
Can Only Boot to Safe Mode after virus attack


28 replies to this topic

#1 johnsig


Posted 27 March 2011 - 08:25 PM

I have a Toshiba Laptop which I connect wirelessly to my Home network using a Linksys router. OS is Vista Home Premium. I am using Windows firewall, AVG antivirus, Spybot S&D, and Spywareblaster. Everything is updated frequently. Occasionally I also run Malwarebytes. At this point, if I try to start Windows normally it boots up to my desktop with a Form titled System Properties superimposed which can be easily closed. After about 5 seconds a blue screen with white printing appears for an instant (too brief to read) and the computer reboots to the point where I can select bootup in normal mode or one of 3 safe modes. If I select normal mode the exact same procedure is repeated, so my only choice is safe mode. The computer boots to safe mode normally except that the same form appears (never happened before today). I was going to try a system restore but couldn't figure out how to do it from safe mode.

HOW I GOT HERE

For several weeks I have been having problems with advertising web sites opening by themselves underneath the page that I am browsing. This happens both with IE and Firefox. Many times these self-opening web sites are advertising sites, occasionally invalid links, and once in a while they trigger a warning from one of the tools that I run. Upon consulting another technical forum, I was told these were "popunders" and not malware and was advised to try anti-scripting tools to thwart them.

About a week ago I started getting redirects on many searches done with google, in that I would click on a result and it would take me to a totally unrelated web page.

Yesterday and today I started getting virus infection warnings. These infections I have been able to heal or remove, but they keep occurring, sometimes even when I don't have a web browser open. Today AVG told me I had been infected and it had taken care of them. I then ran Malwarebytes and it identified 10 infections which it said it would clean upon reboot. Upon reboot it reported the system clean, but a scan with AVG revealed two infections, one of which it said it could clean, the other it said it couldn't.

In a fit of desperation I ran TDSSKiller by Kaspersky and it found something and removed it. In that removal process the computer rebooted itself and I find myself in the present situation.

Also today I was periodically getting a message to the effect that "A Windows service host has stopped working ..........." I am unable to reproduce that in my current state.

I may be able to post logs from Malwarebytes and/or AVG if that would be helpful.

Can anyone get me back to normal mode and help me clean up my mess? Is it possible my network is compromised? It is supposed to be secure.

We did this with my desktop a couple of years ago (much different symptoms) and you guys were great.

Thanks in advance

Push comes to shove, I have recovery disks which should restore my computer to the state in which I bought it.

Edited by Budapest, 29 March 2011 - 05:23 PM.
Moved from AII ~BP



#2 SweetTech


Posted 28 March 2011 - 01:31 PM

If you're able to, please post the TDSSKiller and Malwarebytes' Anti-Malware logs (where things were found), and the AVG logs.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 johnsig


Posted 28 March 2011 - 03:23 PM

Thanks for your reply. I can't find the AVG log (it won't open to main page from safe mode apparently)

I am connecting from safe mode using networking.

Here are the logs from TDSSkiller and Malwarebytes which found infections:

2011/03/27 19:30:42.0368 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53
2011/03/27 19:30:42.0368 ================================================================================
2011/03/27 19:30:42.0368 SystemInfo:
2011/03/27 19:30:42.0368
2011/03/27 19:30:42.0368 OS Version: 6.0.6002 ServicePack: 2.0
2011/03/27 19:30:42.0368 Product type: Workstation
2011/03/27 19:30:42.0368 ComputerName: SIGLER-PC
2011/03/27 19:30:42.0368 UserName: Sigler
2011/03/27 19:30:42.0368 Windows directory: C:\Windows
2011/03/27 19:30:42.0368 System windows directory: C:\Windows
2011/03/27 19:30:42.0368 Processor architecture: Intel x86
2011/03/27 19:30:42.0368 Number of processors: 2
2011/03/27 19:30:42.0368 Page size: 0x1000
2011/03/27 19:30:42.0368 Boot type: Normal boot
2011/03/27 19:30:42.0368 ================================================================================
2011/03/27 19:30:42.0711 Initialize success
2011/03/27 19:30:44.0880 ================================================================================
2011/03/27 19:30:44.0880 Scan started
2011/03/27 19:30:44.0880 Mode: Manual;
2011/03/27 19:30:44.0880 ================================================================================
2011/03/27 19:31:23.0100 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/27 19:31:23.0100 ================================================================================
2011/03/27 19:31:23.0100 Scan finished
2011/03/27 19:31:23.0100 ================================================================================
2011/03/27 19:31:23.0131 Detected object count: 1
2011/03/27 19:31:45.0361 \HardDisk0 - will be cured after reboot
2011/03/27 19:31:45.0361 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/27 19:31:52.0022 Deinitialize success

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6183

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

3/27/2011 11:53:54 AM
mbam-log-2011-03-27 (11-53-54).txt

Scan type: Quick scan
Objects scanned: 151418
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\TEMP\3E39.tmp (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ccamicogice (Trojan.Agent.U) -> Value: Ccamicogice -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\TEMP\3E39.tmp (Trojan.FakeAlert) -> Delete on reboot.
c:\Windows\TEMP\1D80.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Windows\TEMP\1F15.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Windows\TEMP\253E.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Windows\TEMP\3E49.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Local\ivosabamo.dll (Trojan.Agent.U) -> Delete on reboot.

#4 SweetTech (Agent ST, Members, 13,421 posts, Location: Antarctica)

Posted 29 March 2011 - 03:03 PM

Hello,

The main infection that you are/were infected with is called TDL4.

See snippet below:

2011/03/27 19:31:23.0131 Detected object count: 1
2011/03/27 19:31:45.0361 \HardDisk0 - will be cured after reboot
2011/03/27 19:31:45.0361 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/27 19:31:52.0022 Deinitialize success


You can read more about this infection here:

Thanks to quietman7 for providing the above links.


This is what I tell my users when they have this infection:

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Let's run an updated Malwarebytes' Anti-Malware scan:

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan.

Note: It is recommended to disable on-board anti-virus and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NEXT:



What outstanding issues (if any) are you currently experiencing?

Have I helped you? If you'd like to assist in the fight against malware, click here [image]


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
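A helper reading a TDSSKiller log by eye is looking for a handful of things: the driver inventory with one MD5 per image, the "- detected" line, whether the "Detected object count" matches what was actually listed, and whether the chosen cure is waiting on a reboot. The Python below is an added example (not part of SweetTech's reply and not a tool from the thread) that pulls those out of the log format shown above. The regular expressions are inferred from the posted lines, the embedded sample is a trimmed copy of the log quoted above, and the function and class names are my own. The one detection here sits on \HardDisk0, a physical disk object rather than a file, which is why the tool cures it at reboot and why a scan of the filesystem alone would not see that component.

```python
"""Parse a TDSSKiller text log into structured records and pull out what
matters for cleanup.  Added example for this thread, not a tool from the
post; the line grammar is inferred from the log quoted above and any line
that does not match one of those shapes is skipped."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt: the same lines as the posted log, trimmed to a few rows.
SAMPLE_LOG = "\n".join([
    r"2011/03/27 19:31:21.0805 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys",
    r"2011/03/27 19:31:21.0820 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys",
    r"2011/03/27 19:31:22.0132 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys",
    r"2011/03/27 19:31:23.0100 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)",
    r"2011/03/27 19:31:23.0100 ================================================================================",
    r"2011/03/27 19:31:23.0100 Scan finished",
    r"2011/03/27 19:31:23.0131 Detected object count: 1",
    r"2011/03/27 19:31:45.0361 \HardDisk0 - will be cured after reboot",
    r"2011/03/27 19:31:45.0361 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure",
])

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "          # leading timestamp
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>\S.*)$")
DETECT_RE = re.compile(TS + r"(?P<obj>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")
REBOOT_RE = re.compile(TS + r"(?P<obj>\S+) - will be cured after reboot$")
ACTION_RE = re.compile(TS + r"(?P<verdict>[^(\s]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
DISK_OBJECT_RE = re.compile(r"^\\HardDisk\d+$", re.IGNORECASE)  # physical disk, not a file


@dataclass
class Driver:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    obj: str
    verdict: str
    action: Optional[str] = None      # from the "User select action" line
    reboot_pending: bool = False      # from the "will be cured after reboot" line


@dataclass
class ScanResult:
    drivers: List[Driver] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    reported_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> ScanResult:
    """One pass over the log; detections are keyed by object so the later
    reboot/action lines can be attached to the detection they refer to."""
    result = ScanResult()
    by_obj: Dict[str, Detection] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := DRIVER_RE.match(line):
            result.drivers.append(Driver(m["name"], m["md5"].lower(), m["path"]))
        elif m := DETECT_RE.match(line):
            det = Detection(m["obj"], m["verdict"])
            result.detections.append(det)
            by_obj[m["obj"]] = det
        elif m := COUNT_RE.match(line):
            result.reported_count = int(m["n"])
        elif m := REBOOT_RE.match(line):
            if m["obj"] in by_obj:
                by_obj[m["obj"]].reboot_pending = True
        elif m := ACTION_RE.match(line):
            if m["obj"] in by_obj:
                by_obj[m["obj"]].action = m["action"]
    return result


def triage(result: ScanResult) -> Dict[str, object]:
    """What to check first: does the tool's own count match the lines parsed,
    which detections sit on a disk object (boot sector/MBR level), which are
    still waiting on a reboot or were not cured, and which driver images are
    registered under more than one service name (normal for Wanarp/Wanarpv6,
    but worth seeing)."""
    by_path: Dict[str, List[str]] = {}
    for drv in result.drivers:
        by_path.setdefault(drv.path.lower(), []).append(drv.name)
    return {
        "count_matches": result.reported_count == len(result.detections),
        "boot_level": [d.obj for d in result.detections if DISK_OBJECT_RE.match(d.obj)],
        "reboot_pending": [d.obj for d in result.detections if d.reboot_pending],
        "uncured": [d.obj for d in result.detections if d.action != "Cure"],
        "shared_images": {p: n for p, n in by_path.items() if len(n) > 1},
    }


if __name__ == "__main__":
    for key, value in triage(parse_tdsskiller_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run as-is it triages the embedded sample; feed the text of a saved TDSSKiller log to parse_tdsskiller_log to use it on a real one. A count mismatch or a non-empty "uncured" list is the thing to chase before rebooting, since a detection on a disk object that was skipped rather than cured means the bootkit is still in place.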


#5 johnsig (Topic Starter, Members, 95 posts)

Posted 29 March 2011 - 04:54 PM

I'm going to opt for cleaning. This computer has not been used extensively for financial transactions and there is no resident financial information. We are planning to change passwords at financial institutions anyway, as something we probably should do.

In safe mode, none of the antivirus and anti-spyware things I have seem to be operating, and I couldn't figure out how to disable them without uninstalling, so I went ahead and executed ESET and it didn't complain.

So here is the log from Malwarebytes and the ESET Online results:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6208

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19019

3/29/2011 4:28:12 PM
mbam-log-2011-03-29 (16-28-12).txt

Scan type: Quick scan
Objects scanned: 149940
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\TEMP\ecnmrxaows.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\Sigler\local settings\sLAPri.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\Sigler\local settings\application data\sLAPri.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.


ESET results


C:\Users\Sigler\AppData\Roaming\024D0571518543E685983F04E70EBC1D\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Users\Sigler\AppData\Roaming\024D0571518543E685983F04E70EBC1D\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application


Outstanding issues: have been avoiding using this computer until clean but it still will not boot in normal mode -- desktop followed by screen of death as described above.
Of course the beasties found by ESET have not been removed.

Awaiting your advice. Thanks much.

#6 SweetTech (Agent ST, Members, 13,421 posts, Location: Antarctica)

Posted 29 March 2011 - 05:07 PM

johnsig,

Note: I have asked a moderator to move this thread to the Malware forum, as it will enable me to use more powerful tools.

I'll remove these two infections via the script below.

C:\Users\Sigler\AppData\Roaming\024D0571518543E685983F04E70EBC1D\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Users\Sigler\AppData\Roaming\024D0571518543E685983F04E70EBC1D\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application


We will need to download some tools. If you're not able to boot into Normal mode then you will need to boot into Safe Mode with Networking to download these tools.


Running OTM

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the [image] icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".
    :Processes
    :Services
    :Reg
    :Files
    C:\Users\Sigler\AppData\Roaming\024D0571518543E685983F04E70EBC1D\
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [resethosts]
    [createrestorepoint]
    
  • Push the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/paste the contents under the [image] line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the [image] icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the [image] button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

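The OTM script above touches the hosts file three times: cacls grants Everyone full control (some infections set the file read-only or restrict its ACL so a reset fails), the current file is moved aside, and [resethosts] writes the default back. Before resetting it is worth knowing what was in the file, because a rewritten hosts file is a common way for malware to block anti-virus update sites or redirect a site to an address it controls. The Python below is an added example, not OTM's code and not part of the reply: it parses a constructed sample hosts file and sorts every name into the default loopback entries, names pinned to a sink address (loopback or 0.0.0.0, which silently blocks the site), and names sent to a routable address (which silently redirects it). The sample domains and address are reserved documentation values, and the function names are my own.

```python
"""Audit a Windows hosts file before resetting it.  Added example for this
thread, not part of OTM or the reply above.  Entries are grouped into the
default loopback lines, names that are blocked (sent to loopback/0.0.0.0) and
names that are redirected (sent to a routable address)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: RFC 2606 reserved TLDs and a TEST-NET-3 address, so
# none of these names or addresses belong to a real site.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample, not the hosts file from the thread",
    "127.0.0.1       localhost",
    "::1             localhost",
    "127.0.0.1       update.example-av.test   # vendor update site pinned to loopback",
    "0.0.0.0         telemetry.example.test",
    "203.0.113.5     www.example-bank.test example-bank.test",
])

# What the reset leaves behind, as shown by the O1 lines of the OTL log above.
DEFAULT_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"
LOCAL_NAMES = {"localhost"}


@dataclass
class HostsEntry:
    lineno: int
    ip: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Hosts syntax: '<address> <name> [<name> ...]' with '#' comments;
    blank, comment-only and malformed lines are skipped."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                      # first token is not an address
        entries.append(HostsEntry(lineno, parts[0], parts[1:]))
    return entries


def audit_hosts(text: str) -> Dict[str, list]:
    """Classify each (line, name) pair.  'blocked' covers loopback and the
    unspecified address 0.0.0.0; both make the name unreachable.  Anything
    else is a redirect and deserves a close look."""
    report: Dict[str, list] = {"ok": [], "blocked": [], "redirected": []}
    for entry in parse_hosts(text):
        addr = ipaddress.ip_address(entry.ip)
        sink = addr.is_loopback or addr.is_unspecified
        for name in entry.names:
            if sink and name.lower() in LOCAL_NAMES:
                report["ok"].append((entry.lineno, name))
            elif sink:
                report["blocked"].append((entry.lineno, name))
            else:
                report["redirected"].append((entry.lineno, name, entry.ip))
    return report


def is_default(text: str) -> bool:
    """True when the file contains nothing beyond the localhost entries."""
    report = audit_hosts(text)
    return not report["blocked"] and not report["redirected"]


if __name__ == "__main__":
    for category, items in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{category}: {items}")
    print("default after reset:", is_default(DEFAULT_HOSTS))
```

A long "blocked" list is not by itself a sign of infection: hosts-based blocklists that some anti-spyware tools install look exactly like that, so compare the blocked names against what was put there on purpose. The OTL log above lists a 430 KB hosts.*.backup, which is blocklist-sized rather than default-sized, though the log alone does not say what produced it. Redirected names are the ones to treat as hostile until explained.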


#7 johnsig (Topic Starter, Members, 95 posts)

Posted 30 March 2011 - 08:28 AM

Sorry for the delay, I didn't expect your reply so quickly. Will check more frequently from now on.

Still in safe mode with networking.

Here are the results from OTM and OTL

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Users\Sigler\AppData\Roaming\024D0571518543E685983F04E70EBC1D folder moved successfully.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\Windows\system32\drivers\etc\hosts
C:\Users\Sigler\Downloads\cmd.bat deleted successfully.
C:\Users\Sigler\Downloads\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Sigler\Downloads\cmd.bat deleted successfully.
C:\Users\Sigler\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 83 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Sigler
->Temp folder emptied: 3984786 bytes
->Temporary Internet Files folder emptied: 12131056 bytes
->Java cache emptied: 497652 bytes
->FireFox cache emptied: 63932963 bytes
->Flash cache emptied: 15866144 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1900437 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 36053336 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 18833 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 128.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Error creating restore point.

OTM by OldTimer - Version 3.1.17.2 log created on 03302011_091052

OTL logfile created on: 3/30/2011 9:20:12 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Sigler\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 123.47 Gb Free Space | 66.80% Space Free | Partition Type: NTFS
Drive E: | 1.46 Gb Total Space | 1.31 Gb Free Space | 89.47% Space Free | Partition Type: NTFS

Computer Name: SIGLER-PC | User Name: Sigler | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/30 09:19:29 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Sigler\Downloads\OTL.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/03/30 09:19:29 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Sigler\Downloads\OTL.exe
MOD - [2010/08/31 11:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
SRV - [2011/01/06 16:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/10/22 05:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/10/06 11:31:48 | 000,517,448 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2009/11/19 22:39:16 | 000,062,264 | ---- | M] (Duality Software) [Auto | Stopped] -- C:\Program Files\DS Clock\dsetime.exe -- (DSClockSyncTime)
SRV - [2009/02/15 13:49:00 | 002,794,234 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Stopped] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/07/15 17:38:32 | 000,394,608 | ---- | M] (SupportSoft, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2008/01/21 19:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/01/17 19:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/12/25 17:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Stopped] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2007/12/03 20:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 21:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/23 20:27:16 | 000,066,928 | ---- | M] () [Auto | Stopped] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/01/25 22:47:50 | 000,136,816 | ---- | M] () [Auto | Stopped] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Stopped] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - [2010/12/08 05:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/12 14:19:38 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/13 16:27:40 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 03:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 03:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 21:42:38 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 21:42:38 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/08/19 21:42:36 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/06/23 09:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/01/21 18:42:24 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2008/01/20 22:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2007/12/17 14:45:20 | 000,018,432 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/11/09 17:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/09/26 09:12:22 | 002,251,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2006/11/28 18:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 18:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 02:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2006/10/18 15:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/?_bc=1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
FF - prefs.js..extensions.enabledItems: avg@igeared:6.103.018.001
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.9.9
FF - prefs.js..extensions.enabledItems: {C2C21D52-34A0-4525-AA2E-8855308D98F1}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/12/28 09:33:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared [2011/03/24 08:22:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{C2C21D52-34A0-4525-AA2E-8855308D98F1}: C:\Windows\system32\config\systemprofile\AppData\Local\{C2C21D52-34A0-4525-AA2E-8855308D98F1}\ [2011/03/27 11:50:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 11:32:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 11:32:19 | 000,000,000 | ---D | M]

[2008/08/26 09:06:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sigler\AppData\Roaming\Mozilla\Extensions
[2011/03/29 16:42:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Sigler\AppData\Roaming\Mozilla\Firefox\Profiles\tyvy4m5s.default\extensions
[2011/03/12 08:46:09 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Sigler\AppData\Roaming\Mozilla\Firefox\Profiles\tyvy4m5s.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/03/27 11:23:51 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Sigler\AppData\Roaming\Mozilla\Firefox\Profiles\tyvy4m5s.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/03/29 16:42:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/20 14:16:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/12/28 09:33:32 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG10\FIREFOX
[2011/03/24 08:22:18 | 000,000,000 | ---D | M] ("urn:mozilla:install-manifest" em:id="avg@igeared" em:name="AVG Security Toolbar" em:version="6.103.018.001" em:displayname="AVG Security Toolbar" em:iconURL="chrome://tavgp/skin/logo.ico" em:creator="AVG Technologies" em:description="AVG Security Toolbar" em:homepageURL="http://www.avg.com" >) -- C:\PROGRAM FILES\AVG\AVG10\TOOLBAR\FIREFOX\AVG@IGEARED
[2011/03/27 11:50:13 | 000,000,000 | ---D | M] (XULRunner) -- C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\{C2C21D52-34A0-4525-AA2E-8855308D98F1}
[2010/12/20 14:16:42 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/11/24 12:12:30 | 000,120,296 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npganymedenet.dll
[2007/05/11 17:41:00 | 000,200,704 | ---- | M] (Ancestry.com) -- C:\Program Files\Mozilla Firefox\plugins\npImgCtl.dll
[2010/12/09 06:47:06 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2011/03/30 09:11:37 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} http://dl.tvunetworks.com/TVUAx.cab (CTVUAxCtrl Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.64.202 213.109.73.173 1.1.1.1
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/30 09:10:52 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/03/29 16:45:22 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/27 11:50:32 | 000,000,000 | ---D | C] -- C:\Windows\Profiles
[2011/03/26 07:41:49 | 000,000,000 | ---D | C] -- C:\Users\Sigler\AppData\Roaming\OfferBox
[2011/03/23 11:32:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox
[2011/03/23 08:11:31 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/03/23 08:11:31 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/03/09 14:09:21 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/03/09 14:09:21 | 000,322,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011/03/09 14:09:21 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011/03/09 14:09:21 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll
[2010/11/19 15:31:38 | 000,331,776 | ---- | C] ( ) -- C:\Windows\System32\Interop.WMPLib.DLL
[2010/11/19 15:31:38 | 000,139,264 | ---- | C] ( ) -- C:\Windows\System32\Interop.SHDocVw.dll
[2010/11/19 15:31:38 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\Interop.QTOLibrary.dll
[2010/11/19 15:31:38 | 000,032,768 | ---- | C] ( ) -- C:\Windows\System32\Interop.ShockwaveFlashObjects.dll
[2010/11/19 15:31:38 | 000,032,768 | ---- | C] ( ) -- C:\Windows\System32\Interop.QTOControlLib.dll

========== Files - Modified Within 30 Days ==========

[2011/03/30 09:18:28 | 000,603,516 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/03/30 09:18:28 | 000,103,586 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/30 09:14:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/30 09:13:58 | 268,435,456 | -HS- | M] () -- C:\Windows\System32\temppf.sys
[2011/03/30 09:12:54 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/30 09:11:37 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/03/29 16:28:59 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\dcmdm.sys
[2011/03/27 19:51:24 | 000,000,680 | ---- | M] () -- C:\Users\Sigler\AppData\Local\d3d9caps.dat
[2011/03/27 19:33:10 | 000,000,394 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{38D996EC-733E-4E0E-9F5C-490D93A144AB}.job
[2011/03/27 19:32:06 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/27 19:32:06 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/27 19:31:53 | 110,105,053 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/03/27 19:28:32 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/27 11:56:38 | 000,000,885 | ---- | M] () -- C:\Users\Sigler\Desktop\Windows Media Player.lnk
[2011/03/27 11:49:12 | 000,007,223 | ---- | M] () -- C:\Windows\Sigler8.xlb
[2011/03/27 09:56:57 | 000,000,041 | ---- | M] () -- C:\Windows\Filzip.ini
[2011/03/26 16:34:46 | 000,001,516 | -HS- | M] () -- C:\ProgramData\yrrcy352tp0qhx4l04375347
[2011/03/05 11:16:13 | 000,000,715 | ---- | M] () -- C:\Users\Sigler\Desktop\CCleaner.lnk
[2011/03/01 14:48:31 | 000,430,185 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110325-111042.backup

========== Files Created - No Company Name ==========

[2011/03/29 16:28:59 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\dcmdm.sys
[2011/03/27 19:46:38 | 000,000,680 | ---- | C] () -- C:\Users\Sigler\AppData\Local\d3d9caps.dat
[2011/03/27 19:33:01 | 268,435,456 | -HS- | C] () -- C:\Windows\System32\temppf.sys
[2011/03/27 11:56:38 | 000,000,885 | ---- | C] () -- C:\Users\Sigler\Desktop\Windows Media Player.lnk
[2011/03/27 09:56:06 | 000,000,394 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{38D996EC-733E-4E0E-9F5C-490D93A144AB}.job
[2011/03/26 16:34:46 | 000,001,516 | -HS- | C] () -- C:\ProgramData\yrrcy352tp0qhx4l04375347
[2011/03/05 11:16:13 | 000,000,715 | ---- | C] () -- C:\Users\Sigler\Desktop\CCleaner.lnk
[2010/12/22 16:40:24 | 000,009,528 | ---- | C] () -- C:\Windows\System32\OxigenServiceContracts.dll
[2010/11/29 23:30:56 | 000,007,168 | ---- | C] () -- C:\Windows\System32\OxigenCompiledRegexes.dll
[2010/11/19 15:31:38 | 000,061,440 | ---- | C] () -- C:\Windows\System32\AxInterop.WMPLib.dll
[2010/11/19 15:31:38 | 000,028,672 | ---- | C] () -- C:\Windows\System32\AxInterop.ShockwaveFlashObjects.dll
[2010/11/19 15:31:38 | 000,028,672 | ---- | C] () -- C:\Windows\System32\AxInterop.QTOControlLib.dll
[2009/12/03 09:27:30 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/06/21 10:04:36 | 000,024,227 | ---- | C] () -- C:\Users\Sigler\AppData\Roaming\UserTile.png
[2009/05/27 12:58:19 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/05/27 12:58:18 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/05/04 15:03:00 | 000,059,904 | ---- | C] () -- C:\Windows\System32\zlib1.dll
[2009/05/04 14:53:28 | 000,286,720 | ---- | C] () -- C:\Windows\System32\libcurl.dll
[2009/05/04 14:53:10 | 000,143,360 | ---- | C] () -- C:\Windows\System32\libexpatw.dll
[2009/04/24 08:24:49 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2008/07/23 07:42:59 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/07/08 12:53:51 | 000,000,957 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2008/07/08 12:53:51 | 000,000,611 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/06/30 11:55:32 | 000,000,041 | ---- | C] () -- C:\Windows\Filzip.ini
[2008/05/03 08:26:31 | 000,001,708 | ---- | C] () -- C:\Windows\mozver.dat
[2008/05/01 16:05:18 | 000,030,720 | ---- | C] () -- C:\Users\Sigler\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/30 10:33:26 | 000,000,067 | ---- | C] () -- C:\Windows\swupdate.INI
[2008/04/30 09:31:12 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2008/04/29 05:56:34 | 000,000,013 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2008/04/29 05:56:34 | 000,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2008/04/12 07:41:20 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2008/04/12 07:30:20 | 000,815,104 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2008/03/28 19:41:32 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/03/11 05:37:06 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2008/03/11 05:37:05 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2008/03/11 05:37:05 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2008/03/11 05:37:05 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2008/03/05 01:18:02 | 000,257,053 | ---- | C] () -- C:\Windows\WOLSET.EXE
[2008/02/14 14:28:07 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/02/13 18:16:15 | 000,157,040 | ---- | C] () -- C:\Windows\fdbpinger.exe
[2007/10/08 17:21:46 | 000,958,464 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2007/09/13 17:31:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/09/13 17:22:46 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/09/13 17:22:46 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/09/13 17:11:18 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2007/02/05 20:05:26 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,411,920 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,603,516 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,103,586 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 12:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[1997/07/11 00:00:00 | 000,047,104 | ---- | C] () -- C:\Windows\System32\WRKGADM.EXE
[1997/07/11 00:00:00 | 000,031,232 | ---- | C] () -- C:\Windows\System32\XLREC.DLL
[1997/07/11 00:00:00 | 000,025,600 | ---- | C] () -- C:\Windows\System32\RECNCL.DLL
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\Windows\System32\ODBCSTF.DLL
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\Windows\System32\DOCOBJ.DLL
[1997/07/11 00:00:00 | 000,012,288 | ---- | C] () -- C:\Windows\System32\HLINKPRX.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 95 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >
OTL Extras logfile created on: 3/30/2011 9:20:12 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Sigler\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 123.47 Gb Free Space | 66.80% Space Free | Partition Type: NTFS
Drive E: | 1.46 Gb Total Space | 1.31 Gb Free Space | 89.47% Space Free | Partition Type: NTFS

Computer Name: SIGLER-PC | User Name: Sigler | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.txt [@ = txtfile] -- C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe (Just Great Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2732826977-1390623016-2335831479-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- ()


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02B4BDF7-7BA3-445F-96A1-EEED24A3FE45}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{17147F03-A454-4802-A2B1-9E5FD3934898}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{1A6BDC8F-7990-477F-A648-41C50C5F44CC}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{3441873A-DD29-4FB5-8FBA-132B5838BBDF}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{36A0D187-A60E-4F23-9A06-013139230ACD}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{4ED12807-EB5A-499F-840F-47B07F63F08A}" = lport=139 | protocol=6 | dir=in | app=system |
"{4EE42C8C-272F-4221-B36D-9357356D757E}" = rport=445 | protocol=6 | dir=out | app=system |
"{4FDA1A39-D5AB-40B5-B486-326F28B335F6}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{5F4BF441-3F54-44FC-B5D5-A16B2901024F}" = rport=138 | protocol=17 | dir=out | app=system |
"{7BD7251F-170B-44A7-BB76-E15E1A3F33B3}" = lport=445 | protocol=6 | dir=in | app=system |
"{7BE1C090-A7A1-4BBE-9721-7179239F8265}" = rport=139 | protocol=6 | dir=out | app=system |
"{84689B61-FBEF-4F7E-99FD-789D1BEC9E43}" = lport=138 | protocol=17 | dir=in | app=system |
"{9C0B2F5B-9229-4B71-A71D-001BFE9126DF}" = rport=137 | protocol=17 | dir=out | app=system |
"{A2749FCF-14B6-4BC4-94C0-8302579A883B}" = lport=137 | protocol=17 | dir=in | app=system |
"{A707933A-D511-4FBF-A801-38805AEFDC4D}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{E7236ED8-0FB4-4611-B550-DB11D0CB3190}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{EAE546D7-0836-419B-A785-B4BD48E46C47}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{EB497035-F80C-4C58-9156-55113BE1F1D9}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0529E176-3EB5-482C-A0BA-9F1F73E8AC75}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{0CCA9015-CD00-46FA-AAAA-00A6A920C84A}" = protocol=6 | dir=in | app=c:\program files\celeris\virtual pool 3 dl\vp3.exe |
"{23CFF59D-1807-4B55-8341-6339822438B7}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{38585355-3C13-4674-A991-BE905FA5510F}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{41B41384-08E1-4485-A984-F88BF57E4647}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{50C636E9-3CD5-46E6-94BE-00F04A796E6A}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{5C420753-640D-4112-843C-EE0FB59D6C7F}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{A6608E3C-D88F-4EAC-9681-65FDB5D789C1}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{BF632AA4-BBA4-4057-808D-96BA191C3929}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{DC7A9DD5-A6FB-4317-AF8F-8C2D2C8DFBFE}" = protocol=17 | dir=in | app=c:\program files\celeris\virtual pool 3 dl\vp3.exe |
"{E3CE989D-B2A7-4473-BAE0-76768C2A58D0}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{E42C3C3B-AF85-4B24-BA2D-0CBBBD1BE9BE}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{EFAB284C-7A4A-40F2-A968-A2848DDB67F5}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{F023B19A-70ED-4E8E-87DA-8E07C024F116}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{F2736D97-D72A-432C-BDDE-0B2F57CBE53B}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{F746A888-0D3A-472E-9F33-1C970ADA408D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{F94E7E88-504A-459A-97C6-4613E9702DBC}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{FCE6D84B-8ABF-4D7B-B26C-ECC89C1C7227}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"TCP Query User{21973093-607E-4D87-825F-8EC3E1A121D5}C:\program files\microsoft games\links 2001\linksmmi.exe" = protocol=6 | dir=in | app=c:\program files\microsoft games\links 2001\linksmmi.exe |
"TCP Query User{3DA7C9B5-44EB-434E-A916-ACA1B5E14EDA}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{4574E6AF-F4D0-4020-9FF2-2E21E10CEBFC}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{53195138-049F-4B44-8AAF-1AAB1CD90974}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{7F0B6014-3A54-45E3-BF90-1819C178C9B8}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{821EBC7B-18C1-49CD-840C-CA3C40F64F75}C:\program files\quicktime\quicktimeplayer.exe" = protocol=6 | dir=in | app=c:\program files\quicktime\quicktimeplayer.exe |
"TCP Query User{833D70F8-DB90-4387-9F63-831800228194}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{8753ED85-9371-4128-B9B4-4A9B5EFC1D6E}C:\program files\winamp\winamp.exe" = protocol=6 | dir=in | app=c:\program files\winamp\winamp.exe |
"TCP Query User{958989A1-760A-4DFD-9B05-BA6924D2F08E}C:\program files\microsoft games\links 2001\linksmmi.exe" = protocol=6 | dir=in | app=c:\program files\microsoft games\links 2001\linksmmi.exe |
"TCP Query User{95A7EF4E-43C4-414D-AE5D-88F8AE254837}C:\users\sigler\appdata\local\google\chrome\application\chrome.exe" = protocol=6 | dir=in | app=c:\users\sigler\appdata\local\google\chrome\application\chrome.exe |
"TCP Query User{A98428D8-A360-45FC-BE03-32E9B9309F13}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{BEF4E5B4-6132-45F3-9584-4B40715E083D}D:\setup.exe" = protocol=6 | dir=in | app=d:\setup.exe |
"TCP Query User{BFC79F7B-3B1D-4CC0-A9FB-928C1042C62B}C:\users\sigler\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe" = protocol=6 | dir=in | app=c:\users\sigler\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe |
"UDP Query User{0FA43648-5FC8-435A-BD87-5282B7F099AA}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{1DF2E6F5-C328-40BC-88B7-35901D3177CC}D:\setup.exe" = protocol=17 | dir=in | app=d:\setup.exe |
"UDP Query User{277B6E4B-F9D7-4827-B87C-420D76FD077D}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{4DB4ADD6-E3A8-4E8C-8E32-5838E8D8F8D6}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{72B5FE42-6422-48A6-BED2-C09206303C5B}C:\program files\quicktime\quicktimeplayer.exe" = protocol=17 | dir=in | app=c:\program files\quicktime\quicktimeplayer.exe |
"UDP Query User{82A98ACB-3116-484D-BC79-2BBA7636112A}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{8EFC8AF2-1436-416C-A3E8-DE6F6A63F204}C:\users\sigler\appdata\local\google\chrome\application\chrome.exe" = protocol=17 | dir=in | app=c:\users\sigler\appdata\local\google\chrome\application\chrome.exe |
"UDP Query User{9622A0A7-84FE-45ED-800C-CDA83AE75950}C:\program files\microsoft games\links 2001\linksmmi.exe" = protocol=17 | dir=in | app=c:\program files\microsoft games\links 2001\linksmmi.exe |
"UDP Query User{B82EC779-8DB4-4916-BA70-D843ADA7B2E6}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{C8AB3B57-19B4-41C6-82ED-302CBB013AF4}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{E4A4DD59-87F0-42D6-98AE-8E66547345BB}C:\program files\winamp\winamp.exe" = protocol=17 | dir=in | app=c:\program files\winamp\winamp.exe |
"UDP Query User{F3FA20EE-9869-491E-9962-F4BFB0443580}C:\users\sigler\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe" = protocol=17 | dir=in | app=c:\users\sigler\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe |
"UDP Query User{FA91523C-87C2-47BD-A993-4795CBFEDA91}C:\program files\microsoft games\links 2001\linksmmi.exe" = protocol=17 | dir=in | app=c:\program files\microsoft games\links 2001\linksmmi.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{05AB04BD-B62E-4A98-9DA0-9650699CAF8E}" = Oxigen
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 23
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{63A6E9A9-A190-46D4-9430-2DB28654AFD8}" = Norton 360
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}" = TOSHIBA ConfigFree
"{7B4873B0-71FF-4BAA-8072-1DEE154C54E4}" = Virtual Pool 3 DL
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{9413C04B-F66A-48F6-8276-0D0ACF0E41B7}" = MSA20XX Device Manager
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A276502A-8979-44FB-8090-90CF72F22ABC}" = AVG 2011
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A945BD16-4774-4A1F-96A7-118BEC004881}" = mCorev32.ism_new
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D94A8E22-DF2B-4107-9E51-608A60A7671D}" = Personal Ancestral File 5
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E35AF511-B618-4D02-B559-0F2147341D3B}" = AVG 2011
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F32ED8B1-2442-4B0E-8DEC-3F3BFC1C2B7F}" = mCPlug
"{F8722041-B63A-47FB-82A8-5F0977E1CF45}" = TWC Customer Controls
"{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}" = Vista Codec Package
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AVG" = AVG 2011
"CCleaner" = CCleaner
"ChampSpades" = Championship Spades All-Stars 7.40
"DS Clock_is1" = DS Clock
"EditPad Lite" = Just Great Software EditPad Lite 6.4.1
"FileHippo.com" = FileHippo.com Update Checker
"Filzip 3.0.6.93_is1" = Filzip 3.06
"HDMI" = Intel® Graphics Media Accelerator Driver
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"IrfanView" = IrfanView (remove only)
"Links 2001 2.0" = Microsoft Links 2001
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"Office8.0" = Microsoft Office 97, Professional Edition
"PopMan-CH-Software_is1" = PopMan 1.3
"ProInst" = Intel® PROSet/Wireless Software
"Quake2UninstallKey" = Quake II
"SpywareBlaster_is1" = SpywareBlaster 4.4
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SystemRequirementsLab" = System Requirements Lab
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Veetle TV" = Veetle TV 0.9.18
"vShare" = vShare Plugin
"Winamp" = Winamp
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Xvid_is1" = Xvid 1.2.1 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:01:36 AM

Posted 30 March 2011 - 09:42 AM

johnsig,

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :Services
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
    [2011/03/27 11:50:13 | 000,000,000 | ---D | M] (XULRunner) -- C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\{C2C21D52-34A0-4525-AA2E-8855308D98F1}
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - File not found
    [2011/03/26 07:41:49 | 000,000,000 | ---D | C] -- C:\Users\Sigler\AppData\Roaming\OfferBox
    [2011/03/26 16:34:46 | 000,001,516 | -HS- | M] () -- C:\ProgramData\yrrcy352tp0qhx4l04375347
    [2011/03/01 14:48:31 | 000,430,185 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110325-111042.backup
    [2011/03/26 16:34:46 | 000,001,516 | -HS- | C] () -- C:\ProgramData\yrrcy352tp0qhx4l04375347
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT:



What issues (if any) are you still experiencing?

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
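As an added example, not part of SweetTech's instructions and not code from OTL or BleepingComputer: a read-only PowerShell audit of the persistence points that the OTL log and the fix script above touch (AppInit_DLLs, BootExecute, the hosts file, and alternate data streams under C:\ProgramData), so each entry can be matched to a known product before anything is removed. It assumes PowerShell 3.0 or later (for `Get-Item -Stream`) and an elevated prompt; the function name `Get-PersistenceFindings` is my own and is not a built-in cmdlet.

```powershell
# Added audit script (not part of OTL or of the fix above). Read-only: it reports,
# it does not change anything. Assumes PowerShell 3.0+ and an elevated prompt.

function Get-PersistenceFindings {
    $findings = @()

    # 1. AppInit_DLLs: every DLL listed here is loaded into each process that links
    #    user32.dll, so a stale or unknown entry (the log showed a missing
    #    GOEC62~1.DLL) deserves an explanation.
    $winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        $findings += @($appInit -split '[,\s]+' | Where-Object { $_ } | ForEach-Object {
            [pscustomobject]@{
                Location = 'AppInit_DLLs'
                Value    = $_
                Exists   = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($_))
            }
        })
    }

    # 2. BootExecute: native images that smss.exe runs before the Win32 subsystem
    #    starts. "autocheck autochk *" is the Windows default; anything else should
    #    map to a known product (in the log above, AVG's avgchsvx.exe and avgrsx.exe).
    $smKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $bootExec = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).BootExecute
    $findings += @(@($bootExec) | Where-Object { $_ } | ForEach-Object {
        $image = ($_ -split '\s+')[0]
        [pscustomobject]@{
            Location = 'BootExecute'
            Value    = $_
            Exists   = ($image -eq 'autocheck') -or (Test-Path -LiteralPath $image)
        }
    })

    # 3. hosts file: any active line other than the localhost mappings overrides DNS
    #    for that name, which is why the fix above includes [resethosts].
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $findings += @(Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
        ForEach-Object {
            [pscustomobject]@{ Location = 'hosts'; Value = $_.Trim(); Exists = $true }
        })

    # 4. Alternate data streams directly under %ProgramData%, where the OTL log
    #    reported C:\ProgramData\TEMP:5C321E34. Streams other than the default
    #    :$DATA hold content that Explorer never shows.
    $findings += @(Get-ChildItem -LiteralPath $env:ProgramData -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Location = 'ADS'
                Value    = "$($_.FileName):$($_.Stream) ($($_.Length) bytes)"
                Exists   = $true
            }
        })

    return $findings
}

# Usage: print the table, then review each row against installed software.
Get-PersistenceFindings | Format-Table -AutoSize
```

Each row is either a registry value, a hosts entry, or a stream; "Exists = False" on an AppInit_DLLs or BootExecute row means the registry still points at a file that is gone, which is exactly the "File not found" condition OTL flagged and the fix script cleans up.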


#9 johnsig

johnsig
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 30 March 2011 - 11:17 AM

Here is the log from OTL and Malwarebytes. Malwarebytes did not find anything.

I am still unable to boot in normal mode, and new web pages are self-opening under the Bleeping Computer page. So far only advertising sites.

Appreciate all you are doing.

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Service CLTNetCnService stopped successfully!
Service CLTNetCnService deleted successfully!
C:\Windows\System32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\{C2C21D52-34A0-4525-AA2E-8855308D98F1}\chrome\content folder moved successfully.
C:\Windows\System32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\{C2C21D52-34A0-4525-AA2E-8855308D98F1}\chrome folder moved successfully.
C:\Windows\System32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\{C2C21D52-34A0-4525-AA2E-8855308D98F1} folder moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\Windows\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL deleted successfully.
C:\Users\Sigler\AppData\Roaming\OfferBox folder moved successfully.
C:\ProgramData\yrrcy352tp0qhx4l04375347 moved successfully.
C:\Windows\System32\drivers\etc\hosts.20110325-111042.backup moved successfully.
File C:\ProgramData\yrrcy352tp0qhx4l04375347 not found.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Sigler\Downloads\cmd.bat deleted successfully.
C:\Users\Sigler\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Sigler
->Temp folder emptied: 264704 bytes
->Temporary Internet Files folder emptied: 2126855 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Sigler
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 03302011_115724






Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6217

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19019

3/30/2011 12:07:33 PM
mbam-log-2011-03-30 (12-07-33).txt

Scan type: Quick scan
Objects scanned: 147915
Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 30 March 2011 - 11:19 AM

Remind me again what happens when you attempt to boot in Normal Mode?

Do you connect via Wireless router?

Edited by SweetTech, 30 March 2011 - 11:19 AM.



#11 johnsig

johnsig
  • Topic Starter

  • Members
  • 95 posts

Posted 30 March 2011 - 01:17 PM

Here is the description:

At this point, if I try to start Windows normally it boots up to my desktop with a Form titled System Properties superimposed which can be easily closed. After about 5 seconds a blue screen with white printing appears for an instant (too brief to read) and the computer reboots to the point where I can select bootup in normal mode or one of 3 safe modes. If I select normal mode the exact same procedure is repeated so my only choice is safe mode. The computer boots to safe mode normally except that same form appears (never happened before today).

Yes, connecting via wireless network.

Any way to freeze the screen when the blue screen pops up so I can read it?

#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 30 March 2011 - 01:20 PM

Yes, connecting via wireless network.

Are there any other computers that connect to this router? If so, are they experiencing any of the same issues with redirects?


Any way to freeze the screen when the blue screen pops up so I can read it?

Yes.

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure" (a screenshot of this menu accompanied the step in the original post).
  • When your system BSODs, write down the STOP error code, as well as any written-out error message, and post them back here. The STOP error will always appear, but the message may not. (A screenshot of the screen you are looking for accompanied this step in the original post.)



#13 johnsig

johnsig
  • Topic Starter

  • Members
  • 95 posts

Posted 30 March 2011 - 02:07 PM

My desktop is connected to the same network and has similar redirect issues, but no sign of virus activity.

Here is the Blue Screen text following the word "steps"; the beginning is the same as your sample screen, except that no error message appears.

Begin Blue Screen

Check to be sure you have adequate disk space. If a driver is
identified in the stop message, disable the driver or check
with the manufacturer for driver updates. Try changing video
adapters

Check with your hardware vendor for any BIOS updates. Disable
BIOS memory options such as caching or shadowing. If you need
to use safe mode to remove or disable components, restart your
computer, press F8 to select Advanced Startup Options, and then
select safe mode.

Technical Information:

*** STOP: 0x0000008E (0xC0000005,0x8207C157,0x965C191C,0x00000000)


Collecting data for crash dump ...
Initializing disk for crash dump ...
Physical memory dump complete.
Contact your system admin or technical support group for further assistance.

End Blue Screen

I don't know how to get rid of the screen now. Is it safe to power down?
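Two points from the exchange above, as an added example that is not part of the thread and is neither SweetTech's nor johnsig's code. The F8 choice "Disable Automatic Restart on System Failure" corresponds to the AutoReboot value under the CrashControl registry key, so the same effect can be made permanent from an elevated PowerShell prompt, and the STOP line transcribed above can be decoded: bug check 0x0000008E is KERNEL_MODE_EXCEPTION_NOT_HANDLED, its first parameter is the exception code (0xC0000005 is STATUS_ACCESS_VIOLATION), the second is the address of the faulting instruction, the third is the trap frame and the fourth is reserved. The script only reports and decodes; it does not name the faulting driver, which needs the minidump it points you to. It uses only cmdlets available in the PowerShell 2.0 that ships for Vista.

```powershell
# Added example: not from the thread. Run from an elevated PowerShell prompt.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashControlSettings {
    # AutoReboot = 1 restarts the machine as soon as the dump is written, which is
    # why the blue screen was visible for only an instant in the report above.
    $p = Get-ItemProperty -Path $CrashControl
    New-Object PSObject -Property @{
        AutoReboot       = $p.AutoReboot
        CrashDumpEnabled = $p.CrashDumpEnabled   # 0 none, 1 complete, 2 kernel, 3 small (minidump)
        MinidumpDir      = $p.MinidumpDir
        DumpFile         = $p.DumpFile
    }
}

function Disable-AutoReboot {
    # Same effect as the F8 option, but it survives the next boot.
    Set-ItemProperty -Path $CrashControl -Name AutoReboot -Value 0 -Type DWord
}

function Get-Minidumps {
    # Each crash with CrashDumpEnabled = 3 leaves a .dmp file here; newest first.
    $raw = (Get-ItemProperty -Path $CrashControl).MinidumpDir
    if ($raw) {
        $dir = [Environment]::ExpandEnvironmentVariables($raw)
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -Filter *.dmp | Sort-Object LastWriteTime -Descending
        }
    }
}

# Codes this script knows how to name; anything else is reported as unknown, not guessed.
$BugCheckNames  = @{ '0x0000008E' = 'KERNEL_MODE_EXCEPTION_NOT_HANDLED' }
$ExceptionNames = @{ '0xC0000005' = 'STATUS_ACCESS_VIOLATION' }

function Normalize-Hex {
    # Canonical '0x' + eight upper-case digits so table lookups match.
    param([string]$Value)
    return '0x' + $Value.Substring(2).ToUpper().PadLeft(8, '0')
}

function ConvertFrom-StopLine {
    param([string]$Line)
    $hex = '0x[0-9A-Fa-f]{1,8}'
    $m = [regex]::Match($Line, "STOP:\s*($hex)\s*\(\s*($hex)\s*,\s*($hex)\s*,\s*($hex)\s*,\s*($hex)\s*\)")
    if (-not $m.Success) { return $null }
    $code   = Normalize-Hex $m.Groups[1].Value
    $params = @(2..5 | ForEach-Object { Normalize-Hex $m.Groups[$_].Value })
    $result = New-Object PSObject -Property @{
        BugCheck   = $code
        Name       = $(if ($BugCheckNames.ContainsKey($code)) { $BugCheckNames[$code] } else { 'unknown' })
        Parameters = $params
    }
    if ($code -eq '0x0000008E') {
        # Parameter layout for 0x8E: exception code, faulting address, trap frame, reserved.
        $exc  = $params[0]
        $addr = [Convert]::ToUInt32($params[1].Substring(2), 16)
        $result | Add-Member -MemberType NoteProperty -Name ExceptionCode   -Value $exc
        $result | Add-Member -MemberType NoteProperty -Name ExceptionName   -Value $(if ($ExceptionNames.ContainsKey($exc)) { $ExceptionNames[$exc] } else { 'unknown' })
        $result | Add-Member -MemberType NoteProperty -Name FaultingAddress -Value $params[1]
        # On 32-bit Windows without /3GB, addresses at or above 0x80000000 (2147483648) are
        # kernel space, so the fault lies in the kernel or a driver, not a user program.
        $result | Add-Member -MemberType NoteProperty -Name KernelSpace     -Value ($addr -ge 2147483648)
        $result | Add-Member -MemberType NoteProperty -Name TrapFrame       -Value $params[2]
    }
    return $result
}

# Usage with the STOP line transcribed in the post above.
ConvertFrom-StopLine '*** STOP: 0x0000008E (0xC0000005,0x8207C157,0x965C191C,0x00000000)' | Format-List
Get-CrashControlSettings | Format-List
Get-Minidumps | Select-Object Name, LastWriteTime, Length
```

For the line above, the decoder reports an access violation at a kernel-space address, so the next step in a real investigation is opening the newest minidump with a kernel debugger; the script's job ends at telling you where that file is and making sure the next crash leaves the screen readable.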

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 30 March 2011 - 02:09 PM

I don't know how to get rid of the screen now. Is it safe to power down?

Yes.

I need to look into that BSOD.

But I'm going to ask that you reset your router to see if that stops the redirects:

Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out the default username and password of your router and note them down: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds)"


  • This is the difficult part.
    First get to the router's configuration server. To do that, type http://192.168.1.1 in the address bar and press Enter. You get the login window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP's server. In some routers this is done by a setup wizard, but you have to fill in the login password your ISP initially gave you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  • Please make sure of the following settings:
    • Go to Start => Control Panel => double-click Network and Sharing Center.
    • In the left window select Manage network connections.
    • In the right window right-click Local Area Connection and select Properties.
    • Internet Protocol Version 6 (IPv6) should be checked. Double-click on it and make sure of the following settings:
    • The option Obtain an IP address automatically should be checked.
    • The option Obtain DNS server address automatically should be checked.
    • Click OK.
    • Internet Protocol Version 4 (IPv4) should be checked. Double-click on it.
    • The option Obtain an IP address automatically should be checked.
    • The option Obtain DNS server address automatically should be checked.
    • Click OK twice.
  • If you changed any setting, reboot the computer.

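The router-reset post asks you to confirm that each adapter obtains its DNS servers automatically, and the OTL log earlier in the thread also reset the HOSTS file and deleted an AppInit_DLLs value. The script below is an added example, not part of the thread and not SweetTech's code; it audits those three things with the PowerShell 2.0 cmdlets available on Vista and 7. Per interface, the NameServer registry value is the static DNS setting (empty means "Obtain DNS server address automatically") and DhcpNameServer is what the router handed out, so the two can be shown side by side. The RFC 1918 test is an assumption about a home LAN: an active DNS server outside the private ranges is not necessarily malicious, it only means you should recognise it.

```powershell
# Added example: not from the thread. Run from an elevated PowerShell prompt on Vista/7.

function Test-PrivateAddress {
    # RFC 1918 ranges: what a home router normally hands out as its own address.
    param([string]$Address)
    return [bool]($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)')
}

function Get-DnsAudit {
    # One row per IP-enabled adapter, with the static-versus-DHCP DNS source made explicit.
    $ifBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $cfg = $_
        # SettingID is the interface GUID, which is also the registry key name.
        $reg = Get-ItemProperty -Path (Join-Path $ifBase $cfg.SettingID) -ErrorAction SilentlyContinue
        $static   = [string]$reg.NameServer       # non-empty = "Use the following DNS server addresses"
        $fromDhcp = [string]$reg.DhcpNameServer   # space-separated list the DHCP server supplied
        $servers  = @(@($cfg.DNSServerSearchOrder) | Where-Object { $_ })
        $outside  = @($servers | Where-Object { -not (Test-PrivateAddress $_) })
        New-Object PSObject -Property @{
            Adapter     = $cfg.Description
            DhcpEnabled = $cfg.DHCPEnabled
            StaticDns   = $static
            DhcpDns     = $fromDhcp
            ActiveDns   = ($servers -join ', ')
            # Review if DNS is set by hand, DHCP is off, or the active resolvers are not on the LAN.
            NeedsReview = ($static -ne '') -or (-not $cfg.DHCPEnabled) -or ($outside.Count -gt 0)
        }
    }
}

function Get-HostsEntries {
    # Non-comment lines of the hosts file other than the stock localhost mappings.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | ForEach-Object { ($_ -split '#')[0].Trim() } |
        Where-Object { $_ -ne '' -and $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }
}

function Get-AppInitDlls {
    # Empty is the expected value on a home machine; any DLL listed here is loaded into
    # every process that uses user32.dll and is worth identifying.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $p = Get-ItemProperty -Path $k
    New-Object PSObject -Property @{
        AppInit_DLLs     = [string]$p.AppInit_DLLs
        LoadAppInit_DLLs = $p.LoadAppInit_DLLs   # Vista and later: 0 disables the mechanism
    }
}

Get-DnsAudit | Format-List Adapter, DhcpEnabled, StaticDns, DhcpDns, ActiveDns, NeedsReview
Write-Host 'Hosts entries beyond the defaults:'
Get-HostsEntries
Get-AppInitDlls | Format-List
```

Run it before and after the router reset: if a rogue resolver was being handed out by the router, DhcpDns changes while StaticDns stays empty; if StaticDns is populated on a machine that should be automatic, that is the setting the post's checklist tells you to put back.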


#15 johnsig

johnsig
  • Topic Starter

  • Members
  • 95 posts

Posted 30 March 2011 - 03:45 PM

I have reset the router (I really just reinstalled it) and I've made up a new security key instead of using the "randomly" generated one.

Now let's see if the redirects disappear.

The article that you linked to sure sounds like what has been happening.

Any advice about getting my laptop to start in normal mode? (As you have time.)



