
Infected with "Rootkit.MBR.Sst.a (v)" VIPRE cannot clean


  • This topic is locked
43 replies to this topic

#1 carseats

  • Members
  • 24 posts

Posted 20 October 2011 - 11:24 AM

Hello,

I am new to this forum and I see that you have helped with similar problems as I have, so I hope you can help me too.

My VIPRE software recently detected a Rootkit on my computer (Rootkit.MBR.Sst.a) that cannot be cleaned or quarantined.

I am not really noticing any problems with the computer other than it may be a little slower than normal and getting a lot of SPAM emails.

I had a trojan virus on this computer several weeks ago that VIPRE support helped me remove using MalwareBytes' and maybe this was something that was not removed from then? Not sure.

I'm hoping you can help get rid of this.

As per your Preparation Guide I have run the Defogger program.

I have tried to run the DDS program a few different times and the program starts running fine and the "######" start appearing, but after about 3-4 minutes it seems to stall and freezes. If I leave it the screen goes black and then I have to manually shut the computer off by holding down the ON button (Toshiba Satellite) until the computer shuts off. So, I am unable to save a DDS.txt or attach.txt log files.

I was able to run the GMER program and the Ark.txt file is attached.

Thank you in advance for any help you can give me.

Jim

Attached Files

  • ark.txt   5.52KB   6 downloads




#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 20 October 2011 - 04:16 PM

Good evening. :)

Download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Quick Scan button and allow it to do its thing.
  • Once complete, it should open two Notepad Windows - OTL.Txt and Extras.Txt
  • It should also save copies in the same location as OTL.
  • I want you to copy and paste the contents of OTL.txt that should appear into one reply and Extras.Txt into another.
  • The length of the two logs sometimes results in the end being chopped off if you post both in one reply.

So long, and thanks for all the fish.



#3 carseats

  • Topic Starter
  • Members
  • 24 posts

Posted 20 October 2011 - 05:18 PM

Here are the contents of the OTL.txt file:

OTL logfile created on: 10/20/2011 5:32:46 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Seats4cars .com\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 72.09% Memory free
2.56 Gb Paging File | 2.18 Gb Available in Paging File | 85.18% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 5.11 Gb Free Space | 9.14% Space Free | Partition Type: NTFS
Drive X: | 928.30 Gb Total Space | 864.78 Gb Free Space | 93.16% Space Free | Partition Type: NTFS

Computer Name: TOUAREG | User Name: Seats4cars .com | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/20 17:27:37 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Seats4cars .com\Desktop\OTL.scr
PRC - [2011/10/20 17:08:51 | 000,059,964 | ---- | M] (Macrovision Europe Ltd.) -- C:\Documents and Settings\Seats4cars .com\Local Settings\Temp\Adobelm_Cleanup.0001
PRC - [2011/09/06 12:42:34 | 001,357,136 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
PRC - [2011/09/06 12:29:56 | 002,804,280 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
PRC - [2011/09/06 12:29:38 | 000,181,584 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/06/22 08:13:46 | 000,984,936 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2011/06/22 06:57:14 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2010/05/03 14:31:35 | 000,040,960 | ---- | M] (Easy Systems Japan Ltd.) -- C:\WINDOWS\system32\ezSP_Px.exe
PRC - [2008/04/23 02:08:13 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/05/16 23:12:59 | 000,075,376 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
PRC - [2005/01/19 11:39:16 | 000,217,088 | ---- | M] (Labtec Inc.) -- C:\Program Files\Logitech\Video\LogiTray.exe
PRC - [2005/01/19 11:21:48 | 000,192,512 | ---- | M] (Labtec Inc.) -- C:\Program Files\Logitech\Video\FxSvr2.exe
PRC - [2005/01/19 11:05:48 | 000,221,184 | ---- | M] (Labtec Inc.) -- C:\WINDOWS\system32\LVCOMSX.EXE
PRC - [2004/05/27 14:49:44 | 001,433,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2004/05/13 13:46:02 | 000,053,248 | ---- | M] () -- c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
PRC - [2003/11/20 01:15:38 | 000,278,528 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2003/11/20 01:13:54 | 000,045,056 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2003/10/15 20:03:38 | 000,073,728 | ---- | M] (TOSHIBA Corp.) -- C:\WINDOWS\system32\TFNF5.exe
PRC - [2003/09/04 02:00:18 | 000,028,672 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2003/08/18 13:51:02 | 000,102,400 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
PRC - [2003/05/23 17:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe
PRC - [2003/04/16 00:01:28 | 000,258,048 | ---- | M] (TOSHIBA Corp.) -- C:\WINDOWS\system32\00THotkey.exe
PRC - [2003/03/14 15:38:12 | 000,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe
PRC - [2003/01/21 22:00:06 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TouchED\TouchED.exe
PRC - [2003/01/02 20:16:00 | 000,172,032 | ---- | M] (Agere Systems) -- C:\Program Files\ltmoh\ltmoh.exe
PRC - [2002/09/20 20:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/20 17:09:00 | 000,697,884 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0001\~df394b.tmp
MOD - [2011/10/20 17:08:51 | 000,697,884 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000\~df394b.tmp
MOD - [2011/10/20 17:08:51 | 000,573,952 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000\~de7b92.tmp
MOD - [2011/10/12 21:21:22 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll
MOD - [2011/10/12 21:21:05 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
MOD - [2011/10/12 21:20:09 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/10/11 14:50:10 | 000,193,904 | ---- | M] () -- C:\Program Files\Sunbelt Software\VIPRE\Definitions\libMachoUniv.dll
MOD - [2011/10/11 14:50:08 | 000,210,288 | ---- | M] () -- C:\Program Files\Sunbelt Software\VIPRE\Definitions\libBase64.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/01/19 11:20:14 | 000,308,560 | ---- | M] () -- C:\Program Files\Sunbelt Software\VIPRE\vipre.dll
MOD - [2008/07/05 10:32:44 | 000,094,720 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2005/12/22 17:28:40 | 000,160,768 | ---- | M] () -- C:\Program Files\Sunbelt Software\VIPRE\unrar.dll
MOD - [2005/10/07 16:05:32 | 000,125,440 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2004/05/13 13:46:02 | 000,053,248 | ---- | M] () -- c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
MOD - [2002/07/04 13:38:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ArcSoft\Software Suite\PhotoImpression\Share\PIHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/09/06 12:29:56 | 002,804,280 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe -- (SBAMSvc)
SRV - [2011/09/06 12:29:38 | 000,181,584 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe -- (SBPIMSvc)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/06/22 06:57:14 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/11/18 16:45:28 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/04/13 20:11:55 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)
SRV - [2004/05/27 14:49:44 | 001,433,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2004/05/13 13:46:02 | 000,053,248 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2003/10/13 17:24:14 | 000,061,440 | ---- | M] (Adobe Sytems) [On_Demand | Stopped] -- C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe -- (AdobeVersionCue)
SRV - [2003/09/04 02:00:18 | 000,028,672 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2003/05/23 17:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2002/09/20 20:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/29 17:36:34 | 000,101,720 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2011/08/29 17:36:34 | 000,074,456 | ---- | M] (Sunbelt Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2011/08/29 17:36:34 | 000,021,592 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbaphd.sys -- (sbaphd)
DRV - [2011/04/05 17:35:20 | 000,212,568 | ---- | M] (Sunbelt Software, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbtis.sys -- (SbTis)
DRV - [2010/06/16 17:01:30 | 000,059,464 | ---- | M] (Ross-Tech LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RT-USB.SYS -- (RT-USB)
DRV - [2006/08/13 15:08:44 | 000,471,520 | ---- | M] (Tamosoft, Ltd.) [CommView] Atheros Wireless Network Adapter Service [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2005/12/08 09:11:42 | 000,913,408 | ---- | M] (Labtec Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV302AV.SYS -- (PID_08A0) Labtec WebCam(PID_08A0)
DRV - [2005/12/08 09:10:54 | 000,007,104 | ---- | M] (Labtec Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2005/12/08 09:10:38 | 000,022,016 | ---- | M] (Labtec Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2005/09/05 13:29:28 | 000,057,372 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2005/09/05 13:29:27 | 000,024,177 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2005/06/24 21:36:16 | 000,039,036 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2005/06/11 16:21:01 | 000,008,864 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CDAC15BA.SYS -- (CdaC15BA)
DRV - [2005/05/26 14:01:36 | 000,038,144 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2005/05/26 14:01:18 | 000,021,344 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2005/02/18 02:24:44 | 000,196,657 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0070Vid.sys -- (V0070VID)
DRV - [2004/06/06 10:34:31 | 000,011,861 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) WPA Security Protocol (IEEE 802.1x)
DRV - [2004/05/27 14:48:56 | 000,268,872 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2004/05/18 04:10:00 | 000,070,656 | ---- | M] (WIBU-SYSTEMS AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\WibuKey.sys -- (WIBUKEY)
DRV - [2003/11/07 20:43:12 | 000,100,109 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2003/11/06 09:39:32 | 000,049,792 | ---- | M] (OEM) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\oxser.sys -- (oxser)
DRV - [2003/11/06 09:39:18 | 000,004,992 | ---- | M] (OEM) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\oxmfuf.sys -- (Oxmfuf)
DRV - [2003/11/06 09:39:16 | 000,015,872 | ---- | M] (OEM) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\oxmf.sys -- (oxmf)
DRV - [2003/10/24 17:53:14 | 000,090,416 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)
DRV - [2003/09/30 04:00:00 | 000,017,408 | ---- | M] (WIBU-SYSTEMS AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Wibukey2.sys -- (Wibukey2)
DRV - [2003/08/28 22:40:26 | 000,189,792 | ---- | M] (Zone Labs Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2003/08/07 19:52:00 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\TVALZ.SYS -- (TVALZ)
DRV - [2003/07/24 19:55:50 | 000,139,604 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003/06/11 12:53:22 | 000,006,867 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (TBiosDrv)
DRV - [2003/05/14 21:38:32 | 000,025,888 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tsdhd.sys -- (tsdhd)
DRV - [2003/05/01 14:26:34 | 000,005,220 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2003/04/23 14:10:12 | 000,033,335 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wa301a.sys -- ({E2B953A6-195A-44F9-9BA3-3D5F4E32BB55})
DRV - [2003/02/12 13:03:54 | 000,015,143 | ---- | M] (TOSHIBA) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tossdpci.sys -- (pciSd)
DRV - [2003/01/29 18:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2002/12/20 17:07:00 | 001,164,576 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2002/10/07 14:56:09 | 000,038,176 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2002/10/01 13:22:32 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2002/09/26 05:41:00 | 000,076,288 | ---- | M] (Rainbow Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
DRV - [2002/09/26 05:41:00 | 000,026,120 | ---- | M] (Rainbow Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (SNTNLUSB)
DRV - [2002/04/06 23:50:56 | 000,019,607 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\TOSSMBNT.sys -- (tossmbnt)
DRV - [1998/02/21 14:48:04 | 000,005,248 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\Vichw11.sys -- (VICHW11)
DRV - [1996/09/27 08:10:48 | 000,003,584 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DLPORTIO.sys -- (DLPortIO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2027: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2088: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1040: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()


[2009/03/28 16:20:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Seats4cars .com\Application Data\Mozilla\Extensions
[2009/03/28 16:20:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Seats4cars .com\Application Data\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2011/08/23 12:47:20 | 000,437,286 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 15050 more lines...
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (MSN Search Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (MSN Search Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (MSN Search Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (MSN Search Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [000StTHK] C:\WINDOWS\System32\000StTHK.exe ()
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe (TOSHIBA Corp.)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe (Labtec Inc.)
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe (Labtec Inc.)
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\ltmoh.exe (Agere Systems)
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE (Labtec Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software)
O4 - HKLM..\Run: [TFncKy] TFncKy.exe File not found
O4 - HKLM..\Run: [TFNF5] C:\WINDOWS\System32\TFNF5.exe (TOSHIBA Corp.)
O4 - HKLM..\Run: [TouchED] C:\Program Files\Toshiba\TouchED\TouchED.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [VF0070 STISvc] C:\WINDOWS\System32\V0070Pin.dll (Creative Technology Ltd.)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CardMinder Viewer.lnk = C:\Program Files\PFU\PFU\ScanSnap\CardMinder\CardLauncher.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe (Cisco Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk = C:\Program Files\PFU\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ScanSnap Manager.lnk = C:\Program Files\PFU\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Seats4cars .com\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: &MSN Search - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Open in new background tab - C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll (Microsoft Corporation)
O8 - Extra context menu item: Open in new foreground tab - C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll (Microsoft Corporation)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/6/7/5/675d28f5-2a8e-4bac-bd9b-ee147f352714/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab (HPSDDX Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab (VerifyGMN Class)
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control)
O16 - DPF: {3F4AC0C9-3A7D-4115-99B4-2693DE0014AF} http://optimum.net/downloads/TNetworkScannerXControl.ocx (TNetworkScanner Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab (ZoneIntro Class)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} http://192.168.1.118/CSViewer.cab (CSViewer Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.245.130 167.206.245.129 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F9B3ED4A-D5E7-441C-A4CD-24EC56BD32D6}: DhcpNameServer = 167.206.245.130 167.206.245.129 192.168.1.1
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Seats4cars .com\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Seats4cars .com\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...com [@ = comfile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/10/20 17:27:33 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Seats4cars .com\Desktop\OTL.scr
[2011/10/19 15:09:56 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/10/19 15:09:55 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/10/19 15:09:55 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/10/19 15:09:54 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/10/19 10:51:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Seats4cars .com\Desktop\gmer
[2011/10/19 09:57:05 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Seats4cars .com\Desktop\dds.scr
[2011/10/19 00:10:35 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/10/18 23:57:43 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/18 23:56:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/10/12 17:23:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/10/12 17:21:59 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/10/12 17:17:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/10/12 17:07:50 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/09/29 00:26:42 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Seats4cars .com\Recent
[2011/09/27 17:14:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sunbelt Software
[2011/09/26 21:08:11 | 000,123,904 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\hpf3l70w.dll
[2011/09/26 21:07:25 | 000,966,656 | R--- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\System32\hpwtiop5.dll
[2011/09/26 21:07:25 | 000,749,568 | R--- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpwwiax6.dll
[2011/09/26 21:07:25 | 000,315,392 | R--- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\System32\hpwvst01.dll
[2011/09/26 21:05:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP
[2011/09/26 21:04:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\hpoj4500g510g-m
[2011/09/26 21:01:57 | 000,000,000 | -H-D | C] -- C:\Config.Msi
[2011/09/26 11:41:20 | 000,220,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleacc.dll
[2011/09/26 11:41:14 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleaccrc.dll
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/20 17:27:37 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Seats4cars .com\Desktop\OTL.scr
[2011/10/20 15:44:00 | 000,000,336 | ---- | M] () -- C:\WINDOWS\tasks\HP Usg Daily.job
[2011/10/20 13:01:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/20 10:54:03 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2011/10/20 10:52:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/20 10:52:18 | 2129,514,496 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/19 17:02:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/10/19 10:01:10 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\defogger_reenable
[2011/10/19 09:59:08 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\Desktop\gmer.zip
[2011/10/19 09:57:06 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Seats4cars .com\Desktop\dds.scr
[2011/10/19 09:55:19 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\Desktop\Defogger.exe
[2011/10/19 00:10:53 | 000,000,342 | RHS- | M] () -- C:\boot.ini
[2011/10/18 22:58:55 | 000,000,117 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\Application Data\netstat.bat
[2011/10/12 21:40:07 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/10/12 21:32:05 | 000,458,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/12 21:19:20 | 000,493,256 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/12 21:19:20 | 000,094,054 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/12 21:10:58 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/10/12 17:26:56 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2011/10/12 17:23:07 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/10/10 11:46:04 | 000,049,152 | ---- | M] () -- C:\WINDOWS\DBNAMES.CFG
[2011/10/10 11:46:04 | 000,000,809 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2011/10/09 13:50:17 | 000,001,556 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Elab.lnk
[2011/10/03 11:31:50 | 000,000,582 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\Desktop\VCDS Release 10.6.lnk
[2011/10/03 05:06:16 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/10/03 05:06:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/10/03 05:06:14 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/10/03 05:06:03 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/10/03 04:35:11 | 005,971,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011/10/03 02:37:52 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/09/30 11:25:50 | 000,000,059 | ---- | M] () -- C:\WINDOWS\sview.ini
[2011/09/27 17:24:00 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/27 17:14:03 | 000,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VIPRE.lnk
[2011/09/26 21:33:48 | 000,036,046 | ---- | M] () -- C:\Documents and Settings\Seats4cars .com\My Documents\Plantation-FL_GMAC Affidavit.pdf
[2011/09/26 21:30:11 | 000,143,022 | ---- | M] () -- C:\WINDOWS\hpwins28.dat
[2011/09/26 21:09:45 | 000,205,268 | ---- | M] () -- C:\WINDOWS\hpwins26.dat
[2011/09/26 11:41:20 | 000,611,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\uiautomationcore.dll
[2011/09/26 11:41:20 | 000,220,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleacc.dll
[2011/09/26 11:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\oleaccrc.dll
[2011/09/26 11:41:14 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleaccrc.dll
[2011/09/23 16:02:32 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/19 10:01:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Seats4cars .com\defogger_reenable
[2011/10/19 09:59:05 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Seats4cars .com\Desktop\gmer.zip
[2011/10/19 09:55:19 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Seats4cars .com\Desktop\Defogger.exe
[2011/10/19 00:10:51 | 000,000,226 | ---- | C] () -- C:\Boot.bak
[2011/10/19 00:10:38 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/10/12 17:23:07 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/09/27 17:14:03 | 000,001,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VIPRE.lnk
[2011/09/26 21:33:48 | 000,036,046 | ---- | C] () -- C:\Documents and Settings\Seats4cars .com\My Documents\Plantation-FL_GMAC Affidavit.pdf
[2011/09/26 20:54:21 | 000,205,268 | ---- | C] () -- C:\WINDOWS\hpwins26.dat
[2011/09/26 20:54:21 | 000,000,370 | ---- | C] () -- C:\WINDOWS\hpwmdl26.dat
[2011/09/26 11:10:04 | 2129,514,496 | -HS- | C] () -- C:\hiberfil.sys
[2011/09/22 11:32:54 | 000,000,418 | ---- | C] () -- C:\WINDOWS\hpwmdl28.dat.temp
[2011/09/08 16:06:07 | 000,143,022 | ---- | C] () -- C:\WINDOWS\hpwins28.dat
[2011/09/08 16:06:07 | 000,000,418 | ---- | C] () -- C:\WINDOWS\hpwmdl28.dat
[2011/08/03 23:54:28 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\Seats4cars .com\Application Data\FixVTS.ini
[2011/03/17 12:07:44 | 000,020,992 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2011/01/05 15:57:00 | 000,093,421 | ---- | C] () -- C:\WINDOWS\HPHins03.dat
[2011/01/05 15:57:00 | 000,002,655 | ---- | C] () -- C:\WINDOWS\hphmdl03.dat
[2010/08/22 21:45:37 | 000,000,055 | ---- | C] () -- C:\WINDOWS\LiveUpdate.INI
[2010/08/06 22:39:06 | 000,083,048 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/04/12 13:11:26 | 000,000,161 | ---- | C] () -- C:\WINDOWS\DISPARAM.INI
[2010/04/10 19:46:18 | 000,000,117 | ---- | C] () -- C:\Documents and Settings\Seats4cars .com\Application Data\netstat.bat
[2010/03/23 18:06:21 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/12/08 23:50:13 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2008/09/27 14:49:22 | 000,000,799 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/12/10 19:47:28 | 000,101,376 | ---- | C] () -- C:\WINDOWS\System32\hpgt34.dll
[2007/11/29 18:30:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/11/28 17:52:32 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/11/28 15:28:13 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\VPN.dll
[2007/05/29 20:48:45 | 000,000,059 | ---- | C] () -- C:\WINDOWS\sview.ini
[2007/05/21 00:39:29 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/03/18 21:49:00 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\Unwise32.exe
[2007/01/18 17:36:49 | 000,028,768 | ---- | C] () -- C:\WINDOWS\javaw.exe
[2006/10/13 12:30:10 | 000,668,976 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/10/09 22:00:04 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ICOA.INI
[2006/10/09 21:59:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2006/10/09 21:59:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
[2006/10/09 21:57:20 | 000,000,102 | ---- | C] () -- C:\WINDOWS\QBWCD.INI
[2006/10/09 21:57:19 | 000,006,472 | ---- | C] () -- C:\WINDOWS\Icoadb32.dat
[2006/05/15 11:45:30 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\CNMVS5y.DLL
[2006/04/30 17:55:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Seats4cars .com\Application Data\dm.ini
[2006/04/23 20:49:01 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\InstMed.exe
[2006/04/23 20:48:49 | 000,009,255 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/02/15 17:31:11 | 000,139,280 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2005/11/24 13:01:08 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
[2005/11/10 11:36:09 | 000,000,552 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2005/10/09 21:46:20 | 000,000,570 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2005/09/13 11:43:18 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\wibuKJni.dll
[2005/09/13 11:43:17 | 000,057,552 | ---- | C] () -- C:\WINDOWS\System32\WkDos.exe
[2005/09/13 11:40:17 | 000,000,092 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2005/09/01 19:04:25 | 000,000,225 | ---- | C] () -- C:\WINDOWS\DAZZLE.INI
[2005/08/09 23:23:21 | 000,000,078 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2005/06/28 23:32:22 | 000,010,767 | ---- | C] () -- C:\WINDOWS\RS_SQLIF.INI
[2005/06/28 23:32:22 | 000,000,500 | ---- | C] () -- C:\WINDOWS\RPTSMITH.INI
[2005/06/28 23:32:22 | 000,000,390 | ---- | C] () -- C:\WINDOWS\RS_RUN.INI
[2005/06/28 23:32:02 | 000,179,200 | ---- | C] () -- C:\WINDOWS\System32\RSUNINST.DLL
[2005/06/28 23:31:42 | 000,365,568 | ---- | C] () -- C:\WINDOWS\System32\WINCTL32.DLL
[2005/06/28 23:31:40 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\INETWH16.DLL
[2005/06/28 23:31:39 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\OE60as.dll
[2005/06/28 23:31:39 | 000,043,760 | ---- | C] () -- C:\WINDOWS\System32\NWLOCALE.DLL
[2005/06/28 23:31:39 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\IMPLODE.DLL
[2005/06/28 20:15:46 | 000,000,020 | ---- | C] () -- C:\WINDOWS\RaxETPg.dat
[2005/06/28 20:13:41 | 000,000,127 | ---- | C] () -- C:\WINDOWS\Bclwdde.ini
[2005/06/22 20:27:27 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2005/06/22 20:23:58 | 000,071,168 | ---- | C] () -- C:\WINDOWS\System32\PAspi32p2.dll
[2005/06/22 20:23:58 | 000,062,976 | ---- | C] () -- C:\WINDOWS\System32\Muscrl32.dll
[2005/06/22 20:23:58 | 000,058,880 | ---- | C] () -- C:\WINDOWS\System32\Commstr.dll
[2005/06/22 20:23:58 | 000,039,936 | ---- | C] () -- C:\WINDOWS\System32\PAspi32p.dll
[2005/06/22 20:23:58 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\SCMD32p.dll
[2005/06/22 20:23:58 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\Vichw11.sys
[2005/06/22 20:23:58 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Scanner.ini
[2005/06/22 20:22:24 | 000,001,452 | ---- | C] () -- C:\WINDOWS\IF40LE.INI
[2005/06/22 20:22:24 | 000,000,211 | ---- | C] () -- C:\WINDOWS\PEXPLORE.INI
[2005/06/11 16:21:03 | 000,008,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\CDAC15BA.SYS
[2005/06/07 23:47:09 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\Seats4cars .com\Local Settings\Application Data\fusioncache.dat
[2005/03/18 11:24:28 | 000,089,088 | ---- | C] () -- C:\WINDOWS\System32\hpgt33.dll
[2004/12/20 13:46:17 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2004/09/13 15:42:35 | 000,009,934 | ---- | C] () -- C:\WINDOWS\ELAB.INI
[2004/08/21 11:08:53 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/16 18:30:03 | 000,000,095 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2004/08/16 18:30:03 | 000,000,020 | ---- | C] () -- C:\WINDOWS\akebook.ini
[2004/08/16 18:30:03 | 000,000,004 | ---- | C] () -- C:\WINDOWS\a3kebook.ini
[2004/07/09 05:33:05 | 000,000,231 | ---- | C] () -- C:\WINDOWS\Contorno.INI
[2004/06/25 20:51:50 | 000,081,408 | ---- | C] () -- C:\Documents and Settings\Seats4cars .com\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/06/10 19:12:24 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/06/07 04:54:58 | 000,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2004/06/06 10:34:31 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\AegisI5.exe
[2003/11/21 17:49:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/11/20 21:40:32 | 000,000,021 | ---- | C] () -- C:\WINDOWS\CS_SETUP.ini
[2003/11/20 21:34:03 | 000,003,327 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/11/20 21:32:41 | 000,019,607 | ---- | C] () -- C:\WINDOWS\System32\drivers\TOSSMBNT.sys
[2003/11/20 21:23:25 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2003/11/20 21:13:40 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\tcleanup.exe
[2003/11/20 21:12:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2003/11/20 21:06:36 | 000,000,034 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2003/11/20 20:54:31 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2003/11/20 20:54:31 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2003/11/20 20:54:31 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2003/11/20 20:54:31 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2003/11/20 20:53:21 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2003/11/20 20:44:16 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/11/20 20:39:27 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\000StTHK.exe
[2003/11/20 20:28:40 | 000,090,112 | ---- | C] () -- C:\WINDOWS\InstDrvr.exe
[2003/11/20 20:28:40 | 000,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2003/11/20 19:53:50 | 000,000,809 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/11/20 19:50:00 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/11/20 19:49:05 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/11/20 19:43:57 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/11/20 19:42:22 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/11/20 18:12:52 | 000,000,382 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/11/20 18:12:02 | 000,493,256 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/11/20 18:12:02 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003/11/20 18:12:02 | 000,094,054 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/11/20 18:12:02 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003/11/20 18:12:00 | 000,004,598 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003/11/20 18:11:59 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003/11/20 18:11:55 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/11/20 18:11:47 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003/11/20 18:11:47 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003/11/20 18:11:31 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003/11/20 18:11:20 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/11/20 11:38:18 | 000,004,667 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/11/20 11:37:19 | 000,458,008 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/11/20 06:32:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/07 14:56:09 | 000,038,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1998/12/01 10:30:50 | 000,000,481 | ---- | C] () -- C:\WINDOWS\RICTOOLS.INI
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[1996/09/27 08:10:48 | 000,003,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\DLPORTIO.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\ezSP_Px.exe:SummaryInformation
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

#4 carseats

  • Topic Starter

  • Members
  • 24 posts

Posted 20 October 2011 - 05:22 PM

Here are the contents of the Extras.txt file:

OTL Extras logfile created on: 10/20/2011 5:32:46 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Seats4cars .com\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 72.09% Memory free
2.56 Gb Paging File | 2.18 Gb Available in Paging File | 85.18% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 5.11 Gb Free Space | 9.14% Space Free | Partition Type: NTFS
Drive X: | 928.30 Gb Total Space | 864.78 Gb Free Space | 93.16% Space Free | Partition Type: NTFS

Computer Name: TOUAREG | User Name: Seats4cars .com | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = comfile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found
.hta [@ = htafile] -- Reg Error: Key error. File not found
.html [@ = htmlfile] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- Reg Error: Key error. File not found
.vbs [@ = VBSFile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"427:TCP" = 427:TCP:LocalSubNet:Enabled:SLP_Port(427)_TCP
"427:UDP" = 427:UDP:LocalSubNet:Enabled:SLP_Port(427)_UDP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1700:TCP" = 1700:TCP:*:Enabled:MioNet Remote Drive Access
"1641:TCP" = 1641:TCP:*:Enabled:MioNet Remote Drive Verification
"1647:TCP" = 1647:TCP:*:Enabled:MioNet Storage Device Configuration
"5432:UDP" = 5432:UDP:*:Enabled:MioNet Storage Device Discovery
"427:TCP" = 427:TCP:LocalSubNet:Enabled:SLP_Port(427)_TCP
"427:UDP" = 427:UDP:LocalSubNet:Enabled:SLP_Port(427)_UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\HP\digital imaging\{F27CFD16-939A-4232-98CD-180898D14713}\setup\hpznui01.exe" = C:\Program Files\HP\digital imaging\{F27CFD16-939A-4232-98CD-180898D14713}\setup\hpznui01.exe:*:Enabled:hpznui01.exe -- (Hewlett-Packard)
"C:\Program Files\HP\digital imaging\bin\hposid01.exe" = C:\Program Files\HP\digital imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\digital imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\digital imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\digital imaging\bin\hpoews01.exe" = C:\Program Files\HP\digital imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\digital imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\digital imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard Company)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Toshiba\ConfigFree\CFSServW.exe" = C:\Program Files\Toshiba\ConfigFree\CFSServW.exe:*:Enabled:ConfigFree™ Search for Wireless Devices Version 4.00 -- (TOSHIBA)
"C:\TOSHIBA\Ivp\NetInt\netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)
"C:\Pvsw\Bin\W3dbsmgr.exe" = C:\Pvsw\Bin\W3dbsmgr.exe:*:Enabled:Database Service Manager -- ()
"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\Program Files\TightVNC\vncviewer.exe" = C:\Program Files\TightVNC\vncviewer.exe:*:Enabled:vncviewer
"C:\Program Files\TightVNC\WinVNC.exe" = C:\Program Files\TightVNC\WinVNC.exe:*:Enabled:TightVNC Win32 Server
"C:\Program Files\GCall\GCall.exe" = C:\Program Files\GCall\GCall.exe:*:Enabled:GMI GCall -- (GMI s.r.l.)
"C:\Program Files\BitPim\bitpim.exe" = C:\Program Files\BitPim\bitpim.exe:*:Enabled:View and manipulate data on many CDMA phones from LG, Samsung, Sanyo and other manufacturers. This includes the PhoneBook, Calendar, WallPapers, RingTones (functionality varies by phone) and the Filesystem for most Qualcomm CDMA chipset based phones. -- (http://www.bitpim.org)
"C:\Program Files\Common Files\Network Associates\On Demand Scanner\Scan32\scan32.exe" = C:\Program Files\Common Files\Network Associates\On Demand Scanner\Scan32\scan32.exe:*:Enabled:VirusScan
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"D:\WD Discovery Software\WD Discovery.exe" = D:\WD Discovery Software\WD Discovery.exe:*:Enabled:WD Discovery Application
"C:\Program Files\Western Digital\WD Discovery Software\WD Discovery.exe" = C:\Program Files\Western Digital\WD Discovery Software\WD Discovery.exe:*:Enabled:WD Discovery Application -- ()
"C:\Program Files\HP\digital imaging\{F27CFD16-939A-4232-98CD-180898D14713}\setup\hpznui01.exe" = C:\Program Files\HP\digital imaging\{F27CFD16-939A-4232-98CD-180898D14713}\setup\hpznui01.exe:*:Enabled:hpznui01.exe -- (Hewlett-Packard)
"C:\Program Files\HP\digital imaging\bin\hposid01.exe" = C:\Program Files\HP\digital imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\digital imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\digital imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- ()
"C:\Program Files\HP\digital imaging\bin\hpoews01.exe" = C:\Program Files\HP\digital imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\digital imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\digital imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard Company)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00060000-0000-1004-8002-0000C06B5161}" = WIBU-KEY Setup (WIBU-KEY Remove)
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{0CC48DEB-10E2-4FF8-8A99-26FBFAED86E0}" = GoldMine 6.7
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series" = Canon iP1800 series
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160" = Canon MP160
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 29
"{28379381-B56A-43e1-B505-3098D82B1C30}" = 4500G510gm_Software_Min
"{29ED20C9-5E15-4969-9279-25BF3727A3DA}" = iTunes
"{2A8F9255-F4AB-4a37-8F39-7C6E15B5158B}" = 4500G510nz_web
"{2CC5FCAE-51BA-4926-8C2B-4F07E54F6EA3}" = ScanSnap
"{2E25B61B-26C0-4A87-86A7-CC93AA53AD41}" = Stilista 2000
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3470FBE6-B743-420F-B5CE-0D27FA749C16}" = Touch and Launch
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3A4D5E2D-988D-4ee9-8E7F-3AC200A2B8F5}" = 4500G510nz_Software_Min
"{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}" = TOSHIBA Console
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}" = Unload
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{457791C5-D702-4143-A7B2-2744BE9573F2}" = HP Software Update
"{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}" = TOSHIBA SD Memory Card Format
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{55E63724-2BFE-49BC-B03E-9BE0F62E18C2}" = ScanSnap Organizer
"{5624C000-B109-11D4-9DB4-00E0290FCAC5}" = VPN Client
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{595D0DE8-C38A-4432-B851-47DECC1A99BD}" = HP Unload DLL Patch
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5C8AE145-C9F7-4883-9750-7ECD2B41CCCA}" = Linksys VPN Client
"{5E453519-60F6-4A4D-A0BF-16663F9B3536}" = Safari
"{619B8475-0F48-41B7-A370-5147F7092989}" = Virtual Earth 3D (Beta)
"{6904DB70-1DC1-4435-9E42-F5E512892E2D}" = eFax Messenger Plus 3.2
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{73006B34-9743-4A39-AC37-38EDFCEB6DCE}" = Adobe Product/Adobe Studio Update 10/2001
"{75247E38-5C9B-45D6-ADF8-E11CB56B4990}" = Network
"{76E46F23-8DFB-4993-895E-80D95FEE6E86}" = Atheros Client Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{791CAF6C-90A3-11D4-8306-00D0B72E1DB9}" = Sentinel System Driver 5.41.0 (32-bit)
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7D1DCBBA-F6F5-42B4-B90B-F04ACE4DFD6C}" = MSN Search Toolbar
"{8013D985-A73A-4199-A898-6D567ACC10CC}" = ImageMerger
"{843BD817-4551-451C-AB7A-EF113BF9C036}" = 4500_G510nz_Help_Web
"{85F2A164-13FE-11D6-9E4A-0050FC010BF8}" = Embroidery Lab
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}" = URGE
"{8DCD0779-8811-4060-9227-871E2FD48E45}" = CardMinder V4.1
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}" = MobileMe Control Panel
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009
"{9A2F0810-369F-4E86-9072-973FBE1679C5}" = QuickBooks
"{9AC200C3-A4C8-401C-A5A8-202BE888B165}" = TOSHIBA Fax Extension
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Alps Pointing-device Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A00B9A50-3090-4CFF-9CDA-82DA0BEDAA21}" = Apple Mobile Device Support
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A962C8E1-4F0B-4BA9-806E-B8D9A3B31F82}" = SurfHere by Toshiba
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BA561482-C49D-4687-A61C-96236C1688F0}" = ArcSoft Software Suite
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{BE0D4271-69C9-4f28-AD9B-BB33D126A30E}" = 4500G510gm
"{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}" = TrayApp
"{BF45F502-D3F2-4E7C-91D8-9AA5A8141D08}" = Labtec WebCam Software
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" = VIPRE Antivirus
"{C5CE907D-ECA6-43AF-95CC-CBC951F04D67}" = AddressGrabber Business
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D4F2AFD3-0167-4464-B92F-78AB6DA8A0AA}" = CardMinder
"{D52ECEBC-9B20-41A5-81C4-A62DE2367419}" = Adobe Creative Suite
"{DBCDB997-EEEB-4BE9-BAFF-26B4094DBDE6}" = ScanSnap Manager
"{DDC146FA-73E0-4FA1-A353-841EA14BF600}" = Drag'n Drop CD+DVD
"{E4EE897E-B059-4084-B76D-37895B0F79F3}" = VIPRE Antivirus
"{E5083D57-D93F-404C-A91F-1C50D67C2BEB}" = HP Officejet 4500 G510g-m
"{E58F3B88-3B3E-4F85-9323-04789D979C15}" = ScanSnap Organizer
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{EDF1085A-73FF-4B3B-8726-2A403D400E48}" = DesignPro 5.0 Media Edition
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F096F251-B053-4F6C-A531-41764A252009}" = GoldMine PLUS for Microsoft® Office®
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F27CFD16-939A-4232-98CD-180898D14713}" = HP Officejet 4500 G510n-z
"{F2D2B58B-B2FD-46D1-8319-DCE564079934}" = Microsoft .NET Framework 1.1 Italian Language Pack
"{F69B66A8-61C9-424C-AFA1-7EC6093AC5AD}" = TOSHIBA Software Upgrades
"{F6C405D2-C50D-4D10-B89E-73A233A14D74}" = Toshiba Registration
"{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.1
"{FB400000-0002-0000-0000-074957833700}" = ABBYY FineReader for ScanSnap ™ 4.1
"6D07236E1D2F8479C88537ED0B7EB5D15ABBF7D5" = Windows Driver Package - Ross-Tech USB Driver Package (11/16/2007 6.0.2.0)
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"B406677FA530D213D0B10B080DCD1080AE866D39" = Windows Driver Package - Ross-Tech USB Driver Package (05/21/2009 2.04.18)
"B4DFFB06B716298277125094C48185BFE8B5A7E1" = Windows Driver Package - Ross-Tech USB Driver Package (06/16/2010 2.06.02)
"CANONBJ_Deinstall_CNMCP5y.DLL" = Canon PIXMA iP1500
"Creative VF0070" = Creative WebCam Notebook Ultra Driver (1.00.05.0127)
"Creative WebCam Center" = Creative WebCam Center
"Creative WebCam Notebook Ultra User's Guide English" = Creative WebCam Notebook Ultra User's Guide (English)
"CyberView 16-32 P Multi-Language Edition" = CyberView 16-32 P Multi-Language Edition
"DAZzle" = DAZzle
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab Decrypter_is1" = DVDFab Decrypter 3.0.5.0
"FrostWire" = FrostWire 4.21.3
"FTDICOMM" = FTDI USB Serial Converter Drivers
"HP Photo & Imaging" = HP Image Zone 4.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"if40leUninstall" = Presto! ImageFolio LE
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"InstallShield_{C5CE907D-ECA6-43AF-95CC-CBC951F04D67}" = AddressGrabber Business
"InstallShield_{EDF1085A-73FF-4B3B-8726-2A403D400E48}" = DesignPro 5.0 Media Edition
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Maximizer6.0" = Maximizer 6.0
"MDI (Microsoft Office Document Image) Viewer_is1" = MDI viewer 0.1
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Notebook_Maximizer" = Notebook Maximizer
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"Power Saver" = TOSHIBA Power Saver
"PROSet" = Intel® PRO Network Adapters and Drivers
"QcDrv" = Labtec® Camera Driver
"QuickPayroll" = QuickPayroll
"RealPlayer 6.0" = RealPlayer
"Registry Mechanic_is1" = Registry Mechanic 6.0
"RipIt4Me" = RipIt4Me
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TDspBtn" = TOSHIBA Display Devices Change Utility
"TFNF5" = TOSHIBA Hotkey Utility for Display Devices
"TOSHIBA Access" = TOSHIBA Access
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Toshiba Tbiosdrv Driver" = Toshiba Tbiosdrv Driver
"TOSHIBA Utilities" = TOSHIBA Utilities
"TouchED" = TOSHIBA TouchPad On/Off Utility V2.05.00
"VCDS Release 10.6" = VCDS Release 10.6.5
"VCDS Release 805" = VCDS Release 805.4
"VCDS Release 908" = VCDS Release 908.2
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"FileZilla Client" = FileZilla Client 3.0.11.1
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/14/2011 7:53:35 PM | Computer Name = TOUAREG | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": DBConnPool::HandleConnectionError
errorCode:-6069, dbCode:-103 from file:'.\.\src\ConnPool.cpp' at line 1003 from
function:'DBMgr::DBConnPool::ini

Error - 10/14/2011 7:53:55 PM | Computer Name = TOUAREG | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": InitSystem
OpenDBSession[4] failed. Error code code 0, msg Succeed

Error - 10/14/2011 7:54:41 PM | Computer Name = TOUAREG | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": Connection
Error:Invalid user ID or passwo

Error - 10/14/2011 7:54:41 PM | Computer Name = TOUAREG | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": Connection
String:CON=QBConnectionPool-Probe-QB_data_engine_19; ;DBF=C:\Documents and Settings\All
Users\Documents\Intuit\QuickBooks\Company Files\Advantedge Tek.QBW;ENG=QB_data_engine_19;DBN=c5e1e8b95bae4f7c8719d90b7f3a0d

Error - 10/14/2011 7:54:41 PM | Computer Name = TOUAREG | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": DBConnPool::HandleConnectionError
errorCode:-6069, dbCode:-103 from file:'.\.\src\ConnPool.cpp' at line 1003 from
function:'DBMgr::DBConnPool::ini

Error - 10/14/2011 8:12:57 PM | Computer Name = TOUAREG | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks Pro 2009": An attempt
to LogOff without a logo

Error - 10/17/2011 10:28:54 AM | Computer Name = TOUAREG | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/19/2011 12:48:41 PM | Computer Name = TOUAREG | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/19/2011 12:50:19 PM | Computer Name = TOUAREG | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/19/2011 1:01:10 PM | Computer Name = TOUAREG | Source = Microsoft Office 11 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Office Outlook.

[ System Events ]
Error - 10/19/2011 9:04:16 PM | Computer Name = TOUAREG | Source = Service Control Manager | ID = 7000
Description = The BEATUSB.sys Eratech USB driver service failed to start due to
the following error: %%2

Error - 10/19/2011 9:04:16 PM | Computer Name = TOUAREG | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 10/19/2011 9:25:23 PM | Computer Name = TOUAREG | Source = Service Control Manager | ID = 7000
Description = The BEATUSB.sys Eratech USB driver service failed to start due to
the following error: %%2

Error - 10/19/2011 9:25:23 PM | Computer Name = TOUAREG | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2

Error - 10/19/2011 9:30:29 PM | Computer Name = TOUAREG | Source = PSched | ID = 14103
Description = QoS [Adapter {F9B3ED4A-D5E7-441C-A4CD-24EC56BD32D6}]: The netcard driver
failed the query for OID_GEN_LINK_SPEED.

Error - 10/19/2011 11:02:29 PM | Computer Name = TOUAREG | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 10/20/2011 12:47:58 AM | Computer Name = TOUAREG | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 10/20/2011 2:44:34 AM | Computer Name = TOUAREG | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 10/20/2011 10:52:27 AM | Computer Name = TOUAREG | Source = Service Control Manager | ID = 7000
Description = The BEATUSB.sys Eratech USB driver service failed to start due to
the following error: %%2

Error - 10/20/2011 10:52:27 AM | Computer Name = TOUAREG | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error: %%2


< End of report >

#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:14 PM

Posted 21 October 2011 - 04:27 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click Yes - you may need to allow access through your firewall.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

#6 carseats

carseats
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:14 AM

Posted 21 October 2011 - 10:33 PM

Here are the contents of the aswMBR.txt file:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-21 22:44:01
-----------------------------
22:44:01.328 OS Version: Windows 5.1.2600 Service Pack 3
22:44:01.328 Number of processors: 1 586 0x209
22:44:01.328 ComputerName: TOUAREG UserName:
22:44:02.015 Initialize success
22:49:11.796 AVAST engine defs: 11102101
22:49:41.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:49:41.984 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD4A Size: 57231MB BusType: 3
22:49:44.015 Disk 0 MBR read successfully
22:49:44.015 Disk 0 MBR scan
22:49:44.046 Disk 0 MBR:Alureon-I [Rtk]
22:49:44.062 Disk 0 TDL4@MBR code has been found
22:49:44.062 Disk 0 MBR hidden
22:49:44.062 Disk 0 MBR [TDL4] **ROOTKIT**
22:49:44.062 Disk 0 trace - called modules:
22:49:44.062 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a7a9ed1]<<
22:49:44.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a78cab8]
22:49:44.078 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a7a18b8]
22:49:44.078 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a78ad98]
22:49:44.578 \Driver\atapi[0x8a7b7840] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a7a9ed1
22:49:45.000 AVAST engine scan C:\WINDOWS
22:50:23.156 AVAST engine scan C:\WINDOWS\system32
22:53:15.515 AVAST engine scan C:\WINDOWS\system32\drivers
22:53:37.203 AVAST engine scan C:\Documents and Settings\Seats4cars .com
23:22:23.953 AVAST engine scan C:\Documents and Settings\All Users
23:29:39.625 Scan finished successfully
23:30:30.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\MBR.dat"
23:30:30.796 The log file has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\aswMBR.txt"

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:14 PM

Posted 22 October 2011 - 03:12 PM

Good evening. :)

Run aswMBR.exe again.

  • Click the Scan button as before.
  • Once the scan has completed, and let it complete first, either the Fix button or the FixMBR button should be active - click the one that isn't greyed out.
  • Once complete, click Save log as before, save it to your desktop and post in your next reply.

So long, and thanks for all the fish.

#8 carseats

carseats
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:14 AM

Posted 23 October 2011 - 01:30 PM

Looks like it fixed something.

Here is the aswMBR.txt log file:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-21 22:44:01
-----------------------------
22:44:01.328 OS Version: Windows 5.1.2600 Service Pack 3
22:44:01.328 Number of processors: 1 586 0x209
22:44:01.328 ComputerName: TOUAREG UserName:
22:44:02.015 Initialize success
22:49:11.796 AVAST engine defs: 11102101
22:49:41.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:49:41.984 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD4A Size: 57231MB BusType: 3
22:49:44.015 Disk 0 MBR read successfully
22:49:44.015 Disk 0 MBR scan
22:49:44.046 Disk 0 MBR:Alureon-I [Rtk]
22:49:44.062 Disk 0 TDL4@MBR code has been found
22:49:44.062 Disk 0 MBR hidden
22:49:44.062 Disk 0 MBR [TDL4] **ROOTKIT**
22:49:44.062 Disk 0 trace - called modules:
22:49:44.062 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a7a9ed1]<<
22:49:44.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a78cab8]
22:49:44.078 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a7a18b8]
22:49:44.078 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a78ad98]
22:49:44.578 \Driver\atapi[0x8a7b7840] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a7a9ed1
22:49:45.000 AVAST engine scan C:\WINDOWS
22:50:23.156 AVAST engine scan C:\WINDOWS\system32
22:53:15.515 AVAST engine scan C:\WINDOWS\system32\drivers
22:53:37.203 AVAST engine scan C:\Documents and Settings\Seats4cars .com
23:22:23.953 AVAST engine scan C:\Documents and Settings\All Users
23:29:39.625 Scan finished successfully
23:30:30.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\MBR.dat"
23:30:30.796 The log file has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-23 13:24:16
-----------------------------
13:24:16.859 OS Version: Windows 5.1.2600 Service Pack 3
13:24:16.859 Number of processors: 1 586 0x209
13:24:16.859 ComputerName: TOUAREG UserName:
13:24:17.671 Initialize success
13:25:55.375 AVAST engine defs: 11102301
13:27:32.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:27:32.000 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD4A Size: 57231MB BusType: 3
13:27:34.046 Disk 0 MBR read successfully
13:27:34.046 Disk 0 MBR scan
13:27:34.125 Disk 0 MBR:Alureon-I [Rtk]
13:27:34.125 Disk 0 TDL4@MBR code has been found
13:27:34.125 Disk 0 MBR hidden
13:27:34.125 Disk 0 MBR [TDL4] **ROOTKIT**
13:27:34.125 Disk 0 trace - called modules:
13:27:34.140 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a7a9ed1]<<
13:27:34.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a78cab8]
13:27:34.140 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a7a18b8]
13:27:34.140 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a78ad98]
13:27:34.656 \Driver\atapi[0x8a7b7840] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a7a9ed1
13:27:35.390 AVAST engine scan C:\WINDOWS
13:28:12.890 AVAST engine scan C:\WINDOWS\system32
13:31:04.218 AVAST engine scan C:\WINDOWS\system32\drivers
13:31:24.687 AVAST engine scan C:\Documents and Settings\Seats4cars .com
13:58:43.562 AVAST engine scan C:\Documents and Settings\All Users
14:05:52.812 Scan finished successfully
14:06:19.265 Disk 0 MBR read successfully
14:06:19.281 Disk 0 MBR:Alureon-I [Rtk]
14:06:19.281 Disk 0 TDL4@MBR code has been found
14:06:19.281 Disk 0 fixing MBR ...
14:06:29.328 Disk 0 MBR restored successfully
14:06:29.343 Verifying disinfection
14:06:41.796 Infection fixed successfully - please reboot ASAP
14:06:57.859 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\MBR.dat"
14:06:57.859 The log file has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\aswMBR.txt"
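
The two runs above show what a responder looks for in an aswMBR log: the MBR verdict line, the "MBR hidden" flag, an unresolved (>>UNKNOWN<<) module in the disk stack trace, the atapi dispatch routine that has been redirected to that same address, and finally the "Infection fixed successfully" line. As an added example (not part of this thread and not code from aswMBR or AVAST), the Python helper below splits an appended aswMBR.txt into its individual runs, extracts those indicators and gives each run a simple triage verdict; the sample log is a constructed, shortened excerpt modelled on the runs above, with a third clean run invented to show the "clean" path.

```python
"""Triage helper for aswMBR logs (added example, not part of aswMBR or the thread).

aswMBR appends every run to the same aswMBR.txt, so one file usually holds
several runs. Each run is split out, the rootkit indicators are extracted and
a verdict of "clean", "infected" or "fixed" is returned for the run.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every log line after the header starts with HH:MM:SS.mmm; strip it first.
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")
RUN_DATE = re.compile(r"^Run date: (.+)$")
VERDICT = re.compile(r"^Disk \d+ MBR:(.+)$")                # "Disk 0 MBR:Alureon-I [Rtk]"
ROOTKIT = re.compile(r"^Disk \d+ MBR \[(\w+)\] \*\*ROOTKIT\*\*")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")      # unresolved module in the stack trace
DISPATCH = re.compile(r"^(\\Driver\\\w+)\[0x[0-9a-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-f]+)")


@dataclass
class AswMbrRun:
    run_date: str
    mbr_verdict: Optional[str] = None
    mbr_hidden: bool = False
    rootkit_tag: Optional[str] = None                      # e.g. "TDL4"
    unknown_module: Optional[str] = None                   # address of the unresolved module
    hooked_dispatch: Optional[Tuple[str, str, str]] = None  # (driver, IRP major, target address)
    fixed: bool = False

    @property
    def infected(self) -> bool:
        return self.rootkit_tag is not None or self.mbr_hidden or self.unknown_module is not None

    @property
    def dispatch_points_to_unknown(self) -> bool:
        """True when the driver's dispatch routine was redirected into the unresolved module."""
        return self.hooked_dispatch is not None and self.hooked_dispatch[2] == self.unknown_module


def parse_log(text: str) -> List[AswMbrRun]:
    runs: List[AswMbrRun] = []
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if (m := RUN_DATE.match(line)):
            runs.append(AswMbrRun(run_date=m.group(1)))   # a new run starts at each "Run date:"
            continue
        if not runs:
            continue                                       # banner lines before the first run
        run = runs[-1]
        if (m := VERDICT.match(line)):
            run.mbr_verdict = m.group(1).strip()
        elif "MBR hidden" in line:
            run.mbr_hidden = True
        elif (m := ROOTKIT.match(line)):
            run.rootkit_tag = m.group(1)
        elif (m := UNKNOWN.search(line)):
            run.unknown_module = m.group(1)
        elif (m := DISPATCH.match(line)):
            run.hooked_dispatch = (m.group(1), m.group(2), m.group(3))
        elif "Infection fixed successfully" in line:
            run.fixed = True
    return runs


def triage(run: AswMbrRun) -> str:
    """A run that detected and then repaired the MBR is 'fixed': rescan after reboot."""
    if run.fixed:
        return "fixed"
    return "infected" if run.infected else "clean"


# Constructed sample: two runs shortened from the thread's log, plus an invented clean run.
SAMPLE_LOG = r"""aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-21 22:44:01
-----------------------------
22:44:01.328 OS Version: Windows 5.1.2600 Service Pack 3
22:49:41.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:49:44.015 Disk 0 MBR read successfully
22:49:44.015 Disk 0 MBR scan
22:49:44.046 Disk 0 MBR:Alureon-I [Rtk]
22:49:44.062 Disk 0 TDL4@MBR code has been found
22:49:44.062 Disk 0 MBR hidden
22:49:44.062 Disk 0 MBR [TDL4] **ROOTKIT**
22:49:44.062 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a7a9ed1]<<
22:49:44.578 \Driver\atapi[0x8a7b7840] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a7a9ed1
23:29:39.625 Scan finished successfully

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-23 13:24:16
-----------------------------
13:27:34.125 Disk 0 MBR:Alureon-I [Rtk]
13:27:34.125 Disk 0 MBR hidden
13:27:34.125 Disk 0 MBR [TDL4] **ROOTKIT**
13:27:34.140 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a7a9ed1]<<
13:27:34.656 \Driver\atapi[0x8a7b7840] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a7a9ed1
14:05:52.812 Scan finished successfully
14:06:19.281 Disk 0 fixing MBR ...
14:06:29.328 Disk 0 MBR restored successfully
14:06:41.796 Infection fixed successfully - please reboot ASAP

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-24 09:00:00
-----------------------------
09:00:05.000 Disk 0 MBR read successfully
09:00:05.000 Disk 0 MBR scan
09:20:00.000 Scan finished successfully
"""

if __name__ == "__main__":
    for run in parse_log(SAMPLE_LOG):
        print(run.run_date, triage(run), run.rootkit_tag, run.hooked_dispatch)
```

The verdict is deliberately conservative: a run is only "clean" when none of the indicators appear, and a run that both found and repaired the MBR is reported as "fixed" rather than clean, because the proof of a successful repair is the next scan after the reboot, exactly as the thread goes on to do.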

#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:14 PM

Posted 23 October 2011 - 02:45 PM

Good evening. :)

Reboot the PC, if you haven't already and then pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you let me know how the PC is behaving.

So long, and thanks for all the fish.

#10 carseats

carseats
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:14 AM

Posted 23 October 2011 - 07:59 PM

It found a threat. Here is the log file I saved from the ESET scan:

C:\Documents and Settings\Seats4cars .com\Application Data\FrostWire\.AppSpecialShare\frostwire-5.1.4.windows.exe Win32/OpenCandy application

PC seems to be running fine but I'm really not doing very much with it until I have it clean.

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:14 PM

Posted 24 October 2011 - 02:21 PM

Good evening. :)

The detection is one associated with the installation file of your Bit Torrent program. Such detections are not unknown: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Adware%3AWin32%2FOpenCandy

I'll leave you to decide if you still wish to keep the program - if not, you can uninstall it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If your anti-virus program is no longer reporting any issues, I'd say you were probably done. I'd like you to run the PC normally for a day or two and then run DDS and see if you can post the two logs that it produces.
Assuming all is well, there may be a few loose ends to tidy up, nothing more than good housekeeping, and that should be that.

So long, and thanks for all the fish.

#12 carseats

carseats
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:14 AM

Posted 24 October 2011 - 03:20 PM

Thank you for your help.

I read the information from the link you provided and it seems harmless. I will leave it for now.

I have been using the PC heavily today and it seems to be running fine. I will run the DDS tonight and post the results after.

Thanks again!

#13 carseats

carseats
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:14 AM

Posted 24 October 2011 - 07:03 PM

Tried to run the DDS program again (twice) and both times it starts to run, then after 3-4 minutes it freezes and I have to do a hard boot on the PC to restart.

No logs to post, sorry.

?

#14 carseats

carseats
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:08:14 AM

Posted 24 October 2011 - 08:16 PM

Just for fun, I ran your aswMBR.exe program again and it found something else.

I am posting the contents of the log file below for your review.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-21 22:44:01
-----------------------------
22:44:01.328 OS Version: Windows 5.1.2600 Service Pack 3
22:44:01.328 Number of processors: 1 586 0x209
22:44:01.328 ComputerName: TOUAREG UserName:
22:44:02.015 Initialize success
22:49:11.796 AVAST engine defs: 11102101
22:49:41.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:49:41.984 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD4A Size: 57231MB BusType: 3
22:49:44.015 Disk 0 MBR read successfully
22:49:44.015 Disk 0 MBR scan
22:49:44.046 Disk 0 MBR:Alureon-I [Rtk]
22:49:44.062 Disk 0 TDL4@MBR code has been found
22:49:44.062 Disk 0 MBR hidden
22:49:44.062 Disk 0 MBR [TDL4] **ROOTKIT**
22:49:44.062 Disk 0 trace - called modules:
22:49:44.062 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a7a9ed1]<<
22:49:44.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a78cab8]
22:49:44.078 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a7a18b8]
22:49:44.078 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a78ad98]
22:49:44.578 \Driver\atapi[0x8a7b7840] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a7a9ed1
22:49:45.000 AVAST engine scan C:\WINDOWS
22:50:23.156 AVAST engine scan C:\WINDOWS\system32
22:53:15.515 AVAST engine scan C:\WINDOWS\system32\drivers
22:53:37.203 AVAST engine scan C:\Documents and Settings\Seats4cars .com
23:22:23.953 AVAST engine scan C:\Documents and Settings\All Users
23:29:39.625 Scan finished successfully
23:30:30.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\MBR.dat"
23:30:30.796 The log file has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-23 13:24:16
-----------------------------
13:24:16.859 OS Version: Windows 5.1.2600 Service Pack 3
13:24:16.859 Number of processors: 1 586 0x209
13:24:16.859 ComputerName: TOUAREG UserName:
13:24:17.671 Initialize success
13:25:55.375 AVAST engine defs: 11102301
13:27:32.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:27:32.000 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD4A Size: 57231MB BusType: 3
13:27:34.046 Disk 0 MBR read successfully
13:27:34.046 Disk 0 MBR scan
13:27:34.125 Disk 0 MBR:Alureon-I [Rtk]
13:27:34.125 Disk 0 TDL4@MBR code has been found
13:27:34.125 Disk 0 MBR hidden
13:27:34.125 Disk 0 MBR [TDL4] **ROOTKIT**
13:27:34.125 Disk 0 trace - called modules:
13:27:34.140 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a7a9ed1]<<
13:27:34.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a78cab8]
13:27:34.140 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a7a18b8]
13:27:34.140 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a78ad98]
13:27:34.656 \Driver\atapi[0x8a7b7840] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a7a9ed1
13:27:35.390 AVAST engine scan C:\WINDOWS
13:28:12.890 AVAST engine scan C:\WINDOWS\system32
13:31:04.218 AVAST engine scan C:\WINDOWS\system32\drivers
13:31:24.687 AVAST engine scan C:\Documents and Settings\Seats4cars .com
13:58:43.562 AVAST engine scan C:\Documents and Settings\All Users
14:05:52.812 Scan finished successfully
14:06:19.265 Disk 0 MBR read successfully
14:06:19.281 Disk 0 MBR:Alureon-I [Rtk]
14:06:19.281 Disk 0 TDL4@MBR code has been found
14:06:19.281 Disk 0 fixing MBR ...
14:06:29.328 Disk 0 MBR restored successfully
14:06:29.343 Verifying disinfection
14:06:41.796 Infection fixed successfully - please reboot ASAP
14:06:57.859 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\MBR.dat"
14:06:57.859 The log file has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-24 20:05:07
-----------------------------
20:05:07.515 OS Version: Windows 5.1.2600 Service Pack 3
20:05:07.515 Number of processors: 1 586 0x209
20:05:07.515 ComputerName: TOUAREG UserName:
20:05:08.187 Initialize success
20:05:16.828 AVAST engine defs: 11102301
20:05:25.390 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:05:25.390 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD4A Size: 57231MB BusType: 3
20:05:27.421 Disk 0 MBR read successfully
20:05:27.421 Disk 0 MBR scan
20:05:27.484 Disk 0 unknown MBR code
20:05:27.500 Disk 0 scanning sectors +117210240
20:05:27.765 Disk 0 scanning C:\WINDOWS\system32\drivers
20:05:45.359 Service scanning
20:05:46.906 Modules scanning
20:05:51.906 Disk 0 trace - called modules:
20:05:51.921 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:05:51.921 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a770ab8]
20:05:51.937 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a79ff18]
20:05:52.437 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a7ead98]
20:05:53.015 AVAST engine scan C:\WINDOWS
20:06:30.750 AVAST engine scan C:\WINDOWS\system32
20:09:11.359 File: C:\WINDOWS\system32\winsrv.dll **INFECTED** Win32:Malware-gen
20:09:27.718 AVAST engine scan C:\WINDOWS\system32\drivers
20:09:49.937 AVAST engine scan C:\Documents and Settings\Seats4cars .com
20:41:34.562 AVAST engine scan C:\Documents and Settings\All Users
20:48:51.406 Scan finished successfully
21:10:40.515 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\MBR.dat"
21:10:40.515 The log file has been saved successfully to "C:\Documents and Settings\Seats4cars .com\Desktop\aswMBR.txt"

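The three aswMBR runs above carry the whole story of a TDL4/Alureon-style MBR rootkit in their log lines: the MBR is recognised as "Alureon-I", it is reported as "hidden", and the disk call trace ends in an `>>UNKNOWN [address]<<` module whose address matches the target that `\Driver\atapi` has been redirected to for `IRP_MJ_INTERNAL_DEVICE_CONTROL`; after the fix the trace shows only legitimate drivers (`atapi.sys pciide.sys PCIIDEX.SYS`) and the remaining hit is a single infected file. As an added example, not aswMBR's code or anything posted in this thread, the following Python parser reads aswMBR output and classifies each run from those indicators. The sample log embedded in it is a constructed, shortened excerpt of the lines quoted above; the verdict labels and the corroboration rule (UNKNOWN trace address equals the hook target) are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: abbreviated excerpts of the three aswMBR runs quoted in this post.
SAMPLE_LOG = r"""
aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-21 22:44:01
-----------------------------
22:49:44.015 Disk 0 MBR read successfully
22:49:44.046 Disk 0 MBR:Alureon-I [Rtk]
22:49:44.062 Disk 0 MBR hidden
22:49:44.062 Disk 0 MBR [TDL4] **ROOTKIT**
22:49:44.062 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a7a9ed1]<<
22:49:44.578 \Driver\atapi[0x8a7b7840] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a7a9ed1
23:29:39.625 Scan finished successfully

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-23 13:24:16
-----------------------------
13:27:34.125 Disk 0 MBR [TDL4] **ROOTKIT**
13:27:34.140 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a7a9ed1]<<
14:05:52.812 Scan finished successfully
14:06:19.281 Disk 0 MBR:Alureon-I [Rtk]
14:06:29.328 Disk 0 MBR restored successfully
14:06:41.796 Infection fixed successfully - please reboot ASAP

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-24 20:05:07
-----------------------------
20:05:27.484 Disk 0 unknown MBR code
20:05:51.921 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:09:11.359 File: C:\WINDOWS\system32\winsrv.dll **INFECTED** Win32:Malware-gen
20:48:51.406 Scan finished successfully
"""

RUN_HEADER = re.compile(r"^aswMBR version (\S+)")
RUN_DATE = re.compile(r"^Run date: (.+)$")
ENTRY = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")          # "HH:MM:SS.mmm message"
MBR_DETECTION = re.compile(r"^Disk (\d+) MBR:(\S+) \[(\w+)\]$")  # signature name for the MBR
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")  # code outside any known module
HOOK = re.compile(r"^(\\Driver\\[^\[\s]+)\[0x[0-9a-fA-F]+\] -> (\S+) -> (0x[0-9a-fA-F]+)$")
INFECTED_FILE = re.compile(r"^File: (.+?) \*\*INFECTED\*\* (\S+)$")


@dataclass
class RunReport:
    run_date: str
    mbr_detections: List[str] = field(default_factory=list)
    rootkit_flagged: bool = False      # "**ROOTKIT**" verdict line
    mbr_hidden: bool = False           # on-disk MBR concealed from normal reads
    mbr_unknown_code: bool = False     # MBR code not recognised (seen here after the restore)
    unknown_trace_addresses: List[str] = field(default_factory=list)
    hooked_dispatch: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, IRP, target)
    infected_files: List[Tuple[str, str]] = field(default_factory=list)        # (path, detection)
    mbr_restored: bool = False
    fix_verified: bool = False
    scan_finished: bool = False

    @property
    def hook_corroborated(self) -> bool:
        """True when a driver dispatch hook points at the unknown code the trace ended in."""
        return any(t in self.unknown_trace_addresses for _, _, t in self.hooked_dispatch)

    @property
    def verdict(self) -> str:
        evidence = self.rootkit_flagged or self.mbr_hidden or bool(self.unknown_trace_addresses)
        if evidence and self.mbr_restored and self.fix_verified:
            return "ROOTKIT_REPAIRED"
        if evidence:
            return "ROOTKIT_ACTIVE"
        if self.infected_files:
            return "FILE_INFECTION"
        return "CLEAN" if self.scan_finished else "INCOMPLETE"


def parse_aswmbr_log(text: str) -> List[RunReport]:
    """Split a (possibly concatenated) aswMBR log into one RunReport per run."""
    reports: List[RunReport] = []
    current: Optional[RunReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RUN_HEADER.match(line):
            current = None                      # a new run starts; its date line follows
            continue
        m = RUN_DATE.match(line)
        if m:
            current = RunReport(run_date=m.group(1))
            reports.append(current)
            continue
        e = ENTRY.match(line)
        if current is None or not e:
            continue                            # separator lines and anything before a run header
        msg = e.group(2)
        m = MBR_DETECTION.match(msg)
        if m:
            current.mbr_detections.append(m.group(2))
        elif msg.endswith("**ROOTKIT**"):
            current.rootkit_flagged = True
        elif msg.endswith("MBR hidden"):
            current.mbr_hidden = True
        elif msg.endswith("unknown MBR code"):
            current.mbr_unknown_code = True
        elif msg.endswith("MBR restored successfully"):
            current.mbr_restored = True
        elif msg.startswith("Infection fixed successfully"):
            current.fix_verified = True
        elif msg == "Scan finished successfully":
            current.scan_finished = True
        elif (m := UNKNOWN_MODULE.search(msg)):
            current.unknown_trace_addresses.append(m.group(1).lower())
        elif (m := HOOK.match(msg)):
            current.hooked_dispatch.append((m.group(1), m.group(2), m.group(3).lower()))
        elif (m := INFECTED_FILE.match(msg)):
            current.infected_files.append((m.group(1), m.group(2)))
    return reports


if __name__ == "__main__":
    for r in parse_aswmbr_log(SAMPLE_LOG):
        print(f"{r.run_date}: {r.verdict} corroborated_hook={r.hook_corroborated} "
              f"hooks={r.hooked_dispatch} infected={r.infected_files}")
```

Run against the sample, the first run comes out as ROOTKIT_ACTIVE with the `\Driver\atapi` hook corroborated by the trace address, the second as ROOTKIT_REPAIRED, and the third as FILE_INFECTION with a clean call trace; the "unknown MBR code" flag on the third run is worth keeping visible, because a restored MBR that the tool no longer recognises is exactly the kind of line a helper would want to look at rather than assume away.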
#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:14 PM

Posted 25 October 2011 - 02:42 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 




