Rootkit Infection


8 replies to this topic

#1 nietzscheme


Posted 30 May 2012 - 07:22 PM

Problem: When I finished scanning my mother's laptop with a brand new Trend Micro, it came up with 2 deleted files and 3 files it didn't know what to do with. When it asked me to restart, I pressed okay. It shut down, powered back on to the green bar of loading, then nothing but darkness. It was just a blank screen for hours.

I've tried Safe Mode, Safe Mode with Networking, Last Known Good Configuration. They all say consrv was not found on this blue screen with the code C0000135. I've tried System Restore to an earlier point in time. Managed to log in but now cannot access Windows Firewall, Windows Defender, Trend Micro, or even iTunes. Tried UnHackMe scan. Found Rootkit. And when I restart, it ends up with the same blank screen at the beginning.

The Laptop of Doom is 64-bit Vista with service pack 2 (and it hates me).

Please beat this laptop into submission.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Gabriella at 16:57:48 on 2012-05-30
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3998.1971 [GMT -7:00]
.
AV: Trend Micro Titanium Internet Security *Disabled/Outdated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium Internet Security *Disabled/Outdated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_7477fb4c\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_7477fb4c\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Windows\SysWOW64\SupportAppXL\cdrom_mon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files (x86)\SMINST\BLService.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msntask.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11g_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: MRI_DISABLED - No File
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRunOnce: [DCERegBootClean64] C:\Windows\RegBootClean64.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INTUIT~1.LNK - C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~2.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{C9447C8C-F24D-4A5C-BF06-22D92576110F} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{F1A502DB-4683-4CAF-8460-B08245BA7999} : DhcpNameServer = 192.168.1.1
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll
Notify: ulbrnii -
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: MRI_DISABLED - No File
BHO-X64: AcroIEHelperStub - No File
BHO-X64: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll
BHO-X64: Trend Micro NSC BHO - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO-X64: TmBpIeBHO - No File
BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun-x64: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun-x64: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRunOnce-x64: [DCERegBootClean64] C:\Windows\RegBootClean64.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Gabriella\AppData\Roaming\Mozilla\Firefox\Profiles\99bhe1we.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/08/09 14:09:43];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928]
R2 tmevtmgr;tmevtmgr;C:\Windows\system32\DRIVERS\tmevtmgr.sys --> C:\Windows\system32\DRIVERS\tmevtmgr.sys [?]
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;C:\Windows\system32\DRIVERS\ewusbdev.sys --> C:\Windows\system32\DRIVERS\ewusbdev.sys [?]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw3v64.sys --> C:\Windows\system32\DRIVERS\NETw3v64.sys [?]
S3 NMgamingmsFltr;USB Optical Mouse;C:\Windows\system32\drivers\NMgamingms.sys --> C:\Windows\system32\drivers\NMgamingms.sys [?]
S3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\system32\DRIVERS\point64k.sys --> C:\Windows\system32\DRIVERS\point64k.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-05-30 23:17:18 128512 ----a-w- C:\Windows\RegBootClean64.exe
2012-05-30 23:15:58 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot
2012-05-30 22:55:49 -------- d-----w- C:\ProgramData\RegRun
2012-05-30 22:55:45 2 --shatr- C:\Windows\winstart.bat
2012-05-30 22:55:32 -------- d-----w- C:\Program Files (x86)\UnHackMe
2012-05-30 08:14:15 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-05-30 07:58:52 -------- d-----w- C:\Program Files (x86)\YouTube Downloader Toolbar(226)
2012-05-30 07:58:52 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot(124)
2012-05-29 23:07:23 -------- d-s---w- C:\ComboFix
2012-05-29 18:18:07 -------- d-----w- C:\Program Files (x86)\YouTube Downloader Toolbar(208)
2012-05-29 18:18:07 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot(121)
2012-05-28 21:11:58 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-05-26 02:07:12 -------- d-----w- C:\Program Files (x86)\YouTube Downloader Toolbar(191)
2012-05-26 02:07:12 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot(104)
2012-05-25 04:59:38 -------- d-----w- C:\Program Files\iPod(200)
2012-05-25 04:59:35 -------- d-----w- C:\Program Files (x86)\iTunes(140)
2012-05-25 04:49:57 -------- d-----w- C:\Program Files (x86)\QuickTime(183)
2012-05-21 21:12:59 -------- d-----w- C:\Program Files (x86)\YouTube Downloader Toolbar
.
==================== Find3M ====================
.
2012-03-20 13:29:09 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
.
============= FINISH: 16:59:15.28 ===============


#2 etavares

    Bleepin' Remover


  • Malware Response Team

Posted 03 June 2012 - 12:41 PM

Welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.


It appears that your antivirus program removed the bad file (consrv.dll in your case), but that it didn't remove the registry entry that loads consrv.dll. OTL is a bit better than DDS for this particular virus, so we will need a new log.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
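The registry entry etavares refers to is the Session Manager SubSystems "Windows" value, which DDS summarised in the log above as `SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2`. As an added example (not code from this thread, nor from DDS, OTL or Trend Micro), the Python below parses that value, compares it with the Vista/7 baseline in which console support is served by winsrv.dll, and reports the half-cleaned state where the DLL has been deleted but the entry still names it, so csrss.exe cannot start and boot fails with 0xC0000135. The sample strings and the set of files "present in system32" are constructed inputs, so it runs offline.

```python
"""Audit the list of CSRSS server DLLs that Windows reads at boot from
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems, value "Windows".

Offline check: the input is a string (the raw registry value, or the one-line
"SubSystems: Windows = ..." summary that DDS prints) plus the set of DLL file
names present in %SystemRoot%\\system32, so it touches no live registry.
All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Legitimate (module, entry point) pairs on Windows Vista / 7. Console support
# lives in winsrv.dll there; a separate consrv.dll is not part of the baseline.
BASELINE_PAIRS = {
    ("basesrv", None),
    ("winsrv", "UserServerDllInitialization"),
    ("winsrv", "ConServerDllInitialization"),
}

# One entry looks like  module[:EntryPoint],index  with an optional
# "ServerDll=" prefix in the raw value. The module must start with a letter so
# that numeric fields such as SharedSection=1024,20480,768 are not matched.
TOKEN = re.compile(
    r"(?:ServerDll=)?\b([A-Za-z_][A-Za-z0-9_]*)(?::([A-Za-z_][A-Za-z0-9_]*))?,(\d+)\b"
)


@dataclass(frozen=True)
class ServerDll:
    module: str            # DLL base name without extension, e.g. "winsrv"
    entry: Optional[str]   # exported init routine, or None (basesrv uses the default)
    index: int             # server index csrss.exe assigns to this DLL


def parse_server_dlls(value: str) -> List[ServerDll]:
    """Extract ServerDll entries from the raw value or from DDS's summary line."""
    return [
        ServerDll(m.group(1), m.group(2), int(m.group(3)))
        for m in TOKEN.finditer(value)
    ]


def audit_server_dlls(value: str, system32_dlls: Set[str]) -> List[str]:
    """Return findings as plain strings; an empty list means the value is clean."""
    entries = parse_server_dlls(value)
    actual = {(e.module.lower(), e.entry) for e in entries}
    present = {name.lower() for name in system32_dlls}
    findings = []
    # 1. Anything csrss.exe would load that is not in the baseline.
    for module, entry in sorted(actual - BASELINE_PAIRS, key=str):
        findings.append(
            f"unexpected server DLL '{module}' with entry point '{entry}': "
            "not part of the Vista/7 csrss.exe baseline"
        )
    # 2. A baseline entry point that has been redirected to another module.
    for module, entry in sorted(BASELINE_PAIRS - actual, key=str):
        findings.append(
            f"baseline entry point '{entry}' is no longer loaded from '{module}.dll'"
        )
    # 3. The half-cleaned state from this thread: the file is gone but the value
    #    still names it, so csrss.exe fails to initialise and boot stops with
    #    STATUS_DLL_NOT_FOUND (0xC0000135).
    for module in sorted({e.module.lower() for e in entries}):
        if f"{module}.dll" not in present:
            findings.append(
                f"'{module}.dll' is referenced but missing from system32: "
                "csrss.exe cannot start, boot fails with STOP 0xC0000135"
            )
    return findings


# Constructed raw value as found on a clean Vista/7 system.
RAW_CLEAN = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)
# The DDS summary line from the log posted in this thread.
DDS_HIJACKED = (
    "SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 "
    "consrv:ConServerDllInitialization,2"
)

if __name__ == "__main__":
    # consrv.dll already deleted by the antivirus, registry entry left behind
    for finding in audit_server_dlls(DDS_HIJACKED, {"basesrv.dll", "winsrv.dll"}):
        print("-", finding)
```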
 


#3 nietzscheme

  • Topic Starter


Posted 03 June 2012 - 06:29 PM

Hi, I did as you asked and got both the OTL and the GMER to scan the laptop. I just had a wee bit of a problem with GMER. On its main screen, a lot of the stuff it was supposed to scan for was grayed out: System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries.

I wasn't really sure what to do so I just scanned anyway.

(Thanks in advance! Since you're saving my bacon and stuff.)

Here it is:

GMER:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-03 16:25:19
Windows 6.0.6002 Service Pack 2
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???2?e??????X?x??????D???????????????????????????????????? ??????? ??????2???????2?????????????????s????Application Updater? (??Automatically downloads and installs application updates.????????????? ??????????? ?????????????6????????? ?5?????????????????????3?????????????CreateSession?H???\??\C:\Config.Msi\8a3eb.rbf???????\??\C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.old??\??\C:\Config.Msi\8a3eb.rbf??\??\C:\Config.Msi\8a3f6.rbf?????????#?2????????????4?? ?????????? ????? ????????? ??????????????????????????????? ??????????? ??????????? ??????????? ????????????????????????????????????? ??????? ????????? ????????????????????????????????????? ??????? ????????#?#???????????????t?????????? ??????????? ????????????????????????????????????? ????????????????????????????? ????????????????????????"?????????????????????????? ?????????????????????????9????? ??????????? ?????9????? ??????????? ??????? ??????????????????????2?#????????????4?? ?????????? ??????????????? ??????????????
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00218630b3c5
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00218630b3c5 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

OTL:

OTL logfile created on: 6/3/2012 3:06:08 PM - Run 1
OTL by OldTimer - Version 3.2.46.0 Folder = C:\Users\Gabriella\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.90 Gb Total Physical Memory | 2.05 Gb Available Physical Memory | 52.61% Memory free
7.98 Gb Paging File | 5.96 Gb Available in Paging File | 74.70% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.72 Gb Total Space | 312.56 Gb Free Space | 69.19% Space Free | Partition Type: NTFS
Drive D: | 14.04 Gb Total Space | 2.13 Gb Free Space | 15.19% Space Free | Partition Type: NTFS

Computer Name: GABRIELA-PC | User Name: Gabriella | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/03 15:05:12 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Gabriella\Desktop\OTL.exe
PRC - [2012/05/25 15:21:44 | 000,992,648 | ---- | M] (Spigot, Inc.) -- C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
PRC - [2012/05/25 15:12:54 | 000,785,344 | ---- | M] (Spigot, Inc.) -- C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
PRC - [2012/05/04 13:17:40 | 000,595,216 | ---- | M] (Greatis Software) -- C:\Program Files (x86)\UnHackMe\hackmon.exe
PRC - [2012/03/20 06:29:09 | 000,250,528 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11g_ActiveX.exe
PRC - [2011/05/26 11:29:03 | 000,800,768 | ---- | M] (Yuna Software) -- C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
PRC - [2010/08/25 10:14:42 | 001,156,384 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2010/08/25 10:13:48 | 001,178,400 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
PRC - [2010/08/25 10:11:06 | 000,050,464 | ---- | M] (Intuit) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2009/05/08 17:32:38 | 000,206,120 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
PRC - [2008/12/25 13:41:20 | 000,189,736 | ---- | M] (CyberLink) -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
PRC - [2008/12/25 13:41:16 | 001,316,136 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
PRC - [2008/12/23 17:18:20 | 000,365,952 | ---- | M] () -- C:\Program Files (x86)\SMINST\BLService.exe
PRC - [2008/11/28 18:04:26 | 001,148,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
PRC - [2008/11/26 17:13:08 | 000,296,320 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
PRC - [2008/11/26 17:13:08 | 000,116,096 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
PRC - [2008/11/25 12:58:39 | 000,081,920 | R--- | M] () -- C:\Windows\SysWOW64\SupportAppXL\cdrom_mon.exe
PRC - [2008/08/28 21:09:08 | 000,133,648 | ---- | M] (Microsoft Corp.) -- c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msntask.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/02 09:19:48 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\8b5f54e3b382fc1720c76557ef8c8bc3\System.Management.ni.dll
MOD - [2012/03/02 09:18:03 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\5c3bfd69e0c268baff0d169e11a6a784\System.Runtime.Remoting.ni.dll
MOD - [2012/03/02 09:18:01 | 000,627,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\0ef893bbf33d38a1f7a63b9cee2dabfe\System.Transactions.ni.dll
MOD - [2012/03/02 09:18:00 | 000,627,712 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\a333ad288c1a4bbbba8f61249202bc1a\System.EnterpriseServices.ni.dll
MOD - [2012/03/02 09:18:00 | 000,280,064 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\a333ad288c1a4bbbba8f61249202bc1a\System.EnterpriseServices.Wrapper.dll
MOD - [2012/03/02 09:17:51 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\7fd6c62196829d1e2dce5a253145d51a\System.Configuration.ni.dll
MOD - [2012/02/21 07:57:40 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d9f0f1dc8cbdb81f1ba122d77a6ab710\System.Xml.ni.dll
MOD - [2012/02/21 07:55:42 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\65450889f3742aada2a6c0cf8e6173e3\System.Windows.Forms.ni.dll
MOD - [2012/02/21 07:55:21 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\137696d0416b65dbc1561152971488b4\System.Drawing.ni.dll
MOD - [2012/02/21 07:54:53 | 006,621,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\029217106fa24787ff7a61b754f8ebf7\System.Data.ni.dll
MOD - [2012/02/21 07:54:37 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\d48e106e015d0f8cb2d5295015cee508\PresentationFramework.Aero.ni.dll
MOD - [2012/02/21 07:54:35 | 014,328,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\56df3488472318c59d0a08ed10a065d3\PresentationFramework.ni.dll
MOD - [2012/02/19 10:31:11 | 012,216,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\3951e0a359c004cd6ba268ff78ac62aa\PresentationCore.ni.dll
MOD - [2012/02/19 10:30:30 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\1e258a951222c818540b33880ca45f2e\WindowsBase.ni.dll
MOD - [2012/02/19 10:30:15 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c50133cb67d7c013fa31e1ffb942060b\System.ni.dll
MOD - [2011/10/16 01:13:31 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/03/02 11:11:18 | 000,004,096 | ---- | M] () -- C:\Program Files (x86)\Yuna Software\Messenger Plus!\Detoured.dll
MOD - [2010/08/25 10:14:18 | 000,124,704 | ---- | M] () -- C:\Program Files (x86)\Intuit\QuickBooks 2011\QBMAPILibrary.dll
MOD - [2010/08/25 10:14:16 | 000,020,256 | ---- | M] () -- C:\Program Files (x86)\Intuit\QuickBooks 2011\QBCompressor.DLL
MOD - [2010/08/25 10:14:06 | 000,041,248 | ---- | M] () -- C:\Program Files (x86)\Intuit\QuickBooks 2011\mbpopup.dll
MOD - [2010/08/25 10:13:56 | 000,268,064 | ---- | M] () -- C:\Program Files (x86)\Intuit\QuickBooks 2011\boost_regex-vc90-mt-p-1_33.dll
MOD - [2010/08/25 10:13:56 | 000,175,904 | ---- | M] () -- C:\Program Files (x86)\Intuit\QuickBooks 2011\boost_serialization-vc90-mt-p-1_33.dll
MOD - [2010/08/25 10:13:54 | 000,337,184 | ---- | M] () -- C:\Program Files (x86)\Intuit\QuickBooks 2011\BackupLib.dll
MOD - [2009/04/10 23:28:24 | 000,223,232 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.dll
MOD - [2009/04/10 23:28:24 | 000,223,232 | ---- | M] () -- \\.\globalroot\systemroot\syswow64\mswsock.dll
MOD - [2009/04/10 23:28:22 | 000,368,640 | ---- | M] () -- C:\Windows\SysWOW64\msjetoledb40.dll
MOD - [2009/04/10 19:04:16 | 000,113,664 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
MOD - [2009/03/29 21:42:20 | 000,261,632 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2009/03/29 21:42:18 | 002,933,760 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2008/12/25 13:41:24 | 000,881,960 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMediaLibrary.dll
MOD - [2008/11/26 17:13:08 | 000,263,560 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\CLCapEngine.dll
MOD - [2008/11/26 17:13:08 | 000,124,288 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\CLSchMgr.dll
MOD - [2008/11/26 17:13:08 | 000,038,184 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\CLCapSvcps.dll
MOD - [2008/11/26 17:13:06 | 000,349,480 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\CLTinyDB.dll
MOD - [2008/11/25 16:29:56 | 000,034,088 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Shared files\richvideops.dll
MOD - [2008/11/18 12:03:14 | 000,032,768 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Content.XmlSerializers.dll
MOD - [2008/11/18 11:57:08 | 000,007,168 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\RemotingClient.dll
MOD - [2008/11/18 11:57:06 | 000,057,344 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
MOD - [2008/11/18 11:56:58 | 000,118,784 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\ECLibrary.dll
MOD - [2008/11/18 11:56:56 | 000,010,240 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingClients.dll
MOD - [2008/11/18 11:56:40 | 000,040,960 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingServer.dll
MOD - [2008/11/18 11:56:40 | 000,028,672 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingMessages.dll
MOD - [2008/11/18 11:56:40 | 000,005,632 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingInterface.dll
MOD - [2007/08/14 13:59:54 | 006,365,184 | ---- | M] () -- C:\Program Files (x86)\Common Files\LightScribe\QtGui4.dll
MOD - [2007/07/12 13:55:52 | 000,131,072 | ---- | M] () -- C:\Program Files (x86)\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll
MOD - [2007/07/12 13:55:28 | 001,581,056 | ---- | M] () -- C:\Program Files (x86)\Common Files\LightScribe\QtCore4.dll
MOD - [2005/07/19 23:18:00 | 000,059,904 | ---- | M] () -- C:\Program Files (x86)\Intuit\QuickBooks 2011\zlib1.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [Auto | Running] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe -- (Amsp)
SRV:64bit: - [2011/03/02 09:12:21 | 000,117,760 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\dnsrslvr.dll -- (Dnscache)
SRV:64bit: - [2009/01/28 06:15:24 | 000,290,304 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_7477fb4c\STacSV64.exe -- (STacSV)
SRV:64bit: - [2008/11/17 12:22:44 | 000,088,576 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_7477fb4c\AESTSr64.exe -- (AESTFilters)
SRV:64bit: - [2008/03/18 16:25:40 | 000,023,040 | ---- | M] (Hewlett-Packard Corporation) [Auto | Running] -- C:\Windows\SysNative\Hpservice.exe -- (hpsrv)
SRV:64bit: - [2008/01/20 19:51:33 | 000,067,072 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\Mcx2Svc.dll -- (Mcx2Svc)
SRV:64bit: - [2008/01/20 19:48:26 | 000,088,064 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\mprdim.dll -- (RemoteAccess)
SRV - [2012/05/25 15:12:54 | 000,785,344 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe -- (Application Updater)
SRV - [2012/01/31 16:09:34 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2010/08/25 10:11:06 | 000,050,464 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/07/23 21:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2009/03/29 21:42:16 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/03/29 21:39:56 | 000,089,920 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2008/12/23 17:18:20 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/11/26 17:13:08 | 000,296,320 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe -- (TVCapSvc) TV Background Capture Service (TVBCS)
SRV - [2008/11/26 17:13:08 | 000,116,096 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe -- (TVSched) TV Task Scheduler (TVTS)
SRV - [2008/11/25 12:58:39 | 000,081,920 | R--- | M] () [Auto | Running] -- C:\Windows\SysWOW64\SupportAppXL\cdrom_mon.exe -- (Autorun CDROM Monitor)
SRV - [2008/01/20 19:49:09 | 000,068,608 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysWOW64\mprdim.dll -- (RemoteAccess)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/05/10 08:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2010/08/08 03:18:48 | 000,144,464 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\tmcomm.sys -- (tmcomm)
DRV:64bit: - [2010/08/08 03:18:48 | 000,105,552 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\tmtdi.sys -- (tmtdi)
DRV:64bit: - [2010/08/08 03:18:48 | 000,090,704 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\tmactmon.sys -- (tmactmon)
DRV:64bit: - [2010/08/08 03:18:48 | 000,067,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\tmevtmgr.sys -- (tmevtmgr)
DRV:64bit: - [2009/10/13 19:42:32 | 000,119,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV:64bit: - [2009/10/13 19:42:08 | 000,119,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV:64bit: - [2009/10/13 19:41:44 | 000,119,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV:64bit: - [2009/09/30 17:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/09/10 14:56:08 | 000,117,120 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ewusbmdm.sys -- (hwdatacard)
DRV:64bit: - [2009/07/24 15:52:14 | 000,114,560 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ewusbdev.sys -- (hwusbdev)
DRV:64bit: - [2009/07/24 08:55:10 | 000,011,264 | ---- | M] (Primax Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NMgamingms.sys -- (NMgamingmsFltr)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/04/10 21:54:22 | 000,299,008 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\DRIVERS\udfs.sys -- (udfs)
DRV:64bit: - [2009/01/28 06:16:06 | 000,473,088 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\stwrt64.sys -- (STHDA)
DRV:64bit: - [2008/12/30 05:18:40 | 000,068,608 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\enecir.sys -- (enecir)
DRV:64bit: - [2008/12/20 00:03:08 | 001,344,000 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\athrx.sys -- (athr)
DRV:64bit: - [2008/12/02 14:01:42 | 000,068,608 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTSTOR64.SYS -- (RTSTOR)
DRV:64bit: - [2008/11/10 13:26:30 | 000,184,832 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2008/10/28 01:33:30 | 008,039,808 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2008/09/21 22:49:58 | 000,126,464 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV:64bit: - [2008/09/18 10:08:04 | 000,260,144 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SynTP.sys -- (SynTP)
DRV:64bit: - [2008/03/27 12:10:56 | 000,026,984 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\hpdskflt.sys -- (hpdskflt)
DRV:64bit: - [2008/03/27 12:10:14 | 000,040,296 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Accelerometer.sys -- (Accelerometer)
DRV:64bit: - [2008/01/20 19:51:07 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2008/01/20 19:49:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\ws2ifsl.sys -- (ws2ifsl)
DRV:64bit: - [2008/01/20 19:46:57 | 003,154,432 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\NETw3v64.sys -- (NETw3v64) Intel®
DRV:64bit: - [2008/01/20 19:46:55 | 000,111,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)
DRV:64bit: - [2008/01/20 19:46:52 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\Dot4Scan.sys -- (Dot4Scan)
DRV:64bit: - [2007/06/18 17:13:12 | 000,018,432 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV:64bit: - [2006/11/08 00:27:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\point64k.sys -- (Point64)
DRV:64bit: - [2006/10/03 18:45:36 | 000,273,408 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\yk60x64.sys -- (yukonx64)
DRV - [2012/05/30 15:55:46 | 000,035,816 | ---- | M] (Greatis Software) [Kernel | Boot | Unknown] -- C:\Windows\SysWOW64\drivers\Partizan.sys -- (Partizan)
DRV - [2008/11/28 18:04:24 | 000,146,928 | ---- | M] (CyberLink Corp.) [2009/08/09 14:09:43] [Kernel | Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl -- ({55662437-DA8C-40c0-AADA-2C816A897A49})


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {7EEAD0DA-121E-498E-B773-B8F0B4C4AAB1}
IE:64bit: - HKLM\..\SearchScopes\{7EEAD0DA-121E-498E-B773-B8F0B4C4AAB1}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
IE:64bit: - HKLM\..\SearchScopes\{B226DAE9-F4F6-41AA-9CD0-4000E7E09068}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE - HKLM\..\SearchScopes,DefaultScope = {7EEAD0DA-121E-498E-B773-B8F0B4C4AAB1}
IE - HKLM\..\SearchScopes\{7EEAD0DA-121E-498E-B773-B8F0B4C4AAB1}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&FORM=HPNTDF
IE - HKLM\..\SearchScopes\{B226DAE9-F4F6-41AA-9CD0-4000E7E09068}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\..\URLSearchHook: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.8\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\..\SearchScopes,DefaultScope = {52E0B1FC-4736-42C1-BC9A-3EF26C9B5E74}
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\..\SearchScopes\{52E0B1FC-4736-42C1-BC9A-3EF26C9B5E74}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\..\SearchScopes\{54CFD50D-F79C-4A94-BF49-57E96C72A79B}: "URL" = http://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\..\SearchScopes\{7EEAD0DA-121E-498E-B773-B8F0B4C4AAB1}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\..\SearchScopes\{B226DAE9-F4F6-41AA-9CD0-4000E7E09068}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\firefoxextension\ [2012/06/03 15:53:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/05/30 15:37:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2011/04/15 21:48:52 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Gabriella\AppData\Roaming\Mozilla\Extensions
[2012/05/30 07:24:00 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Gabriella\AppData\Roaming\Mozilla\Firefox\Profiles\99bhe1we.default\extensions
[2012/02/02 23:12:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/02/02 23:12:21 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/06/03 15:05:27 | 000,000,000 | ---D | M] (Widgi Toolbar Platform) -- C:\PROGRAM FILES (X86)\COMMON FILES\SPIGOT\WTXPCOM
[2012/06/03 15:05:23 | 000,000,000 | ---D | M] (YouTube Downloader Toolbar) -- C:\PROGRAM FILES (X86)\YOUTUBE DOWNLOADER TOOLBAR\FF
[2011/09/17 20:09:43 | 000,011,510 | -H-- | M] () (No name found) -- C:\USERS\GABRIELLA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\99BHE1WE.DEFAULT\EXTENSIONS\YOUTUBE2MP3@MONDAYX.DE.XPI
[2009/09/06 07:48:40 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/07/08 00:16:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/05/24 21:46:18 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/05/24 21:46:18 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

Hosts file not found
O2:64bit: - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll (Trend Micro Inc.)
O2:64bit: - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe64.dll (Trend Micro Inc.)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll (Trend Micro Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.8\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\5.8\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O3 - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4:64bit: - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4:64bit: - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CLMLServer for HP TouchSmart] C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [DVDAgent] C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [PlusService] C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe (Yuna Software)
O4 - HKLM..\Run: [SearchSettings] C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
O4 - HKLM..\Run: [TSMAgent] C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [TVAgent] C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11g_ActiveX.exe (Adobe Systems, Inc.)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000011 - mmswsock.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files (x86)\Bonjour\mdnsNSP.dll File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C9447C8C-F24D-4A5C-BF06-22D92576110F}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F1A502DB-4683-4CAF-8460-B08245BA7999}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\intu-help-qb4 - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\qbwc - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe64.dll (Trend Micro Inc.)
O18:64bit: - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1464\6.6.1079\TmIEPlg.dll (Trend Micro Inc.)
O18 - Protocol\Handler\intu-help-qb4 {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\1.5.1464\6.6.1079\TmIEPlg32.dll (Trend Micro Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ulbrnii: DllName - (C:\Windows\system32\config\systemprofile\AppData\Local\ulbrnii.dll) - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ulbrnii.dll ()
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img11.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img11.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{0ac169b8-95e2-11e1-b17e-00235ab929eb}\Shell - "" = AutoRun
O33 - MountPoints2\{0ac169b8-95e2-11e1-b17e-00235ab929eb}\Shell\AutoRun\command - "" = G:\HPLauncher.exe
O33 - MountPoints2\{0ad29c2c-df12-11df-a876-00235ab929eb}\Shell - "" = AutoRun
O33 - MountPoints2\{0ad29c2c-df12-11df-a876-00235ab929eb}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{936a2425-22ad-11e0-a5e0-00235ab929eb}\Shell\AutoRun\command - "" = F:\Setup_FlipShare.exe
O33 - MountPoints2\{936a2425-22ad-11e0-a5e0-00235ab929eb}\Shell\Setup FlipShare\command - "" = F:\Setup_FlipShare.exe
O33 - MountPoints2\{e72d7856-d2be-11df-9071-00235ab929eb}\Shell - "" = AutoRun
O33 - MountPoints2\{e72d7856-d2be-11df-9071-00235ab929eb}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{e72d7883-d2be-11df-9071-00235ab929eb}\Shell - "" = AutoRun
O33 - MountPoints2\{e72d7883-d2be-11df-9071-00235ab929eb}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (Partizan)
O34 - HKLM BootExecute: (ootExecute settings...)
O34 - HKLM BootExecute: (s\Cu)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\...exe [@ = exefile] -- Reg Error: Value error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=consrv:ConServerDllInitialization,2)


MsConfig:64bit - StartUpReg: IgfxTray - hkey= - key= - C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
MsConfig:64bit - StartUpReg: SmartMenu - hkey= - key= - File not found
MsConfig:64bit - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig:64bit - StartUpReg: SysTrayApp - hkey= - key= - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/06/03 15:05:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Application Updater
[2012/06/03 15:05:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YouTube Downloader Toolbar
[2012/06/03 15:05:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Spigot
[2012/06/03 15:05:03 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/06/03 15:04:48 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Gabriella\Desktop\OTL.exe
[2012/06/03 14:56:53 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\RegRunInfo
[2012/05/30 16:15:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Spigot(17)
[2012/05/30 15:55:49 | 000,000,000 | ---D | C] -- C:\ProgramData\RegRun
[2012/05/30 15:55:46 | 000,039,184 | ---- | C] (Greatis Software) -- C:\Windows\SysWow64\Partizan.exe
[2012/05/30 15:55:46 | 000,035,816 | ---- | C] (Greatis Software) -- C:\Windows\SysWow64\drivers\Partizan.sys
[2012/05/30 15:55:39 | 000,000,000 | ---D | C] -- C:\Users\Gabriella\Documents\RegRun2
[2012/05/30 15:55:37 | 000,012,800 | ---- | C] (Greatis Software, LLC.) -- C:\Windows\SysWow64\drivers\UnHackMeDrv.sys
[2012/05/30 15:55:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
[2012/05/30 15:55:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\UnHackMe
[2012/05/30 12:03:14 | 000,000,000 | ---D | C] -- C:\Users\Gabriella\Documents\Support-Tool-64-bit
[2012/05/30 10:16:12 | 000,000,000 | ---D | C] -- C:\Users\Gabriella\AppData\Roaming\InstallShield
[2012/05/30 01:14:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2012/05/30 00:58:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YouTube Downloader Toolbar(226)
[2012/05/30 00:58:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Spigot(124)
[2012/05/29 16:07:23 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/05/29 16:07:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/29 11:18:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YouTube Downloader Toolbar(208)
[2012/05/29 11:18:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Spigot(121)
[2012/05/28 14:11:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/05/25 19:07:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\YouTube Downloader Toolbar(191)
[2012/05/25 19:07:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Spigot(104)
[2012/05/24 21:59:38 | 000,000,000 | ---D | C] -- C:\Program Files\iPod(200)
[2012/05/24 21:59:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes(140)
[2012/05/24 21:49:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime(183)
[2012/05/24 21:46:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla

========== Files - Modified Within 30 Days ==========

[2012/06/03 15:21:01 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At80.job
[2012/06/03 15:21:01 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At32.job
[2012/06/03 15:21:01 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At79.job
[2012/06/03 15:21:01 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At31.job
[2012/06/03 15:05:12 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Gabriella\Desktop\OTL.exe
[2012/06/03 15:02:05 | 000,719,100 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/06/03 15:02:05 | 000,616,164 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/06/03 15:02:05 | 000,108,172 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/06/03 14:56:24 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/03 14:56:24 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/03 14:56:10 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/30 16:55:48 | 000,000,000 | ---- | M] () -- C:\Users\Gabriella\defogger_reenable
[2012/05/30 15:55:46 | 000,039,184 | ---- | M] (Greatis Software) -- C:\Windows\SysWow64\Partizan.exe
[2012/05/30 15:55:46 | 000,035,816 | ---- | M] (Greatis Software) -- C:\Windows\SysWow64\drivers\Partizan.sys
[2012/05/30 15:55:45 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
[2012/05/30 15:55:45 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\CONFIG.NT
[2012/05/30 15:55:45 | 000,000,002 | RHS- | M] () -- C:\Windows\SysWow64\AUTOEXEC.NT
[2012/05/30 15:55:38 | 000,000,742 | ---- | M] () -- C:\Users\Gabriella\Desktop\UnHackMe.lnk
[2012/05/30 10:02:27 | 4193,210,368 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/29 16:03:06 | 000,006,756 | ---- | M] () -- C:\Users\Gabriella\AppData\Local\d3d9caps.dat
[2012/05/21 15:23:34 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/05/21 14:21:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At29.job
[2012/05/21 14:20:59 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At78.job
[2012/05/21 14:20:59 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At30.job
[2012/05/21 14:20:59 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At77.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At8.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At76.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At74.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At72.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At70.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At68.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At66.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At64.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At62.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At60.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At58.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At56.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At28.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At26.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At24.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At22.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At20.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At18.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At16.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At14.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At12.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At10.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At9.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At75.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At73.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At71.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At7.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At69.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At67.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At65.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At63.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At61.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At59.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At57.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At55.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At27.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At25.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At23.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At21.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At19.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At17.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At15.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At13.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At11.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At96.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At94.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At92.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At90.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At88.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At86.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At84.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At82.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At6.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At52.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At50.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At48.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At46.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At44.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At42.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At40.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At4.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At38.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At36.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At34.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At2.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At95.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At93.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At91.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At89.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At87.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At85.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At83.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At81.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At53.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At51.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At5.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At49.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At47.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At45.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At43.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At41.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At39.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At37.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At35.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At33.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At3.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At1.job
[2012/05/18 03:00:13 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At54.job

========== Files Created - No Company Name ==========

[2012/05/30 16:55:48 | 000,000,000 | ---- | C] () -- C:\Users\Gabriella\defogger_reenable
[2012/05/30 15:55:45 | 000,000,002 | RHS- | C] () -- C:\Windows\winstart.bat
[2012/05/30 15:55:45 | 000,000,002 | RHS- | C] () -- C:\Windows\SysWow64\CONFIG.NT
[2012/05/30 15:55:45 | 000,000,002 | RHS- | C] () -- C:\Windows\SysWow64\AUTOEXEC.NT
[2012/05/30 15:55:38 | 000,000,742 | ---- | C] () -- C:\Users\Gabriella\Desktop\UnHackMe.lnk
[2012/05/30 10:02:27 | 4193,210,368 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/01 21:25:08 | 000,000,200 | ---- | C] () -- C:\ProgramData\~qZrifprMzoEktWr
[2012/01/01 21:25:07 | 000,000,296 | ---- | C] () -- C:\ProgramData\~qZrifprMzoEktW
[2012/01/01 21:24:50 | 000,000,336 | ---- | C] () -- C:\ProgramData\qZrifprMzoEktW
[2011/12/16 09:27:58 | 000,000,001 | ---- | C] () -- C:\Windows\SysWow64\0fN4T6.com.b
[2011/12/16 09:17:09 | 000,000,112 | ---- | C] () -- C:\ProgramData\1BSanWX0.dat
[2011/12/11 14:58:22 | 000,010,208 | -HS- | C] () -- C:\Users\Gabriella\AppData\Local\5o42hc3l58u034
[2011/12/11 14:58:22 | 000,010,208 | -HS- | C] () -- C:\ProgramData\5o42hc3l58u034
[2011/12/03 21:38:50 | 000,000,252 | -H-- | C] () -- C:\Users\Gabriella\AppData\Roaming\wklnhst.dat
[2011/06/21 07:58:42 | 000,000,095 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2010/06/25 08:43:32 | 000,006,756 | ---- | C] () -- C:\Users\Gabriella\AppData\Local\d3d9caps.dat

========== LOP Check ==========

[2010/12/29 19:27:51 | 000,000,000 | -H-D | M] -- C:\Users\Gabriella\AppData\Roaming\.minecraft
[2011/05/30 03:57:09 | 000,000,000 | -H-D | M] -- C:\Users\Gabriella\AppData\Roaming\BitTorrent
[2011/12/03 21:38:56 | 000,000,000 | -H-D | M] -- C:\Users\Gabriella\AppData\Roaming\Template
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At10.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At11.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At12.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At13.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At14.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At15.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At16.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At17.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At18.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At19.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At20.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At21.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At22.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At23.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At24.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At25.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At26.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At27.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At28.job
[2012/05/21 14:21:00 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At29.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2012/05/21 14:20:59 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At30.job
[2012/06/03 15:21:01 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At31.job
[2012/06/03 15:21:01 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At32.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At33.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At34.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At35.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At36.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At37.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At38.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At39.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At4.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At40.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At41.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At42.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At43.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At44.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At45.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At46.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At47.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At48.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At49.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At5.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At50.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At51.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At52.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At53.job
[2012/05/18 03:00:13 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At54.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At55.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At56.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At57.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At58.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At59.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At6.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At60.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At61.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At62.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At63.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At64.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At65.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At66.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At67.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At68.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At69.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At7.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At70.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At71.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At72.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At73.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At74.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At75.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At76.job
[2012/05/21 14:20:59 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At77.job
[2012/05/21 14:20:59 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At78.job
[2012/06/03 15:21:01 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At79.job
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At8.job
[2012/06/03 15:21:01 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At80.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At81.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At82.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At83.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At84.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At85.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At86.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At87.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At88.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At89.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At9.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At90.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At91.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At92.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At93.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At94.job
[2012/05/21 03:00:12 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At95.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\Tasks\At96.job
[2012/05/21 15:23:34 | 000,032,572 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2009/04/10 23:36:38 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2011/08/19 01:41:53 | 000,007,807 | ---- | M] () -- C:\debug1214.txt
[2012/05/30 10:02:27 | 4193,210,368 | -HS- | M] () -- C:\hiberfil.sys
[2006/12/02 00:37:14 | 000,904,704 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
[2012/06/03 14:55:38 | 211,832,831 | -HS- | M] () -- C:\pagefile.sys
[2012/05/30 10:18:58 | 000,000,184 | ---- | M] () -- C:\setup.log
[2009/08/24 17:10:06 | 000,000,000 | ---- | M] () -- C:\Updates.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.sys /90 >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\*.exe /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\* >
[2008/01/20 20:21:59 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

< %USERPROFILE%\..|smtmp;true;true;true /FP >
[2012/01/01 21:20:59 | 000,000,000 | -H-D | M] -- C:\Users\Gabriella\..\Gabriella\AppData\Local\Temp\smtmp
[2012/01/01 21:20:59 | 000,000,000 | -H-D | M] -- C:\Users\Gabriella\..\Gabriella\AppData\Local\Temp\smtmp\1
[2012/01/01 21:20:59 | 000,000,000 | -H-D | M] -- C:\Users\Gabriella\..\Gabriella\AppData\Local\Temp\smtmp\2
[2012/01/01 23:04:29 | 000,000,000 | -H-D | M] -- C:\Users\Gabriella\..\Gabriella\AppData\Local\Temp\smtmp\4

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/07/08 00:16:28 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/07/08 00:16:28 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/07/08 00:16:28 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -preferences [2011/07/08 00:16:28 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe -safe-mode
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\SysWOW64\ie4uinit.exe" -hide [2011/05/19 19:05:39 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\SysWOW64\ie4uinit.exe" -show [2011/05/19 19:05:39 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\SysWOW64\ie4uinit.exe" -reinstall [2011/05/19 19:05:39 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff [2011/05/19 19:05:41 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

< hklm\software\clients\startmenuinternet|command /64 /rs >
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE [2011/05/19 19:05:26 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW [2011/05/19 19:05:26 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL [2011/05/19 19:05:26 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF [2011/05/19 19:05:41 | 000,748,336 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE [2011/05/19 19:05:41 | 000,748,336 | ---- | M] (Microsoft Corporation)

< >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\system64] -> \systemroot\system32 -> Mount Point

< End of report >
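As an added triage example (not part of this thread, the poster's log, or the OTL tool itself), the Python below runs a few defender-side checks over lines copied from the OTL report above: a Winlogon notification DLL loaded from a profile folder with no company name, a Windows subsystem ServerDll served by a module other than the stock ones, a broken .exe file association, and an unusually large pile of At*.job scheduled tasks. The expected directories, the stock-module list and the job-count threshold are the editor's own assumptions, not OTL rules.

```python
"""Flag persistence indicators in OTL-style log lines (added example)."""
import re

# Constructed sample: a subset of lines copied verbatim from the OTL log above.
SAMPLE_LOG = r"""
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ulbrnii: DllName - (C:\Windows\system32\config\systemprofile\AppData\Local\ulbrnii.dll) - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ulbrnii.dll ()
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1610011482-1852693191-3528723387-1000\...exe [@ = exefile] -- Reg Error: Value error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=consrv:ConServerDllInitialization,2)
[2012/05/21 14:06:19 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At8.job
[2012/05/21 14:06:19 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At9.job
[2012/05/21 03:00:12 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At96.job
"""

# Assumption: on a Vista/7-era install a Winlogon notification DLL lives directly
# in the system directory. Anything deeper (a profile's AppData, for instance)
# deserves a closer look.
NOTIFY_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\sysnative", r"c:\windows\syswow64")

# Assumption: modules that serve the Windows subsystem on a stock Vista/7 install.
# The console server entry point is provided by winsrv there, not a separate DLL.
SUBSYSTEM_MODULES = {"basesrv", "winsrv", "sxssrv"}

NOTIFY_RE = re.compile(
    r"^O20(?::64bit:)? - Winlogon\\Notify\\(?P<name>[^:]+): DllName - "
    r"\((?P<value>.*?)\) - (?P<path>.*?) \((?P<company>.*)\)$"
)
SUBSYS_RE = re.compile(
    r"^O38 - SubSystems\\\\Windows: \(ServerDll=(?P<module>\w+):(?P<entry>\w+),(?P<index>\d+)\)$"
)
EXEFILE_RE = re.compile(
    r"^O37(?::64bit:)? - (?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.(?P<ext>\w+) "
    r"\[@ = (?P<cls>\w+)\] -- (?P<cmd>.*)$"
)
AT_JOB_RE = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)

# The stock value for the open verb of exefile/comfile.
STOCK_OPEN_CMD = '"%1" %*'


def notify_dll_suspicious(path, company):
    """Return the reasons (possibly none) a Winlogon Notify DLL looks off."""
    reasons = []
    p = path.lower()
    in_expected_dir = any(
        p.startswith(d + "\\") and "\\" not in p[len(d) + 1:] for d in NOTIFY_DLL_DIRS
    )
    if not in_expected_dir:
        reasons.append("loaded from outside the system directory")
    if not company.strip():
        reasons.append("no company/version information")
    return reasons


def triage(log_text, at_job_threshold=10):
    """Scan OTL lines and return a list of findings as dicts."""
    findings = []
    at_jobs = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NOTIFY_RE.match(line)
        if m:
            reasons = notify_dll_suspicious(m["path"], m["company"])
            if reasons:
                findings.append({"check": "winlogon_notify", "item": m["name"],
                                 "detail": "; ".join(reasons)})
            continue
        m = SUBSYS_RE.match(line)
        if m:
            if m["module"].lower() not in SUBSYSTEM_MODULES:
                findings.append({"check": "subsystem_serverdll", "item": m["module"],
                                 "detail": m["entry"] + " served by a non-stock module"})
            continue
        m = EXEFILE_RE.match(line)
        if m:
            if m["cmd"] != STOCK_OPEN_CMD:
                findings.append({"check": "exe_association", "item": m["hive"],
                                 "detail": m["cmd"]})
            continue
        if AT_JOB_RE.search(line):
            at_jobs += 1
    # Dozens of at.exe-created jobs on a home laptop is itself a signal;
    # the threshold is an assumption, tune it to the environment.
    if at_jobs >= at_job_threshold:
        findings.append({"check": "at_jobs", "item": "%d At*.job tasks" % at_jobs,
                         "detail": "mass scheduled tasks, review their commands"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, at_job_threshold=3):
        print("[%s] %s: %s" % (f["check"], f["item"], f["detail"]))
```

On the full log above the same checks would flag the ulbrnii.dll entry, the consrv subsystem line, the per-user exefile error and the 96 At*.job files, which is the sort of evidence a helper weighs before calling an infection a backdoor.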

#4 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 03 June 2012 - 07:42 PM

Hello, nietzscheme.
Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.
P2P Warning and Request
The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case BitTorrent). These programmes allow users to share files between them, as the name(s) suggest. In today's world cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. I recommend that you uninstall this program. That is optional, however. If you decide to not uninstall, please refrain from using it until I let you know your computer is clean.



Step 1



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 nietzscheme

nietzscheme
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Female
  • Location:CA sometimes.

Posted 03 June 2012 - 08:13 PM

Before I choose what to do, can I ask a couple of things?

Will the laptop be completely secure if I do a complete reformat and reinstall of the OS? Or do you think I could just take this laptop to the Virus and Spyware Removal Service at Trend? Or is it better/cheaper/easier/safer to just replace the laptop?

Can this virus steal passwords while I type them? Or does it just steal the passwords saved on the browser? And what do you mean by critical system information? What does the virus steal exactly?

If I had plugged a memory stick into this laptop, will the memory stick also be infected? And could it possibly infect another laptop? What about data saved on cds? I had back-ups of photos on cds, will the cds be also infected?

And in the future, how can I protect my mom's laptop from backdoor trojans and rootkit infections like this?

My mother isn't really a millionaire and doesn't have any sensitive information on the laptop other than her passwords. So, I'm not really sure what to do.

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 04 June 2012 - 07:17 PM

Hi nietzscheme-

Yes, if you reformat and reinstall, the computer is guaranteed to be 100% clean...until you plug in a flash drive or plug into the internet. There is no need to replace the physical laptop, the hardware is fine, it's just the operating system that is compromised. A full reformat and reinstall would wipe it.

A backdoor is an opening that the virus author or user can use to control your system. In some cases, it would be like they are sitting at your computer and can access files, passwords, etc.

The memory stick could be infected. We can scan it if you'd like. Flash drive infections are much simpler as they can only carry trojans not active viruses and we can disable their ability to jump to another computer. Data on CDs could be infected; but we can scan them. I think that photos are unlikely to be infected and we can easily confirm.

You can protect the computer by ensuring you are running 1 firewall, 1 antivirus and 1 antimalware program. You want one of each, but no more than 1 in each category. Even with that....new viruses come out all the time and you can get infected. The best protection is behavior...don't click unknown links, don't open unknown files, don't download via torrents, etc.

It's up to you what to do. I would change passwords to email, credit card websites, bank websites, etc, from another computer that is not infected. Then, it's up to you if you prefer to format or try and clean this. I can only tell you the facts, the choice is up to you.

-etavares


 


#7 nietzscheme

nietzscheme
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Female
  • Location:CA sometimes.

Posted 04 June 2012 - 09:49 PM

I think I'll just do a complete reformat and reinstall.

But could you tell me how to scan and clean the flash drives and the cds? And how would I check if my laptop got infected via flash drive? My laptop's working fine and the Trend scan didn't come up with anything...

One last thing, there's the Windows Firewall, the Trend Anti-virus, but what's a good antimalware program?

Anyway, thanks for the advice.

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 05 June 2012 - 07:36 PM

OK, from a clean computer open My Computer to see all your drives (e.g. C:\ and D:\). You'll want to insert the CD or flash drive. Before you plug it in, hold down SHIFT. Keep holding it down until your CD or USB flash drive is recognized by Windows and shows up in the My Computer window. Then, you can let go of SHIFT. Holding it down disables autorun so nothing can launch. Once it's recognized and you let go, launch your antivirus, ensure the definitions are up to date and run a scan of the CDs and flash drives. Let it remove anything it finds. With a CD, if it's permanently written, you can't delete/quarantine files, so you can't fix it. You will have to manually ensure you copy every file but the infected ones. Hopefully nothing will be found.

For antimalware, I use the free (not the trial version, but the free version) of Malwarebytes' Anti-Malware (MBAM). MBAM is free for home use, but the free version means you'll have to run a manual scan every week or so. If you pay for the full version, you can run it in real time protection mode alongside your antivirus.

I hope that helps.

Good luck, and let me know if you have any other questions.


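Holding SHIFT only suppresses AutoRun for that one insertion. The script below is an added example (not posted by etavares or anyone in this thread) that makes the same protection permanent through the documented NoDriveTypeAutoRun policy value and then lists any autorun.inf present on removable or CD-ROM volumes so it can be inspected before the antivirus scan. It assumes an elevated PowerShell prompt on the clean machine; the drive letter in the usage line is a constructed sample.

```powershell
# Added example: audit/harden AutoRun and look for autorun.inf on removable media.
# Written for PowerShell 2.0 so it also runs on a Vista-era host.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun value, or $null when the policy is not set.
    $item = Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.NoDriveTypeAutoRun
}

function Disable-AutoRunAllDrives {
    # 0xFF sets every drive-type bit, so AutoRun is disabled for removable, fixed,
    # network and CD-ROM drives alike. Requires administrator rights.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Find-AutorunInf {
    # DriveType 2 = removable, 5 = CD-ROM. autorun.inf is often hidden, hence -Force.
    Get-WmiObject Win32_LogicalDisk |
        Where-Object { @(2, 5) -contains $_.DriveType } |
        ForEach-Object {
            $path = Join-Path $_.DeviceID 'autorun.inf'
            if (Test-Path -LiteralPath $path) { Get-Item -LiteralPath $path -Force }
        }
}

# Usage: show the policy before and after, then report autorun.inf files found.
"Before: NoDriveTypeAutoRun = $(Get-AutoRunPolicy)"
Disable-AutoRunAllDrives
"After:  NoDriveTypeAutoRun = $(Get-AutoRunPolicy)"
Find-AutorunInf | ForEach-Object {
    "autorun.inf found on $($_.Directory):"
    Get-Content -LiteralPath $_.FullName   # review what it would have launched
}
```

A reboot or Explorer restart is needed before the new policy takes effect, and a found autorun.inf is not by itself proof of infection (some legitimate CDs ship one), so the antivirus scan described above still follows.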
 


#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 30 June 2012 - 08:00 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

