Problem with rootkit


  • This topic is locked
15 replies to this topic

#1 Bo1965
Posted 27 July 2011 - 07:51 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic411053.html ~ OB

Hello and thank you in advance. Below is my MBR post from yesterday. I was instructed to post it along with attaching my DDS and Attach DDS.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: EVGA
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer:
System Product Name:
Logical Drives Mask: 0x0000000c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
Press ENTER to exit...



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: EVGA
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer:
System Product Name:
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 178):

Processes (total 55):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1002FAEX-00Z3A0, Rev: 05.01D05

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Edited by Orange Blossom, 05 August 2011 - 01:10 AM.
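To show what the "MBR Status" and "SHA1" lines in the MBRCheck output above are reporting, here is an added example (not part of this thread and not MBRCheck's own code) that parses a 512-byte MBR sector, hashes its bootstrap code, and runs the sanity checks a helper would look at. It assumes, as MBRCheck does not say on the page which bytes it hashes, that the fingerprint covers the 446-byte bootstrap area; the sample sector is constructed inline, so its hash will not match the thread's value. The C: partition offset 0x06500000 from the log is reproduced by the constructed layout (a 100 MB active partition at LBA 2048 followed by the OS partition).

```python
"""Parse an MBR sector, fingerprint its boot code and sanity-check the partition table.

Added example, not from the BleepingComputer thread or from MBRCheck. Assumption:
the fingerprint is SHA-1 over the 446-byte bootstrap area (offsets 0..445); the
page does not state exactly which bytes MBRCheck hashes.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOTCODE_LEN = 446      # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446    # four 16-byte partition entries follow it
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510     # the sector must end with 0x55 0xAA


@dataclass
class PartitionEntry:
    index: int          # slot 0..3 in the table
    bootable: bool      # status byte 0x80 marks the active partition
    type_id: int        # e.g. 0x07 for NTFS
    start_lba: int
    sector_count: int


@dataclass
class MbrInfo:
    valid_signature: bool
    bootcode_sha1: str
    partitions: List[PartitionEntry]


def parse_mbr(sector: bytes) -> MbrInfo:
    """Decode one 512-byte sector into signature flag, boot-code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    valid = sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa"
    digest = hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper()
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, count
        status, type_id, start_lba, count = struct.unpack(
            "<B3xB3xII", sector[off:off + PART_ENTRY_LEN])
        if type_id == 0:
            continue  # empty slot
        parts.append(PartitionEntry(i, status == 0x80, type_id, start_lba, count))
    return MbrInfo(valid, digest, parts)


def partition_byte_offset(p: PartitionEntry) -> int:
    """Byte offset of a partition on the disk, as MBRCheck prints for \\\\.\\C:."""
    return p.start_lba * SECTOR_SIZE


def bootcode_matches(sector: bytes, known_sha1: str) -> bool:
    """Compare the boot-code fingerprint against a known-good value (case-insensitive)."""
    return parse_mbr(sector).bootcode_sha1 == known_sha1.upper()


def sanity_findings(info: MbrInfo) -> List[str]:
    """Structural red flags: bad signature, wrong number of active partitions, overlaps."""
    findings = []
    if not info.valid_signature:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in info.partitions if p.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions flagged active (expected 1)")
    ordered = sorted(info.partitions, key=lambda p: p.start_lba)
    for a, b in zip(ordered, ordered[1:]):
        if a.start_lba + a.sector_count > b.start_lba:
            findings.append(f"partition {a.index} overlaps partition {b.index}")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a dump from the thread): placeholder NOP boot code,
    a 100 MB active NTFS partition at LBA 2048 and the OS partition right after it."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOTCODE_LEN] = b"\x90" * BOOTCODE_LEN        # placeholder, not real boot code
    entries = [(0x80, 0x07, 2048, 204800),                # System Reserved, active
               (0x00, 0x07, 206848, 1953318320)]          # C:, 206848 * 512 = 0x06500000
    for i, (status, ptype, start, count) in enumerate(entries):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        sector[off:off + PART_ENTRY_LEN] = struct.pack(
            "<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Pass a disk image path to inspect a real sector; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("Signature OK:", info.valid_signature)
    print("Boot code SHA1:", info.bootcode_sha1)
    for p in info.partitions:
        print(f"  #{p.index} type=0x{p.type_id:02X} active={p.bootable} "
              f"offset=0x{partition_byte_offset(p):08X} sectors={p.sector_count}")
    print("Findings:", sanity_findings(info) or "none")
```

Reading the live \\.\PhysicalDrive0 device instead of an image needs administrator rights; the known-good fingerprint to compare against must come from a trusted reference, not from the machine under suspicion.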


#2 HelpBot
Posted 06 August 2011 - 07:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on http://www.bleepingcomputer.com/logreply/411635 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Bo1965
Posted 07 August 2011 - 01:25 AM

My computer downloads when I am not even near it. Sometimes I will turn my computer on and step away from it. After about 10 minutes, my computer starts downloading and the processor starts running even before I have signed into the desktop. I used to run SAS and it would detect anywhere from 5 to 30 malware. Then I would run SAS immediately a second time and it would detect anywhere from 5 to 15 malware. I could do this three and four times and get the same result. Something strange though, SAS updated its software and now when I run SAS, it detects nothing. I know the problem is not fixed, however SAS is finding zero malware. Also, my registry items have tripled in the past week as well. In the "Am I infected" forum, Boopme identified that I had a security issue in my MBR and that it needed to be rewritten. I posted the MBR in my original post below. Also, I am attaching a fresh run of DDS and DDS ATTACH. Thank you in advance for looking into this issue.

#4 Farbar
Posted 07 August 2011 - 09:32 AM

Hello Bo1965,

The logs seem clean and everything looks good.

The files SAS found were all tracking cookies; they arrive at your computer when you are surfing the internet.

Downloading without your presence is not by itself a malware issue. Any software (Windows, security software, etc.) configured to automatically update might download at startup or later run a scheduled update.

Is there any question?

Edited by farbar, 07 August 2011 - 03:41 PM.
grammar


#5 Bo1965
Posted 07 August 2011 - 03:05 PM

Just Curious,

Good afternoon and thank you for your time with this. I ran a fresh MBR check and posted it below for review. If it is clean then I guess all is good then. Just to note, I do not have anything scheduled to download in the day...only in the middle of the night. When I turn on my computer and wait to log on for about five or ten minutes, it starts acting like it is downloading. It never used to do that until about 5 months ago. Also, whenever I go to the internet, it also starts acting like it is downloading. If you don't see anything in the MBR check below, I won't worry too much about it then. If it continues, I can reformat...I was only going to do that if all other options were covered though.



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: EVGA
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer:
System Product Name:
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 179):

Processes (total 60):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1002FAEX-00Z3A0, Rev: 05.01D05

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,725 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 August 2011 - 03:47 PM

Hi,

The log is as good as the previous one. None of the logs indicate any malware activity.

Surely your security product is set to be updated automatically, isn't it?

Also, when we go to the internet and click a link, it downloads something (cookies, the page we are viewing, images, etc.) to the temporary internet folder.

To make sure you can do the following scan:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here, then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats and the option Scan archives are checked.
  • Now click on Advanced Settings and select the following:
  • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#7 Bo1965

Bo1965
  • Topic Starter

  • Members
  • 235 posts

Posted 07 August 2011 - 07:26 PM

I ran ESET and it found these two threats:

C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Users\Bo's\Downloads\Miro_Installer.exe Win32/Toolbar.Zugo application deleted - quarantined

This may have been what was running.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,725 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 August 2011 - 04:55 AM

Could you please first update Malwarebytes and then run a full scan and post the result?

#9 Bo1965

Bo1965
  • Topic Starter

  • Members
  • 235 posts

Posted 08 August 2011 - 02:21 PM

Below are the freshly updated Malwarebytes results:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7412

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

8/8/2011 13:15:50
mbam-log-2011-08-08 (13-15-50).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 274206
Time elapsed: 14 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,725 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 August 2011 - 02:25 PM

That one looks good. :thumbup2:

I would like to have one more check and remove the (harmless?) leftover from what ESET found.

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Click Run Scan button.
  • Two reports will open; copy and paste OTL.txt and attach Extra.txt to your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


#11 Bo1965

Bo1965
  • Topic Starter

  • Members
  • 235 posts

Posted 08 August 2011 - 02:51 PM

Thank you, Farbar, for your assistance with this. Below are my outputs from OTL:

OTL

OTL logfile created on: 8/8/2011 13:47:22 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Bo's\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.99 Gb Total Physical Memory | 6.10 Gb Available Physical Memory | 76.37% Memory free
15.98 Gb Paging File | 13.99 Gb Available in Paging File | 87.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.41 Gb Total Space | 835.99 Gb Free Space | 89.76% Space Free | Partition Type: NTFS
Drive D: | 559.50 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BOS-PC | User Name: Bo's | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/08 13:45:59 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Bo's\Desktop\OTL.exe
PRC - [2011/07/07 08:58:43 | 000,240,288 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10t_ActiveX.exe
PRC - [2011/04/22 06:21:10 | 000,247,728 | ---- | M] (TomTom) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2011/04/22 06:21:10 | 000,092,592 | ---- | M] (TomTom) -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2011/01/07 19:48:56 | 000,378,984 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe


========== Modules (SafeList) ==========

MOD - [2011/08/08 13:45:59 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Bo's\Desktop\OTL.exe
MOD - [2010/11/20 06:19:48 | 002,341,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msi.dll
MOD - [2010/11/20 05:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
MOD - [2009/07/13 19:16:14 | 000,040,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\sfc_os.dll
MOD - [2009/07/13 19:15:44 | 000,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msiltcfg.dll
MOD - [2009/07/13 19:10:22 | 000,002,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\sfc.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/08/03 17:21:50 | 000,146,816 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2010/11/11 15:36:38 | 000,282,616 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2010/11/11 15:36:38 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/13 19:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/04/22 06:21:10 | 000,092,592 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2011/01/07 19:48:56 | 000,378,984 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 15:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/03/11 00:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 00:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 07:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 05:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/10/24 22:25:38 | 000,072,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2009/07/13 19:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 19:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 19:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 14:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 14:35:33 | 000,389,120 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/06/10 14:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 14:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 14:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 14:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2011/05/11 10:20:22 | 000,034,560 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWow64\drivers\Normandy.sys -- (Normandy)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2527661366-3378738481-1828229258-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKU\S-1-5-21-2527661366-3378738481-1828229258-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2527661366-3378738481-1828229258-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-2527661366-3378738481-1828229258-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 48 D0 FE A2 DC 52 CC 01 [binary data]
IE - HKU\S-1-5-21-2527661366-3378738481-1828229258-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.foxnews.com
IE - HKU\S-1-5-21-2527661366-3378738481-1828229258-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: MapShare-status@tomtom.com:1.7.1
FF - prefs.js..extensions.enabledItems: baseTheme@tomtom.com:1.0.2

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)


[2011/06/24 10:47:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bo's\AppData\Roaming\Mozilla\Extensions
[2011/06/24 10:47:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bo's\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
[2011/06/24 10:48:51 | 000,000,000 | ---D | M] (Map status indicator) -- C:\PROGRAM FILES (X86)\TOMTOM HOME 2\XUL\EXTENSIONS\MAPSHARE-STATUS@TOMTOM.COM

O1 HOSTS File: ([2009/06/10 15:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - Reg Error: Value error. File not found
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2527661366-3378738481-1828229258-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-2527661366-3378738481-1828229258-1000..\Run: [TomTomHOME.exe] C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/08 13:45:59 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\Bo's\Desktop\OTL.exe
[2011/08/07 17:52:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2011/07/31 18:18:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/07/31 18:17:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/07/31 18:17:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2011/07/31 14:02:28 | 000,000,000 | ---D | C] -- C:\Users\Bo's\AppData\Roaming\SUPERAntiSpyware.com
[2011/07/31 14:02:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2011/07/31 14:02:26 | 000,000,000 | ---D | C] -- C:\ProgramData\!SASCORE
[2011/07/31 14:02:24 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/07/27 13:05:09 | 000,607,017 | R--- | C] (Swearware) -- C:\Users\Bo's\Desktop\dds.scr
[2011/07/21 22:56:54 | 000,000,000 | ---D | C] -- C:\Users\Bo's\AppData\Roaming\PCF-VLC
[2011/07/21 13:11:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Search Toolbar
[2011/07/21 13:11:04 | 000,000,000 | ---D | C] -- C:\Users\Bo's\AppData\Roaming\Participatory Culture Foundation
[2011/07/21 13:11:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\GetMiro Toolbar
[2011/07/21 13:10:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Miro
[2011/07/21 13:10:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Participatory Culture Foundation
[2011/07/21 12:45:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TVAnts
[2011/07/21 12:44:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TVAnts
[2011/07/20 23:40:55 | 000,000,000 | ---D | C] -- C:\Users\Bo's\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StreamTorrent 1.0
[2011/07/20 23:40:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StreamTorrent 1.0
[2011/07/20 23:40:55 | 000,000,000 | ---D | C] -- C:\Users\Bo's\AppData\Roaming\StreamTorrent
[2011/07/20 22:58:08 | 000,000,000 | ---D | C] -- C:\Users\Bo's\AppData\Local\PackageAware
[2011/07/20 22:35:25 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Satellite TV
[2011/07/20 22:35:24 | 000,000,000 | ---D | C] -- C:\ProgramData\SLGlobal
[2011/07/20 22:35:24 | 000,000,000 | ---D | C] -- C:\ProgramData\RBS Valve
[2011/07/20 22:35:24 | 000,000,000 | ---D | C] -- C:\Users\Bo's\AppData\Roaming\PC Satellite TV
[2011/07/20 22:35:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Satellite TV
[2011/07/20 22:35:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PC Satellite TV
[2011/07/12 19:17:54 | 000,421,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
[2011/07/12 19:17:53 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2011/07/12 19:17:53 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2011/07/12 19:17:53 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2011/07/12 19:17:53 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2011/07/12 19:17:53 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2011/07/12 19:17:53 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2011/07/12 19:17:53 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2011/07/12 19:17:53 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2011/07/12 19:17:53 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2011/07/12 19:17:53 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2011/07/12 19:17:53 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2011/07/12 19:17:53 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2011/07/12 19:17:53 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2011/07/12 19:17:52 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2011/07/12 19:17:52 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2011/07/12 19:17:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2011/07/12 19:17:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2011/07/12 19:17:52 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2011/07/12 19:17:52 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2011/07/12 19:17:50 | 001,162,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
[2011/07/12 19:17:50 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
[2011/07/12 19:17:50 | 000,338,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
[2011/07/12 19:17:50 | 000,214,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2011/07/12 19:17:49 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2011/07/12 19:17:49 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2011/07/12 19:17:49 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
[2011/07/12 19:17:49 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2011/07/12 19:17:49 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
[2011/07/12 19:17:49 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2011/07/12 19:17:49 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2011/07/12 19:17:48 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2011/07/09 20:40:43 | 000,000,000 | ---D | C] -- C:\Users\Bo's\Documents\Bo's Messages

========== Files - Modified Within 30 Days ==========

[2011/08/08 13:45:59 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Bo's\Desktop\OTL.exe
[2011/08/08 13:09:22 | 000,015,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/08/08 13:09:22 | 000,015,024 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/08/08 13:06:04 | 000,729,688 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/08/08 13:06:04 | 000,626,040 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/08/08 13:06:04 | 000,107,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/08/08 13:00:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/08/08 13:00:00 | 2140,495,871 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/31 20:36:17 | 000,000,251 | ---- | M] () -- C:\Windows\setup.iss
[2011/07/31 18:18:01 | 000,001,284 | ---- | M] () -- C:\Users\Bo's\Desktop\Spybot - Search & Destroy (for blind users).lnk
[2011/07/31 18:18:01 | 000,001,262 | ---- | M] () -- C:\Users\Bo's\Desktop\Spybot - Search & Destroy.lnk
[2011/07/31 14:02:26 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/07/27 13:27:16 | 000,000,000 | ---- | M] () -- C:\Users\Bo's\defogger_reenable
[2011/07/27 13:05:10 | 000,607,017 | R--- | M] (Swearware) -- C:\Users\Bo's\Desktop\dds.scr
[2011/07/26 23:54:03 | 000,050,477 | ---- | M] () -- C:\Users\Bo's\Desktop\Defogger.exe
[2011/07/26 13:28:21 | 000,080,384 | ---- | M] () -- C:\Users\Bo's\Desktop\MBRCheck.exe
[2011/07/25 22:49:25 | 000,089,088 | ---- | M] () -- C:\Users\Bo's\Desktop\mbr.exe
[2011/07/25 21:38:57 | 000,879,028 | ---- | M] () -- C:\Users\Bo's\Desktop\SecurityCheck.exe
[2011/07/25 19:16:03 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/21 13:10:58 | 000,002,182 | ---- | M] () -- C:\Users\Public\Desktop\Miro.lnk
[2011/07/21 12:44:40 | 003,005,440 | ---- | M] () -- C:\Users\Bo's\Desktop\TvantsSetup.exe
[2011/07/20 23:40:55 | 000,001,121 | ---- | M] () -- C:\Users\Bo's\Desktop\StreamTorrent 1.0.lnk
[2011/07/20 22:35:21 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\PC Satellite TV.lnk
[2011/07/13 13:38:30 | 000,416,000 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2011/07/31 18:18:01 | 000,001,284 | ---- | C] () -- C:\Users\Bo's\Desktop\Spybot - Search & Destroy (for blind users).lnk
[2011/07/31 18:18:01 | 000,001,262 | ---- | C] () -- C:\Users\Bo's\Desktop\Spybot - Search & Destroy.lnk
[2011/07/27 13:27:16 | 000,000,000 | ---- | C] () -- C:\Users\Bo's\defogger_reenable
[2011/07/26 23:54:03 | 000,050,477 | ---- | C] () -- C:\Users\Bo's\Desktop\Defogger.exe
[2011/07/26 13:28:21 | 000,080,384 | ---- | C] () -- C:\Users\Bo's\Desktop\MBRCheck.exe
[2011/07/25 22:49:25 | 000,089,088 | ---- | C] () -- C:\Users\Bo's\Desktop\mbr.exe
[2011/07/25 21:38:56 | 000,879,028 | ---- | C] () -- C:\Users\Bo's\Desktop\SecurityCheck.exe
[2011/07/21 13:10:58 | 000,002,182 | ---- | C] () -- C:\Users\Public\Desktop\Miro.lnk
[2011/07/21 12:44:37 | 003,005,440 | ---- | C] () -- C:\Users\Bo's\Desktop\TvantsSetup.exe
[2011/07/20 23:40:55 | 000,001,121 | ---- | C] () -- C:\Users\Bo's\Desktop\StreamTorrent 1.0.lnk
[2011/07/20 22:35:21 | 000,000,866 | ---- | C] () -- C:\Users\Public\Desktop\PC Satellite TV.lnk
[2011/05/09 19:13:40 | 000,034,560 | ---- | C] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2011/04/15 12:05:22 | 000,004,096 | -H-- | C] () -- C:\Users\Bo's\AppData\Local\keyfile3.drm
[2011/01/25 14:11:28 | 000,743,066 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/11/20 14:37:13 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/07/13 23:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 20:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 20:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 18:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 15:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 15:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\SysWow64\OUTLPERF.INI

< End of report >
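The file listings in the report above share one fixed OTL line layout: timestamp, size with thousands separators, four attribute flags, C or M for created or modified, the file's company name in parentheses (empty when OTL found none), and the path. As an added example, not part of this thread and not OTL's own code, here is a small Python parser for that layout plus a triage pass over it. The function and class names (`parse_otl_line`, `OtlEntry`, `needs_review`, `review_candidates`) are my own, the `C:\Windows\` prefix follows the `%SystemRoot%` shown in the EXTRAS header, and the sample lines are copied from the report above. The triage rule flags driver files under a `drivers` directory and EXE/DLL files under `C:\Windows` that carry no company name, which is the same question the "Files Created - No Company Name" section raises; it yields a list to look at, not a verdict, as the legitimate `BWContextHandler.dll` landing on the list shows.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One OTL file-listing line: [timestamp | size | attrs | C/M] (company) -- path
# Sizes carry thousands separators (e.g. "2140,495,871"); attrs are four flag
# characters (R/H/S/D or '-'); kind is C for "created" or M for "modified".
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str      # "C" = created, "M" = modified
    company: str   # "" when OTL reported no company name, i.e. "()"
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a file-listing line, or None for any other line."""
    m = OTL_LINE.match(line.strip())
    if m is None:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"].strip(),
        path=m["path"],
    )


def needs_review(entry: OtlEntry) -> bool:
    """Triage heuristic (my own, not OTL's): binaries in system locations that
    carry no company name.  This is a list to look at, not a malware verdict;
    plenty of legitimate files in the report above have no company string."""
    if entry.company:
        return False
    p = entry.path.lower()
    unsigned_driver = p.endswith(".sys") and "\\drivers\\" in p
    unsigned_system_binary = p.startswith("c:\\windows\\") and p.endswith((".exe", ".dll"))
    return unsigned_driver or unsigned_system_binary


def review_candidates(lines: List[str]) -> List[OtlEntry]:
    """Parse a block of OTL output and return the entries worth a second look."""
    entries = (parse_otl_line(line) for line in lines)
    return [e for e in entries if e is not None and needs_review(e)]


# Sample input: lines copied from the OTL report above, plus one section header
# that the parser must skip.
SAMPLE_LINES = [
    "[2011/07/12 19:17:50 | 001,162,752 | ---- | C] (Microsoft Corporation) -- C:\\Windows\\SysNative\\kernel32.dll",
    "[2011/08/08 13:45:59 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\\Users\\Bo's\\Desktop\\OTL.exe",
    "[2011/05/09 19:13:40 | 000,034,560 | ---- | C] () -- C:\\Windows\\SysWow64\\drivers\\Normandy.sys",
    "[2011/04/15 12:05:22 | 000,004,096 | -H-- | C] () -- C:\\Users\\Bo's\\AppData\\Local\\keyfile3.drm",
    "[2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- C:\\Windows\\SysWow64\\BWContextHandler.dll",
    "========== Files Created - No Company Name ==========",
]

if __name__ == "__main__":
    for e in review_candidates(SAMPLE_LINES):
        print(f"{e.timestamp:%Y-%m-%d} {e.kind} {e.size:>10} {e.path}")
```

Run against a whole saved OTL log, the review list is what a helper would go through by hand: each flagged path gets checked against a known-good baseline or a file-reputation lookup before anything is touched, and the `created` timestamp ties it to the time window in which the problem started.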



EXTRAS

OTL Extras logfile created on: 8/8/2011 13:47:22 - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Bo's\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.99 Gb Total Physical Memory | 6.10 Gb Available Physical Memory | 76.37% Memory free
15.98 Gb Paging File | 13.99 Gb Available in Paging File | 87.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.41 Gb Total Space | 835.99 Gb Free Space | 89.76% Space Free | Partition Type: NTFS
Drive D: | 559.50 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BOS-PC | User Name: Bo's | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 266.58
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 267.24
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 267.24
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.10.0514
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{E77543EE-6FB5-4FF6-AB70-635392C8C756}" = Microsoft Security Client
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{32714287-4234-412A-877B-D33AFABFDE2B}" = EverQuest Titanium
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{61BE9696-6340-1D8C-A663-3F2EAFB89663}_is1" = PC Satellite TV
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{88038160-9BCB-47BE-A5C3-5CE2DC115509}" = Star Wars Galaxies
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.3
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ESET Online Scanner" = ESET Online Scanner v3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Miro" = Miro
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"QuickTime" = QuickTime
"StarCraft II" = StarCraft II
"StreamTorrent 1.0" = StreamTorrent 1.0
"TomTom HOME" = TomTom HOME 2.8.2.2264
"TVAnts 1.0" = TVAnts 1.0
"World of Warcraft" = World of Warcraft

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/1/2011 16:07:34 | Computer Name = Bos-PC | Source = Application Hang | ID = 1002
Description = The program explorer.exe version 6.1.7601.17567 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: fa4 Start
Time: 01cc5086946535a7 Termination Time: 0 Application Path: C:\Windows\explorer.exe

Report
Id: dfd16901-bc79-11e0-9701-001fbc087838

Error - 8/1/2011 16:07:57 | Computer Name = Bos-PC | Source = Application Hang | ID = 1002
Description = The program explorer.exe version 6.1.7601.17567 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 80 Start
Time: 01cc5086a6f9106f Termination Time: 0 Application Path: C:\Windows\explorer.exe

Report
Id: ee31ff3a-bc79-11e0-9701-001fbc087838

Error - 8/1/2011 21:30:16 | Computer Name = Bos-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 8/2/2011 13:44:37 | Computer Name = Bos-PC | Source = Application Hang | ID = 1002
Description = The program SUPERAntiSpyware.exe version 4.56.0.1000 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: ba0 Start
Time: 01cc513bb809a8ea Termination Time: 2 Application Path: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Report
Id: 0bfaa536-bd2f-11e0-8c3d-001fbc087838

Error - 8/2/2011 19:58:11 | Computer Name = Bos-PC | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.1.7601.17567 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: a80 Start
Time: 01cc51481291508c Termination Time: 0 Application Path: C:\Windows\Explorer.EXE

Report
Id: 41c27208-bd63-11e0-8a4e-001fbc087838

Error - 8/2/2011 22:32:51 | Computer Name = Bos-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 8/4/2011 15:21:45 | Computer Name = Bos-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 8/5/2011 22:39:53 | Computer Name = Bos-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 8/6/2011 15:41:27 | Computer Name = Bos-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 8/7/2011 16:23:46 | Computer Name = Bos-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

[ System Events ]
Error - 8/6/2011 12:13:21 | Computer Name = Bos-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 8/6/2011 12:13:20 | Computer Name = Bos-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error - 8/6/2011 17:44:05 | Computer Name = Bos-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error - 8/6/2011 17:44:16 | Computer Name = Bos-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 8/7/2011 01:50:40 | Computer Name = Bos-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error - 8/7/2011 01:50:50 | Computer Name = Bos-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 8/7/2011 15:50:40 | Computer Name = Bos-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error - 8/7/2011 19:42:19 | Computer Name = Bos-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error - 8/8/2011 15:00:15 | Computer Name = Bos-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error - 8/8/2011 15:00:16 | Computer Name = Bos-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842


< End of report >

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,725 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 August 2011 - 03:18 PM

Well done. We are going to remove the registry and the folder the bad toolbar has left behind.

  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    • Then download ResetTeaTimer.exe to your desktop.
      • Double-click ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.
  • Please open OTL.
    • Copy the text in code box and paste it to Custom Scans/Fixes section:

      :otl
      O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - Reg Error: Value error. File not found
      :files
      C:\Program Files (x86)\Search Toolbar
      
    • Click Run Fix button.
    • If the fix needs a reboot, please do it.
    • When it has finished, a log will open. Copy and paste the log into your reply.


#13 Bo1965

Bo1965
  • Topic Starter

  • Members
  • 235 posts

Posted 08 August 2011 - 07:32 PM

Thank you again Farbar for your assistance. Below is the log after OTL Run Fix:

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{9D425283-D487-4337-BAB6-AB8354A81457} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
========== FILES ==========
C:\Program Files (x86)\Search Toolbar folder moved successfully.

OTL by OldTimer - Version 3.2.26.1 log created on 08082011_183043

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,725 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 August 2011 - 07:37 PM

It looks good and you are good to go. :thumbup2:

  • Please run OTL.
    • Click Clean Up button.
    • Accept any prompts.
    • This will remove OTL, and will require a reboot.
  • You may remove any log or tool we used from your computer.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll back" to a clean working state if needed:
    • Go to Start => Right-click "Computer" and select "Properties".
    • In the left pane select "System Protection".
    • Press "Configure".
    • Select "Delete". Then press "Continue" close and "OK".
    • Select your drive (drive C) and press "Create".
      Fill in a name for the restore point and press "Create".
      When it has finished, press "Close".

Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.
Happy Surfing Bo1965.:)

#15 Bo1965

Bo1965
  • Topic Starter

  • Members
  • 235 posts

Posted 08 August 2011 - 07:46 PM

Thank you Farbar. I will download those programs immediately.