Rootkit or MBR problem?


  • This topic is locked
19 replies to this topic

#1 NJPRO

  • Members
  • 12 posts

Posted 11 October 2011 - 07:08 PM

Hi,

I seem to have a very unique problem. My laptop runs ok, but there are times when it pauses while I am surfing the net for 5-10 seconds. I ran malwarebytes and nothing was found. I tried to run DDS but that freezes the computer. I ran rkill and it did not find anything. I tried to run mbrfix but it froze the computer. I am able to run hijackthis, but I had to change the name of the file in order for it to run and also save the log to a different name to get it to show up. Below is the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:00:05 PM, on 10/11/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Users\Unknown\Desktop\PView\PrcView.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\hijackthis\Trend Micro\HiJackThis\Test.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ZoneAlarm Security Suite Toolbar - {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: ZoneAlarm Security Suite - {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
O3 - Toolbar: ZoneAlarm Security Suite Toolbar - {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [ThpSrv] C:\Windows\system32\thpsrv /logon
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Startup: PrcView.lnk = Unknown\Desktop\PView\PrcView.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\Windows\System32\acaptuser32.dll
O23 - Service: Sprint Con App Svc (CASprint) - SmithMicro Inc. - C:\Program Files\Sprint\Sprint SmartView\ConAppsSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NovaCore SDK Service (NvtlService) - Unknown owner - C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\pev.3XE (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - SmithMicro Inc. - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\Windows\system32\ThpSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

I was able to also run RKUnhook and the SSDT results show this:
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7601 (Service Pack 1)
Number of processors #2
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtAlpcConnectPort, Type: Address change 0x82E772A6-->8FE4B914 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtAlpcCreatePort, Type: Address change 0x82DF6C82-->8FE4C1E2 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtConnectPort, Type: Address change 0x82E79DB1-->8FE4B36A [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtCreateFile, Type: Address change 0x82E5128A-->8FE44CA2 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x82E02EA6-->8FE665F2 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtCreatePort, Type: Address change 0x82DF37D5-->8FE4BE74 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtCreateProcess, Type: Address change 0x82EDDEC5-->8FE604D0 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtCreateProcessEx, Type: Address change 0x82EDDF10-->8FE608F8 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtCreateSection, Type: Address change 0x82E24F75-->8FE6AC8A [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtCreateUserProcess, Type: Address change 0x82E700FE-->8FE60D6C [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtCreateWaitablePort, Type: Address change 0x82DA613C-->8FE4BFD2 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtDeleteFile, Type: Address change 0x82D9A6B5-->8FE459DE [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtDeleteKey, Type: Address change 0x82DED987-->8FE68048 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Address change 0x82DDF39E-->8FE6795E [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtDuplicateObject, Type: Address change 0x82E33582-->8FE5F2B0 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtLoadDriver, Type: Address change 0x82DC7B80-->8FE3F51E [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtLoadKey, Type: Address change 0x82D9342E-->8FE68A16 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtLoadKey2, Type: Address change 0x82D80A23-->8FE68C54 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtLoadKeyEx, Type: Address change 0x82DA3E7A-->8FE69106 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Address change 0x82E4843A-->8FE6B048 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtOpenFile, Type: Address change 0x82E33BA2-->8FE45590 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x82E13A58-->8FE629EC [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x82E5FE2D-->8FE625DA [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtRenameKey, Type: Address change 0x82E9DDFB-->8FE69AEE [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtReplaceKey, Type: Address change 0x82E9D948-->8FE693D0 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtRequestWaitReplyPort, Type: Address change 0x82E3F96B-->8FE4AF0E [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtRestoreKey, Type: Address change 0x82E939B4-->8FE6A554 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtSecureConnectPort, Type: Address change 0x82E5FE62-->8FE4B636 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtSetInformationFile, Type: Address change 0x82E58802-->8FE45DEA [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtSetSecurityObject, Type: Address change 0x82E036A2-->8FE6A078 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtSetSystemInformation, Type: Address change 0x82E50194-->8FE3EBE8 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x82E0C4A3-->8FE670B8 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtSystemDebugControl, Type: Address change 0x82E87514-->8FE615F6 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x82E5CA65-->8FE61326 [C:\Windows\system32\DRIVERS\vsdatant.sys]
ntkrnlpa.exe-->NtUnloadDriver, Type: Address change 0x82EBB297-->8FE3F970 [C:\Windows\system32\DRIVERS\vsdatant.sys]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
----------

The Shadow SSDT shows this:

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7601 (Service Pack 1)
Number of processors #2
==============================================
>Shadow
==============================================
win32k.sys-->NtUserMessageCall, Type: Address change 0x97B5B2C4-->8FE49C0E [C:\Windows\system32\DRIVERS\vsdatant.sys]
win32k.sys-->NtUserPostMessage, Type: Address change 0x97B5BAE9-->8FE49D74 [C:\Windows\system32\DRIVERS\vsdatant.sys]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0x97B2CB10-->8FE49ED8 [C:\Windows\system32\DRIVERS\vsdatant.sys]
win32k.sys-->NtUserRegisterUserApiHook, Type: Address change 0x97AB0123-->8FE40662 [C:\Windows\system32\DRIVERS\vsdatant.sys]
win32k.sys-->NtUserRegisterRawInputDevices, Type: Address change 0x97AD42CA-->8FE476A8 [C:\Windows\system32\DRIVERS\vsdatant.sys]
win32k.sys-->NtUserSendInput, Type: Address change 0x97BF0A66-->8FE4A35A [C:\Windows\system32\DRIVERS\vsdatant.sys]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0x97B18473-->8FE40D38 [C:\Windows\system32\DRIVERS\vsdatant.sys]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0x97B151C5-->8FE403F6 [C:\Windows\system32\DRIVERS\vsdatant.sys]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
---------


Any help would be greatly appreciated!


Tom
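The RkUnhooker output above reports "possible rootkit activity" because SSDT and Shadow SSDT entries have been redirected, but the bracketed path on each line names the module that now owns the handler, and every line here points at vsdatant.sys, which the OTL log later in this thread lists as a Check Point driver. The following Python is an added example, not part of the thread and not code from RkUnhooker, OTL or BleepingComputer: it parses RkUnhooker hook lines, groups hooks by hooking module, and cross-references each module against OTL's "Driver Services" list to recover the publisher OTL recorded for it. The hook and DRV lines in the sample are copied from this thread; the line naming placeholder_unlisted.sys, with zero addresses, is constructed to exercise the unattributed path.

```python
import re
from typing import Dict, List, Optional

# Shape of one RkUnhooker SSDT / Shadow SSDT hook line as pasted in the thread:
# ntkrnlpa.exe-->NtCreateFile, Type: Address change 0x82E5128A-->8FE44CA2 [C:\...\vsdatant.sys]
HOOK_RE = re.compile(
    r"^(?P<table>[\w.]+)-->(?P<function>\w+), Type: (?P<kind>.+?) "
    r"(?P<orig>0x[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)
# Shape of one OTL "Driver Services" line:
# DRV - [date | size | ---- | M] (Company) [Kernel | Start | State] -- C:\path\x.sys -- (Service)
OTL_DRV_RE = re.compile(
    r"^DRV - \[[^\]]*\] \((?P<company>[^)]*)\) \[[^\]]*\] -- (?P<path>.+?) -- \((?P<service>[^)]+)\)$"
)


def basename_lower(path: str) -> str:
    # Windows paths are case-insensitive and the two tools print them differently
    # (system32\DRIVERS vs System32\drivers), so key everything on the lowercased file name.
    return path.rsplit("\\", 1)[-1].lower()


def parse_hook(line: str) -> Optional[dict]:
    """Fields of an RkUnhooker hook line, or None for banners and blank lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["module_name"] = basename_lower(d["module"])
    return d


def parse_otl_driver(line: str) -> Optional[dict]:
    """Company, path and service name of an OTL DRV line, or None."""
    m = OTL_DRV_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["company"] = d["company"].strip() or None  # "()" or "( )" means OTL found no company name
    d["module_name"] = basename_lower(d["path"])
    return d


def attribute_hooks(hook_lines: List[str], otl_lines: List[str]) -> Dict[str, dict]:
    """Group hooks by the module owning the new handler address and attach the
    publisher that OTL recorded for that driver, if OTL listed it at all."""
    drivers = {}
    for line in otl_lines:
        drv = parse_otl_driver(line)
        if drv:
            drivers[drv["module_name"]] = drv
    summary: Dict[str, dict] = {}
    for line in hook_lines:
        hook = parse_hook(line)
        if hook is None:
            continue
        entry = summary.setdefault(hook["module_name"], {
            "count": 0, "functions": [], "tables": set(), "company": None, "listed_in_otl": False})
        entry["count"] += 1
        entry["functions"].append(hook["function"])
        entry["tables"].add(hook["table"])
        drv = drivers.get(hook["module_name"])
        if drv is not None:
            entry["listed_in_otl"] = True
            entry["company"] = drv["company"]
    return summary


def triage_report(summary: Dict[str, dict]) -> List[str]:
    """One verdict line per hooking module; anything without a publisher needs a closer look."""
    out = []
    for name, e in sorted(summary.items()):
        where = ", ".join(sorted(e["tables"]))
        if e["listed_in_otl"] and e["company"]:
            verdict = f"OTL lists publisher '{e['company']}'; verify the file's signature matches"
        elif e["listed_in_otl"]:
            verdict = "OTL lists the driver but no company name: investigate"
        else:
            verdict = "not present in the OTL driver list: investigate"
        out.append(f"{name}: {e['count']} hook(s) in {where}; {verdict}")
    return out


# Sample input: hook lines copied from the thread, plus one CONSTRUCTED line
# (placeholder addresses and a placeholder module name) to exercise the unattributed path.
SAMPLE_HOOK_LINES = [
    r"ntkrnlpa.exe-->NtCreateFile, Type: Address change 0x82E5128A-->8FE44CA2 [C:\Windows\system32\DRIVERS\vsdatant.sys]",
    r"ntkrnlpa.exe-->NtLoadDriver, Type: Address change 0x82DC7B80-->8FE3F51E [C:\Windows\system32\DRIVERS\vsdatant.sys]",
    r"ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x82E13A58-->8FE629EC [C:\Windows\system32\DRIVERS\vsdatant.sys]",
    r"ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x82E5CA65-->8FE61326 [C:\Windows\system32\DRIVERS\vsdatant.sys]",
    r"win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0x97B18473-->8FE40D38 [C:\Windows\system32\DRIVERS\vsdatant.sys]",
    r"win32k.sys-->NtUserSendInput, Type: Address change 0x97BF0A66-->8FE4A35A [C:\Windows\system32\DRIVERS\vsdatant.sys]",
    "!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)",  # banner line, must be ignored by the parser
    r"ntkrnlpa.exe-->NtClose, Type: Address change 0x00000000-->00000000 [C:\Windows\system32\DRIVERS\placeholder_unlisted.sys]",
]
# OTL DRV lines copied from the thread's OTL.txt.
SAMPLE_OTL_LINES = [
    r"DRV - [2011/09/18 11:19:20 | 000,231,248 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)",
    r"DRV - [2011/05/07 17:51:28 | 000,455,256 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsdatant.sys -- (Vsdatant)",
]

if __name__ == "__main__":
    for line in triage_report(attribute_hooks(SAMPLE_HOOK_LINES, SAMPLE_OTL_LINES)):
        print(line)
```

Running the script prints one triage line per hooking module. A module whose hooks all attribute to a driver with a recognised publisher is the expected picture for a firewall or anti-malware product that filters syscalls, but the script only matches names between two logs; the file's own digital signature still has to be checked on the machine before the finding is closed.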

#2 NJPRO

  • Topic Starter
  • Members
  • 12 posts

Posted 13 October 2011 - 09:36 PM

Can anyone help me??

#3 Elise

Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 16 October 2011 - 06:28 AM

Hello,
And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#4 NJPRO

  • Topic Starter
  • Members
  • 12 posts

Posted 16 October 2011 - 11:36 AM

Hi Elise,

Thanks for helping me. I tried to run DDS but it freezes up my computer. It gets almost to the end but then the hd activity stops and I can't do anything with my computer. I can use the mouse, but nothing responds. I have to hard reset it to work. I also had someone else in the "Am I infected? What do I do?" forum try and help me. He suggested to start a topic in this forum. I did run some scans that he requested and posted the results in this post here: http://www.bleepingcomputer.com/forums/topic423065.html/page__p__2437750__fromsearch__1#entry2437750

Please let me know what else I can try to run.

Thanks again,

Tom

#5 Elise

Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 16 October 2011 - 12:32 PM

Hi, in that case, try this:

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


#6 NJPRO

  • Topic Starter
  • Members
  • 12 posts

Posted 16 October 2011 - 11:34 PM

Elise,

Thanks again for your help. Below is the OTL.txt results:

OTL logfile created on: 10/17/2011 12:15:59 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Unknown\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.34 Gb Available Physical Memory | 46.54% Memory free
3.87 Gb Paging File | 2.54 Gb Available in Paging File | 65.52% Paging File free
Paging file location(s): c:\pagefile.sys 1024 1024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 453.62 Gb Total Space | 8.67 Gb Free Space | 1.91% Space Free | Partition Type: NTFS
Drive F: | 1.46 Gb Total Space | 1.27 Gb Free Space | 86.52% Space Free | Partition Type: NTFS

Computer Name: UNKNOWN-PC | User Name: Unknown | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/17 00:15:17 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Unknown\Desktop\OTL.exe
PRC - [2011/10/03 18:51:10 | 002,846,720 | ---- | M] (LIGHTNING UK!) -- C:\Program Files\ImgBurn\ImgBurn.exe
PRC - [2011/09/29 21:42:31 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/07/12 09:35:14 | 002,413,936 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2011/07/12 09:33:34 | 000,071,824 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2011/05/30 07:39:00 | 000,738,944 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 17:29:19 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/08/24 19:25:56 | 000,575,552 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\ThpSrv.exe
PRC - [2009/08/21 09:29:40 | 000,464,224 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
PRC - [2009/08/21 09:29:20 | 000,476,512 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
PRC - [2009/08/05 14:04:54 | 000,738,616 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
PRC - [2009/07/28 14:00:10 | 000,460,088 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
PRC - [2008/03/15 00:48:40 | 000,335,872 | ---- | M] ( ) -- C:\Users\Unknown\Desktop\PView\PrcView.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/01 21:08:01 | 006,277,280 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2011/09/29 21:42:31 | 001,833,944 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2009/07/29 15:35:38 | 000,014,648 | ---- | M] () -- C:\Program Files\TOSHIBA\TBS\NotifyTBS.dll
MOD - [2009/07/16 15:27:48 | 000,052,536 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\Hotkey\FnZ.dll
MOD - [2009/07/16 15:27:44 | 007,263,544 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll
MOD - [2009/03/12 19:08:04 | 000,049,152 | ---- | M] () -- C:\Program Files\TOSHIBA\PCDiag\NotifyPCD.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (PEVSystemStart)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/11 19:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/07/12 09:35:14 | 002,413,936 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2011/06/05 03:00:33 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011/05/31 00:03:27 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/05/30 07:39:02 | 000,493,184 | ---- | M] (Check Point Software Technologies) [Disabled | Stopped] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2011/03/24 07:24:34 | 000,072,936 | ---- | M] (SANDBOXIE L.T.D) [Disabled | Stopped] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2010/12/15 14:54:44 | 000,120,128 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe -- (SprintRcAppSvc)
SRV - [2010/12/15 14:54:30 | 000,124,224 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\ConAppsSvc.exe -- (CASprint)
SRV - [2010/01/11 14:10:52 | 000,082,944 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe -- (NvtlService)
SRV - [2009/12/24 23:56:29 | 000,095,544 | ---- | M] (Jetico, Inc.) [Disabled | Stopped] -- C:\Program Files\Jetico\BestCrypt\BCWipeSvc.exe -- (BCWipeSvc)
SRV - [2009/12/23 17:34:20 | 000,370,688 | ---- | M] (StarWind Software) [Disabled | Stopped] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2009/08/24 19:25:56 | 000,575,552 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\ThpSrv.exe -- (Thpsrv)
SRV - [2009/08/21 09:29:40 | 000,464,224 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/03/24 02:33:14 | 000,066,288 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Jetico\BestCrypt\BC_VE\bcveserv.exe -- (bcveServ)
SRV - [2003/04/18 19:06:26 | 000,008,192 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\srvany.exe -- (KMService)


========== Driver Services (SafeList) ==========

DRV - [2011/09/18 11:19:20 | 000,231,248 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\System32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/06/30 00:42:35 | 000,697,328 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2011/05/30 07:38:54 | 000,027,016 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2011/05/12 14:05:32 | 000,018,816 | ---- | M] (Sophos Group) [Kernel | System | Running] -- C:\Windows\System32\SAVRKBootTasks.sys -- (SAVRKBootTasks)
DRV - [2011/05/07 17:51:28 | 000,455,256 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsdatant.sys -- (Vsdatant)
DRV - [2011/03/24 07:24:30 | 000,126,696 | ---- | M] (SANDBOXIE L.T.D) [Kernel | On_Demand | Stopped] -- C:\Program Files\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV - [2010/12/15 14:38:22 | 000,229,376 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2010/12/15 14:38:10 | 000,038,680 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctnullport.sys -- (Nmea)
DRV - [2010/12/15 14:35:56 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2010/11/20 17:29:34 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 17:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 17:29:03 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 17:29:03 | 000,112,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - [2010/11/20 17:29:03 | 000,077,184 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV - [2010/11/20 17:29:03 | 000,062,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\dmvsc.sys -- (dmvsc)
DRV - [2010/11/20 17:29:03 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 17:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 17:29:03 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 17:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2010/11/20 17:29:03 | 000,025,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\terminpt.sys -- (terminpt)
DRV - [2010/11/20 17:29:03 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 17:29:03 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/01/29 02:18:26 | 000,191,168 | ---- | M] (Jetico, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\bcfnt.sys -- (bcfnt)
DRV - [2010/01/14 03:07:37 | 000,049,984 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bcbus.sys -- (bcbus)
DRV - [2009/12/22 09:56:49 | 000,030,528 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_tfish.sys -- (BC_TFISH)
DRV - [2009/12/22 09:56:40 | 000,029,632 | ---- | M] (Michael Oestergaard Pedersen) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_serp.sys -- (BC_SERP)
DRV - [2009/12/22 09:56:31 | 000,044,480 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_rijn.sys -- (BC_RIJN)
DRV - [2009/12/22 09:56:23 | 000,024,384 | ---- | M] (Michael Oestergaard Pedersen) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_rc6.sys -- (BC_RC6)
DRV - [2009/12/22 09:56:15 | 000,019,392 | ---- | M] (Iarsn) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_idea.sys -- (BC_IDEA)
DRV - [2009/12/22 09:56:07 | 000,019,264 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_gost.sys -- (BC_Gost)
DRV - [2009/12/22 09:55:51 | 000,029,120 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_des.sys -- (BC_DES)
DRV - [2009/12/22 09:55:42 | 000,032,064 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_cast.sys -- (BC_CAST)
DRV - [2009/12/22 09:55:34 | 000,023,744 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_bfish.sys -- (BC_BFish)
DRV - [2009/12/22 09:55:26 | 000,023,744 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_bf448.sys -- (BC_BF448)
DRV - [2009/12/22 09:55:18 | 000,023,744 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_bf128.sys -- (BC_BF128)
DRV - [2009/12/22 09:55:10 | 000,029,376 | ---- | M] (Jetico, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\bc_3des.sys -- (BC_3DES)
DRV - [2009/10/02 13:33:24 | 000,862,208 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8192se.sys -- (rtl8192se)
DRV - [2009/07/28 18:24:20 | 000,049,152 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\risdpe86.sys -- (risdpcie)
DRV - [2009/07/24 15:57:06 | 000,275,536 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2009/07/14 15:28:42 | 000,023,512 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2009/07/13 20:56:07 | 000,265,088 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BrSerIb.sys -- (BrSerIb) Brother MFC Serial Interface Driver(WDM)
DRV - [2009/07/13 19:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 19:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 18:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BrUsbSIb.sys -- (BrUsbSIb) Brother MFC Serial USB Driver(WDM)
DRV - [2009/07/04 18:37:08 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdpe86.sys -- (rixdpcie)
DRV - [2009/07/02 08:50:16 | 000,047,104 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimspe86.sys -- (rimspci)
DRV - [2009/06/29 16:16:22 | 000,013,120 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\Thpevm.SYS -- (Thpevm)
DRV - [2009/06/29 10:25:24 | 000,030,272 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\thpdrv.sys -- (Thpdrv)
DRV - [2008/08/18 05:08:58 | 000,016,232 | ---- | M] (Jetico, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mhk.sys -- (mhk)
DRV - [2008/07/17 06:06:26 | 000,010,600 | ---- | M] (Jetico, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\moh.sys -- (moh)
DRV - [2006/11/19 22:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/09/28 14:32:14 | 000,009,472 | ---- | M] (June Fabrics Technology) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pnetmdm.sys -- (pnetmdm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll (Conduit Ltd.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2572382878-2847236798-4245784224-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-2572382878-2847236798-4245784224-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-2572382878-2847236798-4245784224-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 52 94 9B 4E CF 85 CC 01 [binary data]
IE - HKU\S-1-5-21-2572382878-2847236798-4245784224-1000\..\URLSearchHook: {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-2572382878-2847236798-4245784224-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "ZoneAlarm Security Suite Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3015261&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Unknown\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Unknown\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2011/08/07 21:59:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/29 21:42:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/05/22 02:19:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Unknown\AppData\Roaming\Mozilla\Extensions
[2011/10/10 23:58:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Unknown\AppData\Roaming\Mozilla\Firefox\Profiles\smrj9qjf.default\extensions
[2011/09/26 22:06:00 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Users\Unknown\AppData\Roaming\Mozilla\Firefox\Profiles\smrj9qjf.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2011/08/25 19:04:14 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Unknown\AppData\Roaming\Mozilla\Firefox\Profiles\smrj9qjf.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/10/10 23:58:06 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Unknown\AppData\Roaming\Mozilla\Firefox\Profiles\smrj9qjf.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/07/31 11:58:49 | 000,000,000 | ---D | M] (20-20 3D Viewer - IKEA) -- C:\Users\Unknown\AppData\Roaming\Mozilla\Firefox\Profiles\smrj9qjf.default\extensions\2020Player_IKEA@2020Technologies.com
[2011/09/07 08:50:11 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\Unknown\AppData\Roaming\Mozilla\Firefox\Profiles\smrj9qjf.default\extensions\firefox@ghostery.com
[2011/07/31 15:56:28 | 000,000,951 | ---- | M] () -- C:\Users\Unknown\AppData\Roaming\Mozilla\Firefox\Profiles\smrj9qjf.default\searchplugins\conduit.xml
[2011/06/10 20:40:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/10 20:40:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
() (No name found) -- C:\USERS\UNKNOWN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\SMRJ9QJF.DEFAULT\EXTENSIONS\CANITBECHEAPER@TRAFFICBROKER.CO.UK.XPI
[2011/09/29 21:42:31 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/09/29 21:41:31 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Unknown\AppData\Local\Google\Chrome\Application\12.0.742.100\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Unknown\AppData\Local\Google\Chrome\Application\12.0.742.100\pdf.dll
CHR - plugin: Chrome NaCl (Disabled) = C:\Users\Unknown\AppData\Local\Google\Chrome\Application\12.0.742.100\ppGoogleNaClPluginChrome.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Users\Unknown\AppData\Local\Google\Chrome\Application\12.0.742.100\gears.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Unknown\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Users\Unknown\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.5.7_0\
CHR - Extension: Poppit = C:\Users\Unknown\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (ZoneAlarm Security Suite Toolbar) - {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll (Conduit Ltd.)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Suite Toolbar) - {3ce45c4f-bfff-4988-9a3c-a75c1f491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZone.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\S-1-5-21-2572382878-2847236798-4245784224-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ThpSrv] C:\Windows\System32\thpsrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-21-2572382878-2847236798-4245784224-1000..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\Unknown\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PrcView.lnk = C:\Users\Unknown\Desktop\PView\PrcView.exe ( )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8688387A-3601-4237-AA11-DB14E28A0201}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A5FD6D2C-44B9-4286-B547-1240046B0969}: DhcpNameServer = 192.168.1.1
O20 - AppInit_DLLs: (C:\Windows\System32\acaptuser32.dll) -C:\Windows\System32\acaptuser32.dll (Adobe Systems Incorporated)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{855ea226-cd4a-11e0-8288-001e33f55663}\Shell - "" = AutoRun
O33 - MountPoints2\{855ea226-cd4a-11e0-8288-001e33f55663}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{855ea2e0-cd4a-11e0-8288-001e33f55663}\Shell - "" = AutoRun
O33 - MountPoints2\{855ea2e0-cd4a-11e0-8288-001e33f55663}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{cc0aee97-8441-11e0-b33e-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{cc0aee97-8441-11e0-b33e-806e6f6e6963}\Shell\AutoRun\command - "" = D:\reatogoMenu.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/17 00:15:09 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Unknown\Desktop\OTL.exe
[2011/10/14 22:24:16 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/10/14 18:57:46 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Roaming\SUPERAntiSpyware.com
[2011/10/14 18:57:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2011/10/14 18:57:09 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2011/10/14 18:57:09 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/10/12 23:18:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn
[2011/10/12 21:57:00 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/10/12 21:56:58 | 001,798,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/10/12 21:56:58 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/10/12 21:56:58 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/10/12 21:56:57 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/10/12 21:53:44 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2011/10/12 21:53:44 | 000,075,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax
[2011/10/12 21:53:18 | 002,334,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011/10/12 19:31:16 | 000,000,000 | ---D | C] -- C:\Users\Unknown\Desktop\SCAN TOOLS
[2011/10/11 08:38:17 | 000,094,896 | ---- | C] (Kaspersky Lab, GERT) -- C:\Windows\System32\drivers\61436751.sys
[2011/10/11 08:30:23 | 000,000,000 | ---D | C] -- C:\Users\Unknown\Desktop\log
[2011/10/11 08:29:49 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/10/11 08:29:49 | 000,065,808 | ---- | C] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/10/11 08:20:51 | 000,018,816 | ---- | C] (Sophos Group) -- C:\Windows\System32\SAVRKBootTasks.sys
[2011/10/11 01:25:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/10/11 01:25:25 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2011/10/09 23:49:37 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/10/09 23:49:37 | 000,000,000 | ---D | C] -- C:\Program Files\hijackthis
[2011/10/08 22:40:04 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Local\Sprint
[2011/10/08 11:42:11 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Roaming\Sierra Wireless
[2011/10/08 11:37:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sprint
[2011/10/08 11:37:28 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra Wireless
[2011/10/08 11:37:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Sprint
[2011/10/08 11:37:27 | 000,000,000 | ---D | C] -- C:\Program Files\Sprint
[2011/10/08 11:37:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PctelEapPeer Authentication
[2011/10/08 11:37:27 | 000,000,000 | ---D | C] -- C:\Program Files\Novatel Wireless
[2011/10/06 23:14:03 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Local\{F2584923-FA37-4C25-8E06-B9FBD49545EE}
[2011/10/02 20:47:34 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/10/01 22:37:39 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/10/01 22:37:39 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/10/01 22:37:39 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/10/01 22:37:19 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/10/01 22:37:03 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/10/01 22:00:37 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Roaming\Spycar
[2011/10/01 21:57:20 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Local\ElevatedDiagnostics
[2011/10/01 13:52:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\K-Lite Codec Pack
[2011/10/01 13:52:15 | 000,839,680 | ---- | C] (http://www.mp3dev.org/) -- C:\Windows\System32\lameACM.acm
[2011/10/01 13:52:15 | 000,151,552 | ---- | C] (fccHandler) -- C:\Windows\System32\ac3acm.acm
[2011/10/01 13:26:53 | 000,022,872 | R--- | C] (Adobe Systems Inc.) -- C:\Windows\System32\AdobePDFUI.dll
[2011/10/01 13:21:09 | 000,112,056 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\acaptuser32.dll
[2011/10/01 09:21:33 | 000,046,928 | ---- | C] (Adobe Systems Inc) -- C:\Windows\System32\AdobePDF.dll
[2011/09/27 21:16:41 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Local\{0FF3C1E6-9BAC-4449-B801-480C67D660C4}
[2011/09/26 11:01:09 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2011/09/26 08:12:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ACD Systems
[2011/09/26 08:12:31 | 000,000,000 | ---D | C] -- C:\Program Files\ACD Systems
[2011/09/25 09:43:42 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Local\Microsoft Games
[2011/09/21 11:27:42 | 000,000,000 | ---D | C] -- C:\Users\Unknown\Desktop\Aircrack
[2011/09/18 11:20:27 | 000,000,000 | ---D | C] -- C:\Users\Unknown\AppData\Roaming\TrueCrypt
[2011/09/18 11:19:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TrueCrypt
[2011/09/18 11:19:20 | 000,231,248 | ---- | C] (TrueCrypt Foundation) -- C:\Windows\System32\drivers\truecrypt.sys
[2011/09/18 11:19:20 | 000,000,000 | ---D | C] -- C:\Program Files\TrueCrypt
[2011/09/17 10:29:31 | 000,009,472 | ---- | C] (June Fabrics Technology) -- C:\Windows\System32\drivers\pnetmdm.sys
[2011/09/17 10:29:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PdaNet for iPhone
[2011/09/17 10:29:28 | 000,000,000 | ---D | C] -- C:\Program Files\PdaNet for iPhone

========== Files - Modified Within 30 Days ==========

[2011/10/17 00:15:17 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Unknown\Desktop\OTL.exe
[2011/10/16 23:50:00 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2572382878-2847236798-4245784224-1000UA.job
[2011/10/16 18:50:00 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2572382878-2847236798-4245784224-1000Core.job
[2011/10/15 09:23:44 | 000,021,280 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/15 09:23:44 | 000,021,280 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/15 09:15:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/10/15 09:15:17 | 2312,097,792 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/14 18:53:04 | 000,869,194 | ---- | M] () -- C:\Users\Unknown\Desktop\SecurityCheck.exe
[2011/10/12 22:11:22 | 000,416,272 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/10/12 00:45:30 | 000,007,601 | ---- | M] () -- C:\Users\Unknown\AppData\Local\Resmon.ResmonCfg
[2011/10/11 09:08:40 | 000,020,992 | ---- | M] () -- C:\Users\Unknown\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/11 08:38:17 | 000,094,896 | ---- | M] (Kaspersky Lab, GERT) -- C:\Windows\System32\drivers\61436751.sys
[2011/10/11 08:30:23 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/10/11 08:30:23 | 000,065,808 | ---- | M] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/10/09 23:18:04 | 000,615,360 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/10/09 23:18:04 | 000,549,322 | ---- | M] () -- C:\Windows\System32\perfh008.dat
[2011/10/09 23:18:04 | 000,103,702 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/10/09 23:18:04 | 000,086,054 | ---- | M] () -- C:\Windows\System32\perfc008.dat
[2011/10/02 10:42:09 | 000,000,020 | ---- | M] () -- C:\Users\Unknown\defogger_reenable
[2011/10/02 09:02:48 | 000,151,568 | ---- | M] () -- C:\Users\Unknown\Documents\cc_20111002_090234.reg
[2011/10/01 21:08:01 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/09/27 21:13:04 | 4246,732,800 | ---- | M] () -- C:\Users\Unknown\Documents\Vault
[2011/09/26 11:15:47 | 000,679,841 | ---- | M] () -- C:\Users\Unknown\Documents\Base Cabinets.pdf
[2011/09/26 08:34:23 | 000,002,500 | ---- | M] () -- C:\Windows\Sandboxie.ini
[2011/09/18 11:19:20 | 000,231,248 | ---- | M] (TrueCrypt Foundation) -- C:\Windows\System32\drivers\truecrypt.sys

========== Files Created - No Company Name ==========

[2011/10/14 18:53:02 | 000,869,194 | ---- | C] () -- C:\Users\Unknown\Desktop\SecurityCheck.exe
[2011/10/02 10:41:53 | 000,000,020 | ---- | C] () -- C:\Users\Unknown\defogger_reenable
[2011/10/02 09:02:38 | 000,151,568 | ---- | C] () -- C:\Users\Unknown\Documents\cc_20111002_090234.reg
[2011/10/01 22:37:39 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/10/01 22:37:39 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/10/01 22:37:39 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/10/01 22:37:39 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/10/01 13:52:16 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
[2011/10/01 13:52:15 | 000,650,752 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2011/10/01 13:52:15 | 000,243,200 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2011/10/01 13:52:15 | 000,074,752 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2011/10/01 13:52:15 | 000,000,414 | ---- | C] () -- C:\Windows\System32\lame_acm.xml
[2011/09/27 21:10:59 | 4246,732,800 | ---- | C] () -- C:\Users\Unknown\Documents\Vault
[2011/09/26 11:15:47 | 000,679,841 | ---- | C] () -- C:\Users\Unknown\Documents\Base Cabinets.pdf
[2011/08/23 01:24:20 | 000,007,601 | ---- | C] () -- C:\Users\Unknown\AppData\Local\Resmon.ResmonCfg
[2011/07/25 02:18:33 | 000,008,192 | ---- | C] () -- C:\Windows\System32\srvany.exe
[2011/06/30 01:48:20 | 000,020,992 | ---- | C] () -- C:\Users\Unknown\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/07 00:53:25 | 000,002,500 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2011/05/23 01:44:16 | 000,549,322 | ---- | C] () -- C:\Windows\System32\perfh008.dat
[2011/05/23 01:44:16 | 000,369,984 | ---- | C] () -- C:\Windows\System32\perfi008.dat
[2011/05/23 01:44:16 | 000,086,054 | ---- | C] () -- C:\Windows\System32\perfc008.dat
[2011/05/23 01:44:16 | 000,045,182 | ---- | C] () -- C:\Windows\System32\perfd008.dat
[2011/05/23 00:05:46 | 000,175,616 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2010/11/20 17:29:34 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2010/11/20 17:29:26 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010/01/12 20:09:52 | 000,275,255 | ---- | C] () -- C:\Windows\closesec.exe
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:33:53 | 000,416,272 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,615,360 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,103,702 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 20:59:20 | 000,000,256 | ---- | C] () -- C:\Windows\System32\brmsl07a.bin
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/13 18:09:19 | 000,982,196 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2009/07/13 18:09:19 | 000,417,344 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2009/07/13 18:09:19 | 000,139,824 | ---- | C] () -- C:\Windows\System32\igfcg500.bin
[2009/07/13 18:09:19 | 000,097,448 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

< End of report >

---------------

Below are the Extras.txt results:

OTL Extras logfile created on: 10/17/2011 12:15:59 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Unknown\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.34 Gb Available Physical Memory | 46.54% Memory free
3.87 Gb Paging File | 2.54 Gb Available in Paging File | 65.52% Paging File free
Paging file location(s): c:\pagefile.sys 1024 1024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 453.62 Gb Total Space | 8.67 Gb Free Space | 1.91% Space Free | Partition Type: NTFS
Drive F: | 1.46 Gb Total Space | 1.27 Gb Free Space | 86.52% Space Free | Partition Type: NTFS

Computer Name: UNKNOWN-PC | User Name: Unknown | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2572382878-2847236798-4245784224-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDSee Pro 4.Manage] -- "C:\Program Files\ACD Systems\ACDSee Pro\4.0\ACDSeeQVPro4.exe" "%1" (ACD Systems International Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{022CBB38-CEF0-42BA-906A-A49BEFAE0BEE}" = RICOH R5U230 Media Driver ver.2.06.03.02
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0FB630AB-7BD8-40AE-B223-60397D57C3C9}" = Realtek WLAN Driver
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX880_series" = Canon MX880 series MP Drivers
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1EAC1D02-C6AC-4FA6-9A44-96258C37C812}_is1" = World of Tanks v.0.6.4
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{20187EBD-71B1-4913-AEFF-6E2E2A444434}" = Giganews Accelerator
"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java™ 6 Update 26
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{35AF2D74-7048-876E-1869-68B6D635F446}" = Chief Architect X2
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4647BF57-21C4-4BC8-BA1B-E57A30EE1D31}" = Sprint SmartView
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{6503D8CE-272E-492B-BA45-72044323341E}" = Xacti Simple Uploader
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{84598521-7A52-49F6-A91E-E73E6086AB4C}" = ZoneAlarm Firewall
"{88D4FE78-6EA6-4DFB-9FC2-8BC316F0C2FD}" = ACDSee Pro 4
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9E384B32-59C8-46EF-BEA6-4DC8F27CDB8E}" = InstallVC90Support
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Franšais, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}_946" = Adobe Acrobat 9.4.6 - CPSID_83708
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Franšais, Deutsch
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{BB49995D-1C6B-4138-A1C9-1E40E9FC69E7}" = ZoneAlarm Security
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240C2}" = WinZip 15.5
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D5753D24-A0EC-4F0E-89A2-C4BD0258E5F2}" = ACDSee RAW Plug-In Update 4.2 for ACDSee Pro 4
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E42E07F5-5A90-4BA9-B55A-79FCF9EAF9B5}" = STK02N 2.3
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Canon MX880 series User Registration" = Canon MX880 series User Registration
"Canon_IJ_Network_Scanner_Selector_EX" = Canon IJ Network Scanner Selector EX
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenuEX" = Canon Solution Menu EX
"DvrPlayer" = DvrPlayer (remove only)
"Easy-PhotoPrint EX" = Canon Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"ESET Online Scanner" = ESET Online Scanner v3
"Forte Agent" = FortÚ Agent
"ImgBurn" = ImgBurn
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"KLiteCodecPack_is1" = K-Lite Codec Pack 7.7.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Mozilla Firefox 7.0.1 (x86 en-US)" = Mozilla Firefox 7.0.1 (x86 en-US)
"MP Navigator EX 4.1" = Canon MP Navigator EX 4.1
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"PdaNet_is1" = PdaNet Desktop for iPhone 1.54
"QuickPar" = QuickPar 0.9
"Sandboxie" = Sandboxie 3.54 (32-bit)
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.20
"Speed Dial Utility" = Canon Speed Dial Utility
"TrueCrypt" = TrueCrypt
"WinLiveSuite" = Windows Live Essentials
"Wootalyzer" = Wootalyzer!
"Xilisoft Video Converter Ultimate 6" = Xilisoft Video Converter Ultimate 6
"ZoneAlarm Pro" = ZoneAlarm Pro
"ZoneAlarm Toolbar" = ZoneAlarm Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2572382878-2847236798-4245784224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/14/2011 11:49:55 PM | Computer Name = Unknown-PC | Source = WinMgmt | ID = 10
Description =

Error - 10/15/2011 9:17:10 AM | Computer Name = Unknown-PC | Source = WinMgmt | ID = 10
Description =

Error - 10/15/2011 11:08:26 AM | Computer Name = Unknown-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Chief Architect\Chief
Architect X2\Drivers\amd64\DPInst.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 10/15/2011 11:08:29 AM | Computer Name = Unknown-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Sprint\Sprint
SmartView\OemDriverManager64.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 10/15/2011 11:09:32 AM | Computer Name = Unknown-PC | Source = Application Error | ID = 1000
Description = Faulting application name: rundll32.exe_aepdu.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bc637 Faulting module name: aeinv.dll, version: 6.1.7601.17514,
time stamp: 0x4ce7b70c Exception code: 0xc0000006 Fault offset: 0x0003c40f Faulting
process id: 0x7dc Faulting application start time: 0x01cc8b4c30e0b07a Faulting application
path: C:\Windows\system32\rundll32.exe Faulting module path: C:\Windows\system32\aeinv.dll
Report
Id: af65f811-f73f-11e0-aa4e-0026b61f2934

Error - 10/15/2011 11:09:32 AM | Computer Name = Unknown-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file C:\Program Files\Microsoft Office\Office14\1033\CLVWINTL.DLL
for one of the following reasons: there is a problem with the network connection,
the disk that the file is stored on, or the storage drivers installed on this computer;
or the disk is missing. Windows closed the program Windows host process (Rundll32)
because of this error. Program: Windows host process (Rundll32) File: C:\Program
Files\Microsoft Office\Office14\1033\CLVWINTL.DLL The error value is listed in the
Additional Data section. User Action 1. Open the file again. This situation might
be a temporary problem that corrects itself when the program runs again. 2. If the
file still cannot be accessed and - It is on the network, your network administrator
should verify that there is not a problem with the network and that the server
can be contacted. - It is on a removable disk, for example, a floppy disk or CD-ROM,
verify that the disk is fully inserted into the computer. 3. Check and repair the
file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD,
and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4.
If the problem persists, restore the file from a backup copy. 5. Determine whether
other files on the same disk can be opened. If not, the disk might be damaged.
If it is a hard disk, contact your administrator or computer hardware vendor for
further
assistance. Additional Data Error value: C000009C Disk type: 3

Error - 10/16/2011 1:12:11 AM | Computer Name = Unknown-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Chief Architect\Chief
Architect X2\Drivers\amd64\DPInst.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 10/16/2011 1:12:19 AM | Computer Name = Unknown-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\Sprint\Sprint
SmartView\OemDriverManager64.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 10/16/2011 1:13:52 AM | Computer Name = Unknown-PC | Source = Application Error | ID = 1000
Description = Faulting application name: rundll32.exe_aepdu.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bc637 Faulting module name: aeinv.dll, version: 6.1.7601.17514,
time stamp: 0x4ce7b70c Exception code: 0xc0000006 Fault offset: 0x0003c40f Faulting
process id: 0x8e8 Faulting application start time: 0x01cc8bc1f65fe1ce Faulting application
path: C:\Windows\system32\rundll32.exe Faulting module path: C:\Windows\system32\aeinv.dll
Report
Id: a2a08826-f7b5-11e0-aa4e-0026b61f2934

Error - 10/16/2011 1:13:52 AM | Computer Name = Unknown-PC | Source = Application Error | ID = 1005
Description = Windows cannot access the file C:\Program Files\Microsoft Office\Office14\1033\CLVWINTL.DLL
for one of the following reasons: there is a problem with the network connection,
the disk that the file is stored on, or the storage drivers installed on this computer;
or the disk is missing. Windows closed the program Windows host process (Rundll32)
because of this error. Program: Windows host process (Rundll32) File: C:\Program
Files\Microsoft Office\Office14\1033\CLVWINTL.DLL The error value is listed in the
Additional Data section. User Action 1. Open the file again. This situation might
be a temporary problem that corrects itself when the program runs again. 2. If the
file still cannot be accessed and - It is on the network, your network administrator
should verify that there is not a problem with the network and that the server
can be contacted. - It is on a removable disk, for example, a floppy disk or CD-ROM,
verify that the disk is fully inserted into the computer. 3. Check and repair the
file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD,
and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4.
If the problem persists, restore the file from a backup copy. 5. Determine whether
other files on the same disk can be opened. If not, the disk might be damaged.
If it is a hard disk, contact your administrator or computer hardware vendor for
further
assistance. Additional Data Error value: C000009C Disk type: 3

[ System Events ]
Error - 10/16/2011 6:21:42 AM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 10/16/2011 6:21:42 AM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 10/16/2011 9:39:45 AM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 10/16/2011 12:30:20 PM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 10/16/2011 12:30:20 PM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 10/16/2011 1:02:50 PM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 10/16/2011 1:02:50 PM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 10/16/2011 1:19:18 PM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 10/17/2011 12:13:27 AM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.

Error - 10/17/2011 12:13:31 AM | Computer Name = Unknown-PC | Source = Service Control Manager | ID = 7024
Description = The HomeGroup Listener service terminated with service-specific error
%%-2147023143.


< End of report >

-------------------


Please let me know what you find and what else I should do. Thanks again for your time and help!

Tom
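The OTL Extras log above is normally read by eye. As an added example (not part of this thread and not OTL's own code), here is a small Python parser for its Shell Spawning, Security Center Settings and Firewall Settings sections, with the checks a responder makes first; SAMPLE_LOG and the C:\PLACEHOLDER path inside it are constructed from the format posted above.

```python
"""Added example (not from the thread, not OTL's own code): parse the Shell
Spawning, Security Center and Firewall Settings sections of an OTL Extras.txt
log and flag what a responder checks first.  SAMPLE_LOG is constructed; the
C:\\PLACEHOLDER path stands in for whatever a real log would show."""
import re

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")             # ===== Name =====
REGKEY_RE = re.compile(r"^\[(.+)\]$")                     # [HKEY_...]
NAMEVAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "EnableFirewall" = 0
SPAWN_RE = re.compile(r"^(\S+) \[([^\]]+)\] -- (.*)$")     # exefile [open] -- "%1" %*

# Launchers whose [open] verb should hand the file straight to the loader.
EXPECTED_OPEN = {"exefile", "comfile", "batfile", "cmdfile", "piffile"}
DEFAULT_OPEN = '"%1" %*'

SAMPLE_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- C:\PLACEHOLDER\launcher.exe "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"""


def parse_extras(text):
    """Return {section: {registry key: {name: value}}}.

    In the Shell Spawning section the name is "progid [verb]" and the value
    is the command line OTL reported for it."""
    sections, section, regkey = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section, regkey = m.group(1), None
            sections[section] = {}
        elif section is None:
            continue
        elif (m := REGKEY_RE.match(line)):
            regkey = m.group(1)
            sections[section][regkey] = {}
        elif regkey is None:
            continue
        elif (m := SPAWN_RE.match(line)):
            sections[section][regkey][f"{m.group(1)} [{m.group(2)}]"] = m.group(3)
        elif (m := NAMEVAL_RE.match(line)):
            sections[section][regkey][m.group(1)] = m.group(2)
    return sections


def review(sections):
    """Return the findings a responder would want to see, as plain strings."""
    findings = []
    for entries in sections.get("Shell Spawning", {}).values():
        for name, command in entries.items():
            progid, verb = name[:-1].split(" [", 1)
            if progid in EXPECTED_OPEN and verb == "open" and command != DEFAULT_OPEN:
                # Any other command here means every program the user starts
                # is first routed through some other binary: inspect it.
                findings.append(f"{name} launches via: {command}")
            elif command.startswith("Reg Error:"):
                # OTL could not read the handler; confirm it in the registry.
                findings.append(f"{name} handler unreadable: {command}")
    for regkey, entries in sections.get("Firewall Settings", {}).items():
        profile = regkey.rsplit("\\", 1)[-1]
        if entries.get("EnableFirewall") == "0":
            # Expected when a third-party firewall (ZoneAlarm in this thread)
            # has registered with Security Center; still confirm which one.
            findings.append(f"Windows Firewall off for {profile}")
    for entries in sections.get("Security Center Settings", {}).values():
        for name, value in entries.items():
            if name.endswith("Override") and value != "0":
                # A non-zero override silences the corresponding warning.
                findings.append(f"Security Center {name} = {value}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_extras(SAMPLE_LOG)):
        print(finding)
```

Run against the real Extras.txt, the firewall finding for all three profiles should line up with the firewall product actually installed, as it does here with ZoneAlarm.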

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 17 October 2011 - 02:01 AM

Hi, it looks like you also ran combofix: please post me the log at c:\combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 NJPRO

NJPRO
  • Topic Starter

  • Members
  • 12 posts

Posted 17 October 2011 - 05:21 PM

Elise,

I tried to run combofix and it went through a bunch of things, then got to where it stated it was scanning for infected files. Zone alarm kept asking for permission to allow it to run various tasks, the last one was "mbr.3xe is trying to load the driver mbr". I allowed it, then there was some hd activity, then no activity and the computer was basically frozen. I tried to close the window but nothing. I tried to shut down from the start menu, but it didn't do anything. I could move my mouse and windows around, but couldn't start any programs and had to do a hard reset. What can I do now?

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 18 October 2011 - 02:42 AM

Can you please run Combofix from Safe Mode?

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 NJPRO

NJPRO
  • Topic Starter

  • Members
  • 12 posts

Posted 18 October 2011 - 08:28 AM

Elise,

Tried it in safe mode and same results. What next?

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 18 October 2011 - 10:19 AM

Please press Windows key + R, type combofix /nombr and press enter. Let me know if it runs like that.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 NJPRO

NJPRO
  • Topic Starter

  • Members
  • 12 posts

Posted 18 October 2011 - 06:42 PM

Elise - That worked. See log below:



ComboFix 11-10-18.04 - Unknown 10/18/2011 19:25:54.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2940.2118 [GMT -4:00]
Running from: c:\users\Unknown\Desktop\ComboFix.exe
Command switches used :: /nombr
FW: ZoneAlarm Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\icsxml
c:\windows\system32\icsxml\cmnicfg.xml
c:\windows\system32\icsxml\ipcfg.xml
c:\windows\system32\icsxml\osinfo.xml
c:\windows\system32\icsxml\potscfg.xml
c:\windows\system32\icsxml\pppcfg.xml
.
.
((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))
.
.
2011-10-15 02:24 . 2011-10-15 02:24 -------- d-----w- c:\program files\ESET
2011-10-14 22:57 . 2011-10-17 22:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-13 01:57 . 2011-09-01 02:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-13 01:53 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-13 01:53 . 2011-08-27 04:26 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-13 01:53 . 2011-08-17 04:24 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-13 01:53 . 2011-08-17 04:19 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-13 01:53 . 2011-09-06 02:28 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-11 12:38 . 2011-10-11 12:38 94896 ----a-w- c:\windows\system32\drivers\61436751.sys
2011-10-11 12:29 . 2011-10-11 12:30 65808 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-10-11 12:29 . 2011-10-11 12:30 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-11 12:20 . 2011-05-12 18:05 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-10-11 05:25 . 2011-10-11 05:25 -------- d-----w- c:\program files\Sophos
2011-10-08 15:37 . 2011-10-08 15:37 -------- d-----w- c:\program files\Sierra Wireless
2011-10-08 15:37 . 2011-10-08 15:37 -------- d-----w- c:\program files\Sprint
2011-10-08 15:37 . 2011-10-08 15:37 -------- d-----w- c:\program files\Novatel Wireless
2011-10-08 15:37 . 2011-10-08 15:37 -------- d-----w- c:\program files\Common Files\PctelEapPeer Authentication
2011-10-03 00:47 . 2011-10-03 00:47 -------- d-----w- C:\_OTL
2011-10-01 17:52 . 2011-08-29 08:00 74752 ----a-w- c:\windows\system32\ff_vfw.dll
2011-10-01 17:52 . 2011-07-16 14:17 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-10-01 17:52 . 2011-06-24 14:44 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2011-10-01 17:52 . 2011-06-24 14:28 650752 ----a-w- c:\windows\system32\xvidcore.dll
2011-10-01 17:52 . 2008-09-24 18:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-10-01 17:26 . 2009-08-20 03:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-10-01 17:21 . 2010-09-22 22:47 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2011-10-01 13:21 . 2009-08-20 03:50 46928 ----a-w- c:\windows\system32\AdobePDF.dll
2011-09-26 15:01 . 2011-09-26 15:01 -------- d-----w- c:\program files\Apple Software Update
2011-09-26 12:12 . 2011-09-26 12:12 -------- d-----w- c:\program files\ACD Systems
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-02 01:08 . 2011-05-22 05:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-18 15:19 . 2011-09-18 15:19 231248 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2011-08-31 21:00 . 2011-05-22 16:25 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-30 01:42 . 2011-05-22 06:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{3ce45c4f-bfff-4988-9a3c-a75c1f491319}"= "c:\program files\ZoneAlarm_Security_Suite\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ZoneAlarm_Security_Suite\prxtbZone.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3ce45c4f-bfff-4988-9a3c-a75c1f491319}"= "c:\program files\ZoneAlarm_Security_Suite\prxtbZone.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{3ce45c4f-bfff-4988-9a3c-a75c1f491319}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-17 4615552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-21 476512]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-05-30 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-07-12 71824]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BestCrypt Auto Open.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BestCrypt Auto Open.lnk
backup=c:\windows\pss\BestCrypt Auto Open.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 22:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-09-07 19:53 40376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 01:59 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCWipeTM Startup]
2010-03-04 09:44 992568 ----a-w- c:\program files\Jetico\BestCrypt\BCWipeTM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BestCrypt Volume Encryption]
2010-03-19 11:29 1467704 ----a-w- c:\program files\Jetico\BestCrypt\BC_VE\bcfmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2010-07-26 02:08 2569616 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenuEx]
2010-09-14 22:09 1213848 ----a-w- c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
2010-09-09 18:38 452016 ----a-w- c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RDVCHG]
2010-12-15 18:54 316736 ----a-w- c:\program files\Sprint\Sprint SmartView\RDVCHG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sprint SmartView]
2010-12-15 18:54 75072 ----a-w- c:\program files\Sprint\Sprint SmartView\SprintSV.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R2 KMService;KMService;c:\windows\system32\srvany.exe [2003-04-18 8192]
R3 38394501;38394501; [x]
R3 BCBUST;BCBUST;c:\users\Unknown\AppData\Local\Temp\~BCTraveller.TMP\drivers\Drivers2000\BCBUST.sys [x]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [2009-07-14 265088]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [2009-07-13 11904]
R3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [2010-12-15 124224]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\CAE.tmp [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-06-05 1343400]
R4 bcveServ;bcveServ;c:\program files\Jetico\BestCrypt\BC_VE\bcveserv.exe [2009-03-24 66288]
R4 BCWipeSvc;BCWipe service;c:\program files\Jetico\BestCrypt\BCWipeSvc.exe [2009-12-25 95544]
R4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2011-05-30 493184]
R4 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [2010-01-11 82944]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-06-30 697328]
S0 bcfnt;bcfnt; [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 30272]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 13120]
S1 BC_3DES;BC_3DES; [x]
S1 BC_BF128;BC_BF128; [x]
S1 BC_BF448;BC_BF448; [x]
S1 BC_BFish;BC_BFish; [x]
S1 BC_CAST;BC_CAST; [x]
S1 BC_DES;BC_DES; [x]
S1 BC_Gost;BC_Gost; [x]
S1 BC_IDEA;BC_IDEA; [x]
S1 BC_RC6;BC_RC6; [x]
S1 BC_RIJN;BC_RIJN; [x]
S1 BC_SERP;BC_SERP; [x]
S1 BC_TFISH;BC_TFISH; [x]
S1 bcbus;BestCrypt bus driver;c:\windows\system32\DRIVERS\bcbus.sys [2010-01-14 49984]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-05-12 18816]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2011-05-30 27016]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-07-02 47104]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-07-28 49152]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-07-04 38400]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 mhk;mhk; [x]
S3 moh;moh; [x]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-10-02 862208]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Unknown\AppData\Roaming\Mozilla\Firefox\Profiles\smrj9qjf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3015261&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-18 19:35:17
ComboFix-quarantined-files.txt 2011-10-18 23:35
.
Pre-Run: 68,145,152 bytes free
Post-Run: 21,753,856 bytes free
.
- - End Of File - - F7E859FC479CD3CE7F0AD70CCC38B343
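The service and driver section of the ComboFix log above is where a helper looks first for registrations that need a follow-up question: an image file ComboFix could not find (`[x]`), a driver loaded from a user's Temp directory, or an image with a non-executable extension. The script below is an added example, not code from the thread or from ComboFix; it assumes the line format ComboFix uses (`R`/`S` running state, a start-type digit, then `name;display name;path [date size]` or `[x]`) and runs over a constructed sample made from a few lines of the log above. A hit means "ask about this entry", not proof of infection: leftovers from an uninstalled tool look the same in the log as something malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a handful of service/driver lines in the format ComboFix
# uses (<state><start type> <name>;<display name>;<image path> [<date> <size>] or [x]).
SAMPLE_LOG = r"""
R3 BCBUST;BCBUST;c:\users\Unknown\AppData\Local\Temp\~BCTraveller.TMP\drivers\Drivers2000\BCBUST.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\CAE.tmp [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-06-30 697328]
S0 bcfnt;bcfnt; [x]
S1 bcbus;BestCrypt bus driver;c:\windows\system32\DRIVERS\bcbus.sys [2010-01-14 49984]
S3 mhk;mhk; [x]
"""

# Start-type digit as used by the Windows service control manager (assumption: ComboFix
# mirrors it: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*?)\s*"
    r"\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    path: str
    file_present: bool


@dataclass
class Finding:
    name: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        name=m["name"],
        display=m["display"],
        running=m["state"] == "R",
        start_type=START_TYPES.get(m["start"], "unknown"),
        path=m["path"].strip(),
        # ComboFix prints [x] in place of date/size when the image file is not on disk.
        file_present=m["info"].strip().lower() != "x",
    )


def assess(entry: ServiceEntry) -> List[str]:
    """Return the reasons an entry deserves a follow-up question (empty list if none)."""
    reasons: List[str] = []
    p = entry.path.lower()
    if not entry.file_present:
        # Boot- and system-start drivers load before most defensive software, so a
        # missing image there is more interesting than an orphaned manual-start entry.
        if entry.start_type in ("boot", "system"):
            reasons.append("boot/system-start driver whose image file is missing")
        else:
            reasons.append("image file missing (orphaned registration)")
    if entry.path:
        if "\\temp\\" in p or "\\appdata\\local\\temp" in p:
            reasons.append("image registered from a temporary directory")
        if not p.endswith((".sys", ".exe", ".dll")):
            reasons.append("image has a non-executable extension")
    return reasons


def triage(text: str) -> List[Finding]:
    """Run assess() over every parsable line and collect the entries that were flagged."""
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry.name, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: " + "; ".join(f.reasons))
```

Run against the sample it flags BCBUST (missing, and registered from Temp), MEMSWEEP2 (missing, `.tmp` image), bcfnt (boot-start, missing) and mhk (missing), and leaves the Toshiba, Microsoft and BestCrypt entries with intact images alone. To use it on a real log, paste the whole service section into `SAMPLE_LOG` or read it from a file; lines in other sections are skipped by the regex.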

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:03 PM

Posted 19 October 2011 - 05:35 AM

How are things running at this point? Any problem left?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#14 NJPRO

NJPRO
  • Topic Starter

  • Members
  • 12 posts
  • Local time:12:03 PM

Posted 19 October 2011 - 07:18 AM

The laptop runs ok, but I do get long pauses every now and then. Just doesn't seem right. What do you think is causing certain programs to freeze? Seems like anything to do with MBR. What can I do for that? Thanks again for taking the time to help!

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:03 PM

Posted 19 October 2011 - 07:40 AM

Did you do a disk check at any point? If not, do it as follows.
Click Start > Programs > Accessories, right-click on Command Prompt and select Run as Administrator.

Type chkdsk /r and press Enter. If asked to schedule the disk check for the next reboot, confirm (Y).
Restart your computer and let the disk check run unhindered.
When done, let me know if you notice any change.

regards, Elise

