
Blinking cursor and that's it!


#1 pithblitz

Posted 07 November 2012 - 11:24 AM

After being infected by some nasty malware, my computer now will not boot. I cannot even try to access F8 options. After the BIOS splash screen, all there is is a black screen with the lone blinking cursor. I docked the HDD and ran Malwarebytes, which removed a couple things, hoping removing the malware would help. Unfortunately no, and I am at my wit's end! Any help would be greatly appreciated! Thanx


#2 thisisu

Posted 08 November 2012 - 05:52 PM

Hello pithblitz :)

  • I will be helping with your computer problems.
  • From this point on, it is very important that you refrain from doing anything else to your computer other than what I have requested of you.
  • I do not mind if you browse the web, do basic tasks, or even test to see if the problem(s) you are experiencing are still occurring with the computer while we are working together, but do not run any tools/fixes unless I or another helper from this thread has asked you to do so.
  • Remember that you came here for help, so allow us to help you :)
  • If something does not run, make a detailed note of what problems you encountered along the way (exact error messages are preferred), but continue onto the next steps until you reach the end of my post.
  • Always do the steps in the order they are listed (left to right, top to bottom).
  • I prefer that you complete all the steps while you are in Normal Mode. However, I understand that sometimes this is not possible. If you are unsuccessful in getting a tool/fix to run from Normal Mode, but Safe Mode works, then use Safe Mode.
  • If you have a question about something, do not hesitate to ask.

Let's begin:

First, which operating system are you using?

If the answer is Windows XP, do you have your Windows XP installation CD or a Windows XP Recovery Console CD?

__

If the answer is Windows Vista, 7, or 8, try the following:

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please post the contents of this log into your next message.


#3 boopme

Posted 08 November 2012 - 08:43 PM

Hello, Just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

#4 pithblitz

Posted 09 November 2012 - 09:35 AM

Thank you for the help, I'm running Vista as you will see by the log. Which is.... here! :)

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-11-2012
Ran by SYSTEM at 09-11-2012 09:29:27
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe [118784 2006-11-13] (Alps Electric Co., Ltd.)
HKLM\...\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe" [411768 2007-02-07] (Sony Corporation)
HKLM\...\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [321656 2007-01-22] (Sony Corporation)
HKLM\...\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray [x]
HKLM\...\Run: [VAIO Center Access Bar] "c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [36864 2007-03-06] (Sony Electronics, Inc.)
HKLM\...\Run: [QuickBooks Simple Start] "C:\Program Files\Intuit\SimpleStartEntice\entice.exe" [371712 2007-01-30] ()
HKLM\...\Run: [HostManager] C:\Program Files\Common Files\AOL\1188348075\ee\AOLSoftware.exe [41800 2010-03-07] (AOL Inc.)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM\...\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [439568 2010-05-10] (Microsoft Corporation)
HKLM\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1318816 2012-03-21] (McAfee, Inc.)
HKLM\...\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1466760 2012-06-04] (Garmin)
HKLM\...\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" [947808 2012-10-07] ()
HKLM\...\Run: [ROC_ROC_NT] "C:\Program Files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT [856160 2012-10-07] ()
HKU\Alice\...\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun [1233920 2009-04-10] (Microsoft Corporation)
HKU\Alice\...\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [171448 2008-03-28] (Google Inc.)
HKU\Alice\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Alice\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [17420464 2012-07-13] (Skype Technologies S.A.)
HKU\Alice\...\Run: [OfmjqCWuEg.exe] C:\ProgramData\OfmjqCWuEg.exe [x]
HKU\Alice\...\Run: [VlJCNmmHFLAE7Y] C:\ProgramData\VlJCNmmHFLAE7Y.exe [x]
Winlogon\Notify\VESWinlogon: VESWinlogon.dll (Sony Corporation)
Tcpip\..\Interfaces\{A6D36191-18FF-4761-ADD0-59AE9F509F31}: [NameServer]205.188.146.145
Startup: C:\Users\Alice\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 AOL ACS; "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" [46640 2006-10-23] (AOL LLC)
2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION)
3 FDDService; C:\Windows\System32\FDDSER~1.EXE [69632 2007-03-29] ()
3 ICScsiSV; C:\Program Files\Sony\Image Converter 3\ICScsiSV.exe [75952 2007-01-26] (Sony Corporation)
3 IcVzMonLauncher; "C:\Program Files\Sony\Image Converter 3\IcVzMonLauncher.exe" [67760 2007-01-26] (Sony Corporation)
4 Image Converter video recording monitor for VAIO Entertainment; C:\Program Files\Sony\Image Converter 3\IcVzMon.exe [43184 2007-01-26] (Sony Corporation)
2 ioloSystemService; "C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe" [1028464 2012-10-03] (iolo technologies, LLC)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
4 McComponentHostService; "C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe" [237008 2011-06-17] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [362008 2012-08-23] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166288 2012-03-20] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [161632 2012-03-20] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [151880 2012-03-20] (McAfee, Inc.)
3 MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [45056 2006-12-14] (Sony Corporation)
2 MSSQL$VAIO_VEDB; "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sVAIO_VEDB [29293408 2010-12-10] (Microsoft Corporation)
3 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [57344 2006-12-14] ()
2 QBCFMonitorService; "C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe" [20480 2006-11-28] ( )
3 SonicStage Back-End Service; "C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe" [112184 2007-01-24] (Sony Corporation)
3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [69632 2006-12-14] (Sony Corporation)
3 SSScsiSV; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [75320 2007-01-24] (Sony Corporation)
2 UniversalCommunicationServer; "C:\Program Files\BERNINA\UCS\UniversalCommunicationServer.exe" [90112 2008-10-29] (FGAG)
3 VAIO Entertainment TV Device Arbitration Service; "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe" [73728 2007-01-10] (Sony Corporation)
2 VAIO Event Service; C:\Program Files\Sony\VAIO Event Service\VESMgr.exe [182392 2007-02-13] (Sony Corporation)
2 VAIOMediaPlatform-IntegratedServer-AppServer; C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe [2523136 2007-01-16] (Sony Corporation)
2 VAIOMediaPlatform-IntegratedServer-UPnP; C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [1089536 2007-01-16] (Sony Corporation)
3 VAIOMediaPlatform-UCLS-AppServer; C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe [745472 2007-01-10] (Sony Corporation)
3 VAIOMediaPlatform-UCLS-UPnP; C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [1089536 2007-01-16] (Sony Corporation)
3 Vcsw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -RunBySCM [274432 2006-11-28] (Sony Corporation)
2 vToolbarUpdater12.2.6; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [722528 2012-10-07] ()
2 VzCdbSvc; "C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe" [172032 2006-11-28] (Sony Corporation)
2 VzFw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe [135168 2006-11-28] (Sony Corporation)
2 PSI_SVC_2; "c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [x]
2 VAIOMediaPlatform-IntegratedServer-HTTP; "C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP" [x]
3 VAIOMediaPlatform-Mobile-Gateway; "C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server" [x]
3 VAIOMediaPlatform-UCLS-HTTP; "C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" [x]

==================== Drivers (Whitelisted) ====================

2 aksfridge; C:\Windows\System32\DRIVERS\aksfridge.sys [352256 2009-01-16] (Aladdin Knowledge Systems Ltd.)
3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [238208 2009-02-03] (Aladdin Knowledge Systems Ltd.)
3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [46336 2007-07-23] (Aladdin Knowledge Systems Ltd.)
3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [20480 2009-01-28] (Aladdin Knowledge Systems Ltd.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [27496 2012-10-07] (AVG Technologies)
1 Cdr4_xp; C:\Windows\System32\Drivers\Cdr4_xp.sys [9336 2007-03-15] (Sonic Solutions)
1 Cdralw2k; C:\Windows\System32\Drivers\Cdralw2k.sys [9464 2007-03-15] (Sonic Solutions)
3 cfwids; C:\Windows\System32\drivers\cfwids.sys [57600 2012-02-22] (McAfee, Inc.)
1 ElRawDisk; \??\C:\Windows\system32\drivers\ElRawDsk.sys [27080 2012-04-17] (EldoS Corporation)
2 Hardlock; C:\Windows\system32\drivers\hardlock.sys [586752 2009-02-03] (Aladdin Knowledge Systems Ltd.)
3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121544 2012-02-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180848 2012-02-22] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59456 2012-02-22] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [340920 2012-02-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464304 2012-02-22] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64912 2012-02-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87656 2012-02-22] (McAfee, Inc.)
3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [34248 2009-09-16] (McAfee, Inc.)
3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [40552 2009-09-16] (McAfee, Inc.)
1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [169608 2012-02-22] (McAfee, Inc.)
2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2012-08-02] (Raxco Software, Inc.)
3 R5U870FLx86; C:\Windows\System32\Drivers\R5U870FLx86.sys [74240 2007-03-15] (Ricoh)
3 R5U870FUx86; C:\Windows\System32\Drivers\R5U870FUx86.sys [43904 2007-03-15] (Ricoh)
3 SNC; C:\Windows\System32\Drivers\SonyNC.sys [27520 2007-01-31] (Sony Corporation)
3 SonyImgF; C:\Windows\System32\DRIVERS\SonyImgF.sys [30976 2007-03-19] (Sony Corporation)
3 STHDA; C:\Windows\System32\drivers\stwrt.sys [323584 2007-03-18] (SigmaTel, Inc.)
3 ti21sony; C:\Windows\System32\drivers\ti21sony.sys [807424 2007-02-08] (Texas Instruments)
3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-01] (America Online, Inc.)
4 blbdrive; [x]
3 IpInIp; [x]
3 mfeavfk01; [x]
3 NwlnkFlt; [x]
3 NwlnkFwd; [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-11-07 14:04 - 2012-11-07 14:04 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-11-07 10:50 - 2012-11-07 10:50 - 00000000 ____D C:\FRST
2012-11-06 14:33 - 2012-11-06 14:33 - 00000000 __SHD C:\found.000
2012-11-05 13:43 - 2012-11-05 13:43 - 304707946 ____A C:\Windows\MEMORY.DMP
2012-11-05 13:43 - 2012-11-05 13:43 - 00138352 ____A C:\Windows\Minidump\Mini110512-01.dmp
2012-11-05 10:33 - 2012-11-05 10:33 - 00000605 ____A C:\Users\Alice\Desktop\File_Restore.lnk

==================== One Month Modified Files and Folders ========

2012-11-07 14:04 - 2012-11-07 14:04 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-11-07 10:50 - 2012-11-07 10:50 - 00000000 ____D C:\FRST
2012-11-06 14:33 - 2012-11-06 14:33 - 00000000 __SHD C:\found.000
2012-11-06 07:12 - 2006-11-02 05:01 - 00032572 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-06 07:12 - 2006-11-02 05:01 - 00000006 ____A C:\Windows\Tasks\SA.DAT
2012-11-06 07:12 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-06 07:12 - 2006-11-02 04:47 - 00003568 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-06 07:08 - 2010-05-28 08:40 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-11-05 15:04 - 2010-05-28 08:40 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-11-05 15:00 - 2012-04-05 19:30 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-11-05 14:44 - 2006-11-02 02:33 - 00783082 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-05 14:38 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool
2012-11-05 13:43 - 2012-11-05 13:43 - 304707946 ____A C:\Windows\MEMORY.DMP
2012-11-05 13:43 - 2012-11-05 13:43 - 00138352 ____A C:\Windows\Minidump\Mini110512-01.dmp
2012-11-05 13:43 - 2007-12-07 15:44 - 00000000 ____D C:\Windows\Minidump
2012-11-05 12:05 - 2011-10-10 12:59 - 00000000 ____D C:\Users\Alice\AppData\Roaming\Skype
2012-11-05 12:01 - 2012-06-27 08:38 - 00063776 ____A C:\Windows\PFRO.log
2012-11-05 10:45 - 2007-08-28 15:57 - 01573209 ____A C:\Windows\WindowsUpdate.log
2012-11-05 10:33 - 2012-11-05 10:33 - 00000605 ____A C:\Users\Alice\Desktop\File_Restore.lnk
2012-11-03 07:45 - 2008-11-03 09:34 - 00000402 ____A C:\Windows\Tasks\ErrorSmart Scheduled Scan.job
2012-10-10 13:07 - 2010-05-28 08:42 - 00001931 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-10-10 06:24 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
2012-10-10 05:34 - 2006-11-02 02:24 - 62968832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-10-10 05:30 - 2007-04-02 10:58 - 00000000 ____D C:\Program Files\InstallShield Installation Information

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 2037.81 MB
Available physical RAM: 1627.54 MB
Total Pagefile: 1854.13 MB
Available Pagefile: 1705.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1982.35 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:179.32 GB) (Free:126.92 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
3 Drive e: (Recovery) (Fixed) (Total:6.99 GB) (Free:0.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:14.9 GB) (Free:13.3 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 186 GB 993 KB
Disk 1 Online 15 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 7160 MB 1024 KB
Partition 2 Primary 179 GB 7161 MB
Partition 3 Primary 1016 KB 186 GB

=========================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 7160 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 179 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 16 KB

=========================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F FAT32 Removable 15 GB Healthy

=========================================================

Last Boot: 2012-11-05 14:52

==================== End Of Log ============================

#5 thisisu

Posted 09 November 2012 - 03:14 PM

We need to perform an additional scan while you are in the Recovery Environment (just like you did with FRST).

  • Download ListParts to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...


  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Back in the command window ....
  • Type e:\listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • ListParts will start to run.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • Post me the Result.txt log please.

#6 pithblitz

Posted 12 November 2012 - 09:30 AM

ListParts by Farbar Version: 30-10-2012
Ran by SYSTEM (administrator) on 12-11-2012 at 09:23:01
Windows Vista (X86)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 2037.81 MB
Available physical RAM: 1740.37 MB
Total Pagefile: 1854.13 MB
Available Pagefile: 1733.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.57 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:179.32 GB) (Free:126.93 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
3 Drive e: (Recovery) (Fixed) (Total:6.99 GB) (Free:0.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:14.9 GB) (Free:13.3 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 186 GB 993 KB
Disk 1 Online 15 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 7160 MB 1024 KB
Partition 2 Primary 179 GB 7161 MB
Partition 3 Primary 1016 KB 186 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 7160 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 179 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 F FAT32 Removable 15 GB Healthy

======================================================================================================

****** End Of Log ******

#7 thisisu

Posted 12 November 2012 - 02:41 PM

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine can be disastrous to your operating system

Attached is: fix.txt (81 bytes)
Save this file to your flash drive.
You should now have both fix.txt and ListParts.exe on the flash drive.
Now insert the flash drive into the infected computer.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...


  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Back in the command window ....
  • Type e:\listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
  • ListParts will start to run.
  • Press the Fix button.
  • ListParts will process the script in Fix.txt
  • When finished please press the Scan button.
  • A log Result.txt will be saved to the flash drive.
  • Close the command window.
  • Attempt to boot normally and post me the Result.txt log please.

Edited by thisisu, 12 November 2012 - 02:43 PM.


#8 pithblitz

Posted 12 November 2012 - 03:41 PM

Successful boot! Here's the log as well.

ListParts by Farbar Version: 30-10-2012
Ran by SYSTEM (administrator) on 12-11-2012 at 15:36:46
Windows Vista (X86)
Running From: F:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 2037.81 MB
Available physical RAM: 1737.6 MB
Total Pagefile: 1854.13 MB
Available Pagefile: 1732.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.57 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:179.32 GB) (Free:126.93 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
3 Drive e: (Recovery) (Fixed) (Total:6.99 GB) (Free:0.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:14.9 GB) (Free:13.3 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 186 GB 993 KB
Disk 1 Online 15 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 7160 MB 1024 KB
Partition 2 Primary 179 GB 7161 MB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 7160 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C NTFS Partition 179 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 15 GB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 F FAT32 Removable 15 GB Healthy

======================================================================================================

****** End Of Log ******
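
An added example, not code from this thread or from Farbar's tools, showing how the condition visible in the two ListParts logs above can be recognised programmatically: the active (bootable) entry in the MBR partition table was a tiny, hidden-type (17) partition with no volume, and after the fix it is gone with partition 2 (C:) active instead. The MBR bytes are constructed to mirror the logged layout; the hidden-type table and the size threshold are my own assumptions.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446            # first of the four 16-byte MBR partition entries
ENTRY_FMT = "<B3sB3sII"       # boot flag, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"
MIB = 1024 * 1024 // SECTOR   # sectors per MiB

# "Hidden" variants of the common FAT/NTFS type IDs (base ID + 0x10).
# 0x17 is hidden NTFS/HPFS, the type ListParts reported as suspicious above.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of a classic (non-GPT) MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        flag, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0x00:
            continue  # unused slot
        entries.append({"index": i + 1, "active": flag == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def active_indexes(entries: list) -> list:
    """Indexes (1-based) of entries carrying the 0x80 boot flag."""
    return [e["index"] for e in entries if e["active"]]


def find_suspicious(entries: list, max_active_kb: int = 4096) -> list:
    """Flag entries matching the pattern in the logs: the active partition is of a
    hidden type and/or far too small to hold an operating system (threshold assumed)."""
    findings = []
    for e in entries:
        reasons = []
        if e["active"] and e["type"] in HIDDEN_TYPES:
            reasons.append("active flag on hidden-type partition 0x%02X" % e["type"])
        size_kb = e["sectors"] * SECTOR // 1024
        if e["active"] and size_kb <= max_active_kb:
            reasons.append("active partition is only %d KB" % size_kb)
        if reasons:
            findings.append((e["index"], reasons))
    return findings


def build_mbr(layout: list) -> bytes:
    """Assemble a 512-byte MBR from (active, type, lba_start, sectors) tuples.
    Only used here to construct sample input; CHS fields get the usual
    LBA-only placeholder FE FF FF."""
    mbr = bytearray(SECTOR)
    for i, (active, ptype, lba, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + i * 16,
                         0x80 if active else 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Constructed sample data mirroring the ListParts output in this thread.
INFECTED_MBR = build_mbr([
    (False, 0x27, 1 * MIB, 7160 * MIB),           # OEM recovery (E:), hidden, at 1024 KB
    (False, 0x07, 7161 * MIB, 179 * 1024 * MIB),  # Windows (C:), not active
    (True, 0x17, 186 * 1024 * MIB, 2032),         # 1016 KB hidden NTFS, active: suspicious
])
CLEANED_MBR = build_mbr([
    (False, 0x27, 1 * MIB, 7160 * MIB),
    (True, 0x07, 7161 * MIB, 179 * 1024 * MIB),   # after the fix: C: is active again
])

if __name__ == "__main__":
    for name, blob in (("before fix", INFECTED_MBR), ("after fix", CLEANED_MBR)):
        parts = parse_mbr(blob)
        print(name, "active:", active_indexes(parts), "findings:", find_suspicious(parts))
```

On a real system the 512 bytes would come from reading sector 0 of the physical disk offline (for example from a forensic image), which is why the check is run from outside the installed OS.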

#9 thisisu

Posted 12 November 2012 - 03:50 PM

Great :thumbup2:

__

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.
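The mbar-log file the steps above ask you to post is a plain-text report, and reading two of them side by side (the cleaning scan and the verification scan) is how a helper decides whether Cleanup actually stuck. As an added example, not code from this thread or from Malwarebytes, here is a small Python script that parses the detection sections of such a report, tallies hits per family, lists the objects queued for "Delete on reboot" (which the verification scan will report again if the machine was not restarted), flags section headers whose declared count does not match the lines present (the usual sign of a truncated paste), and compares the first scan with the verification scan. The line layout it expects and the two sample reports embedded in it are assumptions modelled on the logs posted in this thread; the sample values are constructed.

```python
"""Triage helper for Malwarebytes Anti-Rootkit text reports (mbar-log-*.txt).

Added example for this thread, not Malwarebytes' own code.  It assumes the
detection-line layout seen in the logs posted here:
    <object> (<family>) [-> <detail>] -> <action>. [<32 hex chars>]
grouped under headers such as "Registry Keys Detected: 5" and ended by "(end)".
The two sample reports at the bottom are constructed for the demo.
"""
import re
from collections import Counter

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(
    r"^(?P<object>.*?) \((?P<family>[\w.]+)\) -> "  # registry key or path, then family
    r"(?:(?P<detail>.*?) -> )?"                      # optional "Bad: (..) Good: (..)" / "Data:"
    r"(?P<action>[^.\[]+?)\. \[(?P<id>[0-9a-f]{32})\]$"
)


def parse_mbar_log(text):
    """Return (detections, problems).

    detections: one dict per detection line (section, object, family, detail,
    action, id).  problems: section headers whose declared count differs from
    the lines present, or lines that did not parse; either usually means a
    truncated or mangled paste rather than a clean scan.
    """
    detections, problems = [], []
    section, declared, seen = None, 0, 0

    def close_section():  # reads the loop variables at call time
        if section is not None and seen != declared:
            problems.append(f"{section}: header says {declared}, found {seen}")

    for raw in text.splitlines():
        line = raw.strip()
        if line == "(end)":
            break
        header = SECTION_RE.match(line)
        if header:
            close_section()
            section = header.group("section")
            declared, seen = int(header.group("count")), 0
            continue
        if section is None or not line or line.startswith("("):
            continue  # preamble, blank lines, "(No malicious items detected)"
        item = ITEM_RE.match(line)
        if item is None:
            problems.append(f"{section}: unparsed line: {line}")
            continue
        seen += 1
        detections.append({"section": section, **item.groupdict()})
    close_section()
    return detections, problems


def family_counts(detections):
    """Hits per detection family, e.g. Counter({'Trojan.Zlob': 3})."""
    return Counter(d["family"] for d in detections)


def reboot_pending(detections):
    """Objects removed only at the next restart; a verification scan run
    without that reboot will list them again."""
    return [d["object"] for d in detections if d["action"] == "Delete on reboot"]


def compare_scans(first_text, second_text):
    """Split the verification scan's hits into ones already seen in the first
    scan (cleanup did not stick) and ones that are new."""
    before = {d["object"] for d in parse_mbar_log(first_text)[0]}
    after, _ = parse_mbar_log(second_text)
    return {
        "persisted": [d["object"] for d in after if d["object"] in before],
        "new": [d["object"] for d in after if d["object"] not in before],
    }


# Constructed sample of a first (cleaning) scan; hashes and paths are made up.
FIRST_SCAN = r"""
Scan type: Quick scan
Objects scanned: 12345

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\ExampleRogue (Rogue.Example) -> Delete on reboot. [00112233445566778899aabbccddeeff]
HKCR\example.chl (Trojan.Example) -> Delete on reboot. [ffeeddccbbaa99887766554433221100]

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.example.test (Trojan.Example) -> Data: -> Delete on reboot. [0123456789abcdef0123456789abcdef]

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page (Hijack.SearchPage) -> Bad: (http://search.example.test) Good: (http://www.Google.com/) -> Delete on reboot. [aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa]
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Delete on reboot. [ffffffffffffffffffffffffffffffff]

Files Detected: 2
C:\Program Files (x86)\Applications\example.ico (Trojan.Example) -> Delete on reboot. [12121212121212121212121212121212]
C:\Users\user\Favorites\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully. [34343434343434343434343434343434]

(end)
"""

# Constructed verification scan: one item from the first scan is still there.
SECOND_SCAN = r"""
Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\user\Favorites\Antivirus Scan.url (Rogue.Link) -> Delete on reboot. [34343434343434343434343434343434]

(end)
"""

if __name__ == "__main__":
    hits, notes = parse_mbar_log(FIRST_SCAN)
    print(family_counts(hits), notes)
    print("pending reboot:", reboot_pending(hits))
    print("after cleanup:", compare_scans(FIRST_SCAN, SECOND_SCAN))
```

Feed it the real files with `parse_mbar_log(open(path).read())`; anything listed under "persisted" after the verification scan is exactly what the step above says should trigger another Cleanup pass, and a non-empty `problems` list means ask for the log to be re-pasted before reading anything into it.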

#10 pithblitz

  • Topic Starter
  • Members
  • 23 posts

Posted 12 November 2012 - 06:52 PM

Moving along great! Here are the two you asked for....

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.12.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Alice :: ALICE-PC [administrator]

11/12/2012 5:56:50 PM
mbar-log-2012-11-12 (17-56-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 29765
Time elapsed: 1 hour(s), 17 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302} (Search.Hijacker) -> Delete on reboot. [9b0092231d40181e60434cee6a98f907]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034A523-D068-4BE8-A284-9DF278BE776E} (Trojan.Zlob) -> Delete on reboot. [cfcc6e473f1ea4926262db6e0200f808]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E} (Trojan.Zlob) -> Delete on reboot. [cfcc6e473f1ea4926262db6e0200f808]
HKCR\multimediaControls.chl (Trojan.Zlob) -> Delete on reboot. [dcbf585d114c5fd7833c9544e51dbf41]
HKCU\SOFTWARE\ErrorSmart (Rogue.ErrorSmart) -> Delete on reboot. [c1da595c0d50979f01eab12b18eabd43]

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.securewebinfo.com (Trojan.Zlob) -> Data: -> Delete on reboot. [8a11556083da7abc2724637be81a1be5]
HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.safetyincludes.com (Trojan.Zlob) -> Data: -> Delete on reboot. [c4d7b6ff3b220b2b87c2cb1306fc1de3]
HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.securemanaging.com (Trojan.Zlob) -> Data: -> Delete on reboot. [4b50189dc796979fb2981ec0e81af709]

Registry Data Items Detected: 18
HKCU\SOFTWARE\Microsoft\Internet Explorer|SearchURL (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com) Good: (http://www.Google.com/) -> Delete on reboot. [c9d2a2138ad366d0a1886eb14fb5da26]
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com) Good: (http://www.Google.com/) -> Delete on reboot. [6c2f466f78e5a6903ad597880cf830d0]
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Search Bar (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.Google.com/) -> Delete on reboot. [84179b1a4a13d85e09fabe61eb19ad53]
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> Delete on reboot. [356695205ffe90a6aa6e74abc04452ae]
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com) Good: (http://www.Google.com/) -> Delete on reboot. [4f4c783d2d30f04647b2b36b877dc937]
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search|SearchAssistant (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com) Good: (http://www.Google.com/) -> Delete on reboot. [75263e77c09d191d75aaf12e8a7a639d]
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w| (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.Google.com/) -> Delete on reboot. [118a575edb82fc3a3bea28f7986ccb35]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Delete on reboot. [58430fa686d7d165e212c15e3bc90cf4]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Delete on reboot. [4457b00565f87eb81cdbe03f0ff53ac6]
HKLM\SOFTWARE\Microsoft\Internet Explorer|SearchURL (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com) Good: (http://www.Google.com/) -> Delete on reboot. [4c4f9a1b5508290df26371ae1ee620e0]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com) Good: (http://www.Google.com/) -> Delete on reboot. [a2f96a4be57868ce5bd7100f1ee63bc5]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com) Good: (http://www.Google.com/) -> Delete on reboot. [c4d774412f2e6ec8350dc659ec18a25e]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> Delete on reboot. [19827540adb0979fd177d04f8b790000]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Bar (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.Google.com/) -> Delete on reboot. [673415a0b1ac0f274fe843dc42c2bb45]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search|SearchAssistant (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com) Good: (http://www.Google.com/) -> Delete on reboot. [dcbf7c3945181620e569928d02029868]
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w| (Hijack.SearchPage) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.Google.com/) -> Delete on reboot. [415a3d789ebfe650aaa9d14e9f65629e]
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Delete on reboot. [ffffffffffffffffffffffffffffffff]
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Delete on reboot. [ffffffffffffffffffffffffffffffff]

Folders Detected: 4
C:\Users\Alice\AppData\Roaming\ErrorSmart (Rogue.ErrorSmart) -> Delete on reboot. [84173c798ecff83efd2fc28bd82a1ae6]
C:\Users\Alice\AppData\Roaming\ErrorSmart\Log (Rogue.ErrorSmart) -> Delete on reboot. [84173c798ecff83efd2fc28bd82a1ae6]
C:\Users\Alice\AppData\Roaming\ErrorSmart\Registry Backups (Rogue.ErrorSmart) -> Delete on reboot. [84173c798ecff83efd2fc28bd82a1ae6]
C:\Windows\System32\512686 (Trojan.BHO) -> Delete on reboot. [debdc7ee4716e056958b83d454aecb35]

Files Detected: 15
C:\Users\Alice\Favorites\Antivirus Scan.url (Rogue.Link) -> Delete on reboot. [b5e64471c29bc4726acc276e51b1cd33]
C:\Users\Alice\Documents\My Music\My Music.url (Trojan.Zlob) -> Delete on reboot. [0893d9dc8cd191a57f2c068f6a9807f9]
C:\Users\Alice\Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Delete on reboot. [bae12b8ab4a94aec10a4c3d2936fe719]
C:\Users\Alice\Documents\My Videos\My Video.url (Trojan.Zlob) -> Delete on reboot. [3a61ddd8ff5e0b2b16a7a8edcf337c84]
C:\Program Files\Applications\myd.ico (Trojan.Zlob) -> Delete on reboot. [0596a60f87d632045e19276f0ff30df3]
C:\Program Files\Applications\mym.ico (Trojan.Zlob) -> Delete on reboot. [4259b302d489ed49bbbde2b4b949fe02]
C:\Program Files\Applications\myp.ico (Trojan.Zlob) -> Delete on reboot. [316ae4d16af3ee483445b5e1b9492fd1]
C:\Program Files\Applications\myv.ico (Trojan.Zlob) -> Delete on reboot. [b7e48a2bc4991521a4d68f0734cee21e]
C:\Program Files\Applications\ot.ico (Trojan.Zlob) -> Delete on reboot. [a4f76e47362721156912d9bdd72bb54b]
C:\Program Files\Applications\ts.ico (Trojan.Zlob) -> Delete on reboot. [9b005d588bd2cf67a2da10869e64c43c]
C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Delete on reboot. [a9f28134164789ade67c2c7b4cb6847c]
C:\ProgramData\Microsoft\Windows\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Delete on reboot. [bedd9b1a4e0f96a015a3792eb34f847c]
C:\Windows\Tasks\ErrorSmart Scheduled Scan.job (Rogue.ErrorSmart) -> Delete on reboot. [801bd9dce37a62d4d30125af42c07888]
C:\Users\Alice\AppData\Roaming\ErrorSmart\Log\2008 Nov 03 - 12_34_08 PM_324.log (Rogue.ErrorSmart) -> Delete on reboot. [84173c798ecff83efd2fc28bd82a1ae6]
C:\Users\Alice\AppData\Roaming\ErrorSmart\Registry Backups\2008-11-03_12-35-45.reg (Rogue.ErrorSmart) -> Delete on reboot. [84173c798ecff83efd2fc28bd82a1ae6]

(end)
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_26

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.795000 GHz
Memory total: 2136678400, free: 647049216

------------ Kernel report ------------
11/12/2012 16:30:11
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\DRIVERS\pcmcia.sys
\SystemRoot\system32\DRIVERS\pciide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\System32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\yk60x86.sys
\SystemRoot\system32\DRIVERS\ohci1394.sys
\SystemRoot\system32\DRIVERS\1394BUS.SYS
\SystemRoot\system32\drivers\ti21sony.sys
\SystemRoot\System32\Drivers\SonyNC.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\Apfiltr.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\SonyImgF.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\wanatw4.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\stwrt.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\HSXHWAZL.sys
\SystemRoot\system32\DRIVERS\HSX_DPV.sys
\SystemRoot\system32\DRIVERS\HSX_CNXT.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\System32\Drivers\Cdr4_xp.SYS
\SystemRoot\System32\Drivers\Cdralw2k.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\Windows\system32\drivers\avgtpx86.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\mfewfpk.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\mfenlfk.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\nsiproxy.sys
\??\C:\Windows\system32\drivers\ElRawDsk.sys
\SystemRoot\System32\Drivers\R5U870FLx86.sys
\SystemRoot\system32\DRIVERS\DMICall.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\System32\Drivers\R5U870FUx86.sys
\SystemRoot\system32\drivers\mfeavfk.sys
\SystemRoot\system32\drivers\mfefirek.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\PDFsFilter.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\aksfridge.sys
\SystemRoot\system32\drivers\hardlock.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\system32\drivers\regi.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\xaudio.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\WUDFPf.sys
\SystemRoot\system32\DRIVERS\NETw4v32.sys
\SystemRoot\system32\drivers\mfeapfk.sys
\SystemRoot\system32\drivers\mfebopk.sys
\SystemRoot\system32\drivers\cfwids.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\system32\drivers\mferkdet.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xffffffff8cc5a7e0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000077\
Lower Device Object: 0xffffffff8cc53c60
Lower Device Driver Name: \Driver\ti21sony\
Driver name found: ti21sony
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8cce48c0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000076\
Lower Device Object: 0xffffffff8cc5f628
Lower Device Driver Name: \Driver\ti21sony\
Driver name found: ti21sony
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff86ab4ac8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff85f0b030
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
DriverEntry returned 0x0
Function returned 0x0
Host not found
Host not found
Downloaded database version: v2012.11.12.07
Downloaded database version: v2012.11.09.02
Initializing...
Done!
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86ab4ac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86ab4748, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff86ab4ac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff85a166a8, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85f0b030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
------------ End ----------
Upper DeviceData: 0xffffffffce8d86d8, 0xffffffff86ab4ac8, 0xffffffff86963040
Lower DeviceData: 0xffffffffc8940c78, 0xffffffff85f0b030, 0xffffffff86a22f08
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: DC79474A

Partition information:

Partition 0 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 14663680

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 14665728 Numsec = 376054192
Partition file system is NTFS
Partition is bootable

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 200049647616 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-390701968-390721968)...
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8cce48c0, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8cce4500, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8cce48c0, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff8cc5f628, DeviceName: \Device\00000076\, DriverName: \Driver\ti21sony\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff8cc5a7e0, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8cc749d0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8cc5a7e0, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff8cc53c60, DeviceName: \Device\00000077\, DriverName: \Driver\ti21sony\
------------ End ----------
Done!
Performing system, memory and registry scan...
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302} --> [Search.Hijacker]
Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034A523-D068-4BE8-A284-9DF278BE776E} --> [Trojan.Zlob]
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E} --> [Trojan.Zlob]
Infected: C:\Users\Alice\Favorites\Antivirus Scan.url --> [Rogue.Link]
Infected: C:\Users\Alice\Documents\My Music\My Music.url --> [Trojan.Zlob]
Infected: C:\Users\Alice\Documents\My Pictures\My Pictures.url --> [Trojan.Zlob]
Infected: C:\Users\Alice\Documents\My Videos\My Video.url --> [Trojan.Zlob]
Infected: C:\Program Files\Applications\myd.ico --> [Trojan.Zlob]
Infected: C:\Program Files\Applications\mym.ico --> [Trojan.Zlob]
Infected: C:\Program Files\Applications\myp.ico --> [Trojan.Zlob]
Infected: C:\Program Files\Applications\myv.ico --> [Trojan.Zlob]
Infected: C:\Program Files\Applications\ot.ico --> [Trojan.Zlob]
Infected: C:\Program Files\Applications\ts.ico --> [Trojan.Zlob]
Infected: C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Scan.url --> [Trojan.Zlob]
Infected: C:\ProgramData\Microsoft\Windows\Start Menu\Online Spyware Test.url --> [Trojan.Zlob]
Infected: C:\Windows\Tasks\ErrorSmart Scheduled Scan.job --> [Rogue.ErrorSmart]
Infected: HKCR\multimediaControls.chl --> [Trojan.Zlob]
Infected: HKCU\SOFTWARE\ErrorSmart --> [Rogue.ErrorSmart]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.securewebinfo.com --> [Trojan.Zlob]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.safetyincludes.com --> [Trojan.Zlob]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.securemanaging.com --> [Trojan.Zlob]
Infected: C:\Users\Alice\AppData\Roaming\ErrorSmart --> [Rogue.ErrorSmart]
Infected: C:\Users\Alice\AppData\Roaming\ErrorSmart\Log --> [Rogue.ErrorSmart]
Infected: C:\Users\Alice\AppData\Roaming\ErrorSmart\Log\2008 Nov 03 - 12_34_08 PM_324.log --> [Rogue.ErrorSmart]
Infected: C:\Users\Alice\AppData\Roaming\ErrorSmart\Registry Backups --> [Rogue.ErrorSmart]
Infected: C:\Users\Alice\AppData\Roaming\ErrorSmart\Registry Backups\2008-11-03_12-35-45.reg --> [Rogue.ErrorSmart]
Infected: C:\Windows\System32\512686 --> [Trojan.BHO]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer|SearchURL --> [Hijack.SearchPage]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page --> [Hijack.SearchPage]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Search Bar --> [Hijack.SearchPage]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|SearchMigratedDefaultURL --> [Hijack.SearchPage]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL --> [Hijack.SearchPage]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\Search|SearchAssistant --> [Hijack.SearchPage]
Infected: HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w| --> [Hijack.SearchPage]
Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer --> [PUM.Hijack.StartMenu]
Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch --> [PUM.Hijack.StartMenu]
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer|SearchURL --> [Hijack.SearchPage]
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Default_Search_URL --> [Hijack.SearchPage]
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Page --> [Hijack.SearchPage]
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|SearchMigratedDefaultURL --> [Hijack.SearchPage]
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Search Bar --> [Hijack.SearchPage]
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\Search|SearchAssistant --> [Hijack.SearchPage]
Infected: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w| --> [Hijack.SearchPage]
Infected: HKCR\scrfile\shell\open\command| --> [Broken.OpenCommand]
Infected: HKCR\regfile\shell\open\command| --> [Broken.OpenCommand]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Removal scheduling successful. System shutdown needed.
System shutdown occured
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_26

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.795000 GHz
Memory total: 2136678400, free: 1137180672

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_26

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.795000 GHz
Memory total: 2136678400, free: 1064534016

------------ Kernel report ------------
11/12/2012 18:14:29
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\DRIVERS\pcmcia.sys
\SystemRoot\system32\DRIVERS\pciide.sys
\SystemRoot\system32\DRIVERS\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\System32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\yk60x86.sys
\SystemRoot\system32\DRIVERS\ohci1394.sys
\SystemRoot\system32\DRIVERS\1394BUS.SYS
\SystemRoot\system32\drivers\ti21sony.sys
\SystemRoot\System32\Drivers\SonyNC.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\Apfiltr.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\SonyImgF.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\wanatw4.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\stwrt.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\HSXHWAZL.sys
\SystemRoot\system32\DRIVERS\HSX_DPV.sys
\SystemRoot\system32\DRIVERS\HSX_CNXT.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\System32\Drivers\Cdr4_xp.SYS
\SystemRoot\System32\Drivers\Cdralw2k.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\Windows\system32\drivers\avgtpx86.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\mfewfpk.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\System32\Drivers\R5U870FLx86.sys
\SystemRoot\system32\DRIVERS\mfenlfk.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\System32\Drivers\R5U870FUx86.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\??\C:\Windows\system32\drivers\ElRawDsk.sys
\SystemRoot\system32\DRIVERS\DMICall.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\mfeavfk.sys
\SystemRoot\system32\drivers\mfefirek.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\PDFsFilter.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\aksfridge.sys
\SystemRoot\system32\drivers\hardlock.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\DRIVERS\mdmxsdk.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\system32\drivers\regi.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\WUDFPf.sys
\SystemRoot\system32\DRIVERS\xaudio.sys
\SystemRoot\system32\drivers\mfeapfk.sys
\SystemRoot\system32\drivers\mfebopk.sys
\SystemRoot\system32\drivers\cfwids.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\system32\DRIVERS\NETw4v32.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xffffffff8d2441d8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000077\
Lower Device Object: 0xffffffff8d2fe308
Lower Device Driver Name: \Driver\ti21sony\
Driver name found: ti21sony
DriverEntry returned 0x0
Function returned 0x0
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8d38a808
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000076\
Lower Device Object: 0xffffffff8d246c60
Lower Device Driver Name: \Driver\ti21sony\
Driver name found: ti21sony
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff868266a8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-0\
Lower Device Object: 0xffffffff85f0b030
Lower Device Driver Name: \Driver\iaStor\
Driver name found: iaStor
DriverEntry returned 0x0
Function returned 0x0
Initializing...
Done!
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff868266a8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff868262c8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff868266a8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff85a166a8, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85f0b030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
------------ End ----------
Upper DeviceData: 0xffffffffbd925988, 0xffffffff868266a8, 0xffffffff85579ac8
Lower DeviceData: 0xffffffffbd91c3a8, 0xffffffff85f0b030, 0xffffffff8d29d810
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: DC79474A

Partition information:

Partition 0 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 2048 Numsec = 14663680

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 14665728 Numsec = 376054192
Partition file system is NTFS
Partition is bootable

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 200049647616 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-390701968-390721968)...
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8d38a808, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8d38a4f0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8d38a808, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff8d246c60, DeviceName: \Device\00000076\, DriverName: \Driver\ti21sony\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff8d2441d8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8d297d18, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8d2441d8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff8d2fe308, DeviceName: \Device\00000077\, DriverName: \Driver\ti21sony\
------------ End ----------
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================

#11 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:38 AM

Posted 12 November 2012 - 07:04 PM

Please download OTL.

  • Save it to your desktop.
  • Right mouse click on the OTL icon on your desktop and select Run as Administrator
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the text-field.

    baseservices
    
  • Now click the button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Paste the contents of OTL.txt here for me to review but attach Extras.txt


#12 pithblitz

pithblitz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:07:38 AM

Posted 13 November 2012 - 10:18 AM

OTL logfile created on: 11/13/2012 9:39:11 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Alice\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 52.64% Memory free
4.21 Gb Paging File | 2.58 Gb Available in Paging File | 61.21% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 179.32 Gb Total Space | 125.29 Gb Free Space | 69.87% Space Free | Partition Type: NTFS

Computer Name: ALICE-PC | User Name: Alice | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/13 09:23:29 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Alice\Desktop\OTL.exe
PRC - [2012/10/07 12:20:29 | 000,722,528 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe
PRC - [2012/10/07 12:20:28 | 000,982,624 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\ScriptHelperInstaller\12.2.6\ScriptHelper.exe
PRC - [2012/10/07 12:20:26 | 000,947,808 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2012/10/03 14:33:22 | 001,028,464 | ---- | M] (iolo technologies, LLC) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
PRC - [2012/07/27 15:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/06/04 11:31:40 | 001,466,760 | ---- | M] (Garmin) -- C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
PRC - [2012/03/21 23:16:10 | 001,318,816 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2012/03/20 15:11:32 | 000,151,880 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2012/03/20 15:05:00 | 000,161,632 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2012/03/20 15:04:32 | 000,166,288 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2011/02/25 09:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2011/01/27 20:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2010/03/08 02:27:49 | 000,041,800 | ---- | M] (AOL Inc.) -- C:\Program Files\Common Files\AOL\1188348075\ee\aolsoftware.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/28 10:52:46 | 002,790,400 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\Windows\System32\hasplms.exe
PRC - [2008/10/29 03:12:08 | 000,090,112 | R--- | M] (FGAG) -- C:\Program Files\BERNINA\UCS\UniversalCommunicationServer.exe
PRC - [2008/03/28 09:55:59 | 000,171,448 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/03/26 18:17:30 | 000,923,768 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
PRC - [2007/03/06 17:22:00 | 000,036,864 | ---- | M] (Sony Electronics, Inc.) -- C:\Program Files\Sony\VAIO Center Access Bar\VCAB.exe
PRC - [2007/03/06 12:52:28 | 003,683,648 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Service Utility\VAIO-SUTOOL.exe
PRC - [2007/02/27 11:50:42 | 000,469,112 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
PRC - [2007/02/13 17:19:48 | 000,182,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2007/02/13 17:19:48 | 000,100,472 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
PRC - [2007/02/07 21:43:50 | 000,411,768 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
PRC - [2007/02/05 13:22:08 | 000,546,936 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
PRC - [2007/01/22 22:39:32 | 000,321,656 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
PRC - [2007/01/16 16:05:00 | 002,523,136 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
PRC - [2007/01/16 16:05:00 | 001,089,536 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
PRC - [2007/01/10 12:43:24 | 000,073,728 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
PRC - [2007/01/08 19:06:40 | 000,397,312 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
PRC - [2006/12/19 20:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [2006/11/28 21:27:46 | 000,274,432 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
PRC - [2006/11/28 21:09:58 | 000,135,168 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
PRC - [2006/11/28 21:09:46 | 000,172,032 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
PRC - [2006/11/13 07:32:52 | 000,118,784 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2006/11/13 07:32:52 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2006/11/13 07:32:49 | 000,042,544 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
PRC - [2006/10/23 07:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\acs\AOLacsd.exe


========== Modules (No Company Name) ==========

MOD - [2012/11/13 09:16:43 | 000,130,560 | ---- | M] () -- C:\Users\Alice\AppData\Local\Temp\b502a735d92c40ecbe93c594275ebb0a\http.dll
MOD - [2012/11/13 09:16:42 | 000,155,648 | ---- | M] () -- C:\Users\Alice\AppData\Local\Temp\b502a735d92c40ecbe93c594275ebb0a\filesys.dll
MOD - [2012/10/07 12:20:32 | 000,564,832 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\DNTInstaller\12.2.6\avgdttbx.dll
MOD - [2012/10/07 12:20:30 | 000,132,704 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\12.2.6\SiteSafety.dll
MOD - [2012/10/07 12:20:28 | 000,982,624 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\ScriptHelperInstaller\12.2.6\ScriptHelper.exe
MOD - [2012/10/07 12:20:26 | 000,947,808 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
MOD - [2012/10/07 12:20:25 | 001,734,240 | ---- | M] () -- C:\Program Files\AVG Secure Search\12.2.5.34\AVG Secure Search_toolbar.dll
MOD - [2012/08/19 19:18:48 | 000,393,216 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\4837a5c6204d53e7aa4f7dd94b98207c\System.Xml.Linq.ni.dll
MOD - [2012/08/19 19:18:47 | 001,782,272 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\d234eceae699d070b5a5712ce776c01f\System.Xaml.ni.dll
MOD - [2012/08/19 19:09:44 | 013,198,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\3971e166cf827b6726e142f344061dc9\System.Windows.Forms.ni.dll
MOD - [2012/08/19 19:04:31 | 018,000,896 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\199683f6e79076b634ee6cc0a82c0654\PresentationFramework.ni.dll
MOD - [2012/08/19 19:04:13 | 000,595,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\a5fa2a1cfc6e9fdc39d9a8f2baa57bc9\PresentationFramework.Aero.ni.dll
MOD - [2012/08/19 19:04:10 | 011,451,904 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\e7dc084827f8df2dbdc819db5c633a0d\PresentationCore.ni.dll
MOD - [2012/08/19 19:03:54 | 003,858,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\21f37f9f5162af7efb52169012bd111e\WindowsBase.ni.dll
MOD - [2012/08/19 18:55:44 | 001,666,048 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\8c40f40ef36622109793788049fbe9ab\System.Drawing.ni.dll
MOD - [2012/08/19 18:46:07 | 000,736,768 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Security\5a3beae8b211b91bfc620c029cf4c2d4\System.Security.ni.dll
MOD - [2012/08/19 18:46:03 | 007,069,184 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\ed91b57205429a23bb91f4499059a459\System.Core.ni.dll
MOD - [2012/08/19 18:46:01 | 005,617,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d1f299160424bad90fe9f658661389e2\System.Xml.ni.dll
MOD - [2012/08/19 18:45:52 | 009,091,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\6f9f0467e8b2dd3f69b015c8e30ac945\System.ni.dll
MOD - [2012/08/19 18:45:39 | 014,412,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\3953b1d8b9b57e4957bff8f58145384e\mscorlib.ni.dll
MOD - [2012/06/18 22:25:58 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll
MOD - [2012/06/18 22:25:47 | 001,592,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll
MOD - [2012/05/15 10:26:23 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
MOD - [2012/05/15 10:26:05 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
MOD - [2007/03/23 22:06:04 | 000,249,856 | ---- | M] () -- C:\Windows\System32\igfxTMM.dll
MOD - [2007/02/07 21:43:50 | 000,040,960 | ---- | M] () -- C:\Program Files\Sony\VAIO Camera Utility\VCULib.dll


========== Services (SafeList) ==========

SRV - [2012/10/09 19:01:38 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/10/07 12:20:29 | 000,722,528 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe -- (vToolbarUpdater12.2.6)
SRV - [2012/10/03 14:33:22 | 001,028,464 | ---- | M] (iolo technologies, LLC) [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
SRV - [2012/08/23 13:55:10 | 000,362,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2012/07/27 15:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/13 16:14:14 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/03/20 15:11:32 | 000,151,880 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2012/03/20 15:05:00 | 000,161,632 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2012/03/20 15:04:32 | 000,166,288 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/06/17 12:33:04 | 000,237,008 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService)
SRV - [2011/02/28 17:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 09:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2011/01/27 20:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 20:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 20:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 20:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 20:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 20:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/01/28 10:52:46 | 002,790,400 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Auto | Running] -- C:\Windows\System32\hasplms.exe -- (hasplms)
SRV - [2008/10/29 03:12:08 | 000,090,112 | R--- | M] (FGAG) [Auto | Running] -- C:\Program Files\BERNINA\UCS\UniversalCommunicationServer.exe -- (UniversalCommunicationServer)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/03/29 12:01:38 | 000,069,632 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\System32\FDDService.exe -- (FDDService)
SRV - [2007/02/13 17:19:48 | 000,182,392 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2007/01/26 13:41:32 | 000,075,952 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Image Converter 3\ICScsiSV.exe -- (ICScsiSV)
SRV - [2007/01/26 13:41:24 | 000,067,760 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Image Converter 3\IcVzMonLauncher.exe -- (IcVzMonLauncher)
SRV - [2007/01/26 13:41:24 | 000,043,184 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Sony\Image Converter 3\IcVzMon.exe -- (Image Converter video recording monitor for VAIO Entertainment)
SRV - [2007/01/24 18:56:24 | 000,075,320 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2007/01/24 18:56:20 | 000,112,184 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe -- (SonicStage Back-End Service)
SRV - [2007/01/16 16:05:00 | 002,523,136 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe -- (VAIOMediaPlatform-IntegratedServer-AppServer)
SRV - [2007/01/16 16:05:00 | 001,089,536 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-UCLS-UPnP)
SRV - [2007/01/16 16:05:00 | 001,089,536 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-IntegratedServer-UPnP)
SRV - [2007/01/10 18:51:06 | 000,745,472 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe -- (VAIOMediaPlatform-UCLS-AppServer)
SRV - [2007/01/10 12:43:24 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)
SRV - [2007/01/08 19:06:40 | 000,397,312 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-UCLS-HTTP)
SRV - [2007/01/08 19:06:40 | 000,397,312 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-IntegratedServer-HTTP)
SRV - [2007/01/08 19:01:34 | 000,491,520 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe -- (VAIOMediaPlatform-Mobile-Gateway)
SRV - [2007/01/04 21:48:52 | 000,112,152 | R--- | M] (InterVideo) [Disabled | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/12/19 20:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
SRV - [2006/12/14 04:21:20 | 000,045,056 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/12/14 04:02:08 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/12/14 03:46:16 | 000,057,344 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2006/11/28 21:27:46 | 000,274,432 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)
SRV - [2006/11/28 21:09:58 | 000,135,168 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe -- (VzFw)
SRV - [2006/11/28 21:09:46 | 000,172,032 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)
SRV - [2006/11/28 17:28:12 | 000,020,480 | ---- | M] ( ) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2006/11/09 17:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/10/23 07:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\acs\AOLacsd.exe -- (AOL ACS)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mfeavfk01)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (IpInIp)
DRV - [2012/10/07 12:20:31 | 000,027,496 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2012/08/02 13:21:22 | 000,068,464 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\PDFsFilter.sys -- (PDFsFilter)
DRV - [2012/04/17 10:25:02 | 000,027,080 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\ElRawDsk.sys -- (ElRawDisk)
DRV - [2012/02/22 15:29:46 | 000,464,304 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2012/02/22 15:29:46 | 000,340,920 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2012/02/22 15:29:46 | 000,180,848 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2012/02/22 15:29:46 | 000,169,608 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2012/02/22 15:29:46 | 000,121,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2012/02/22 15:29:46 | 000,087,656 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2012/02/22 15:29:46 | 000,064,912 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2012/02/22 15:29:46 | 000,059,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2012/02/22 15:29:46 | 000,057,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/02/03 03:10:12 | 000,586,752 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\hardlock.sys -- (Hardlock)
DRV - [2009/02/03 03:10:12 | 000,238,208 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\akshasp.sys -- (akshasp)
DRV - [2009/01/28 16:26:24 | 000,020,480 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\aksusb.sys -- (aksusb)
DRV - [2009/01/16 11:42:28 | 000,352,256 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\aksfridge.sys -- (aksfridge)
DRV - [2008/01/19 01:14:59 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/09/26 13:12:22 | 002,251,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32)
DRV - [2007/07/23 14:12:44 | 000,046,336 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\akshhl.sys -- (akshhl)
DRV - [2007/03/19 08:13:24 | 000,030,976 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SonyImgF.sys -- (SonyImgF)
DRV - [2007/03/18 23:15:53 | 000,323,584 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/03/15 14:17:07 | 000,074,240 | ---- | M] (Ricoh) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\R5U870FLx86.sys -- (R5U870FLx86)
DRV - [2007/03/15 14:17:07 | 000,043,904 | ---- | M] (Ricoh) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\R5U870FUx86.sys -- (R5U870FUx86)
DRV - [2007/03/15 13:31:13 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\Windows\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/03/15 13:31:13 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\Windows\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/03/01 19:28:54 | 000,124,256 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\WimFltr.sys -- (WimFltr)
DRV - [2007/02/08 07:27:24 | 000,807,424 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ti21sony.sys -- (ti21sony)
DRV - [2007/02/01 00:37:18 | 000,027,520 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SonyNC.sys -- (SNC)
DRV - [2007/01/03 13:19:08 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\regi.sys -- (regi)
DRV - [2006/11/13 21:07:45 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/13 07:32:52 | 000,140,800 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2006/11/01 15:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw)
DRV - [2006/10/18 13:56:30 | 000,010,216 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\DMICall.sys -- (DMICall)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.Google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.Google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.Google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.Google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.Google.com/
IE - HKLM\Software\Microsoft\Internet Explorer\SearchURL\w, = http://www.Google.com/
IE - HKLM\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
IE - HKLM\..\SearchScopes,DefaultScope = {443789B7-F39C-4b5c-9287-DA72D38F4FE6}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aol-chromesbox-en-us&tb_uuid=20101114201254473&tb_oid=08-02-2010&tb_mrud=01-03-2011


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.Google.com/
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.Google.com/
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.Google.com/
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.Google.com/
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.symantecstore.com/promo [Binary data over 200 bytes]
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/?ncid=toolbar
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.Google.com/
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\Software\Microsoft\Internet Explorer\SearchURL\w, = http://www.Google.com/
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{122599BB-F4AF-4582-9EB9-1CA639D3C8F3}: "URL" = http://windiwsfsearch.com/search?q={searchTerms}
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aol-chromesbox-en-us&tb_uuid=20101114201254473&tb_oid=08-02-2010&tb_mrud=01-03-2011
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = https://isearch.avg.com/search?cid={48998B5F-C428-455F-9A9D-0D108C1DC441}&mid=70c56b5b0a31472cb0df27850e36899f-32559fa6b3242cc3b1b98aecee5dd869f24f219a&lang=en&ds=hk014&pr=sa&d=2012-10-07 13:20:33&v=12.2.5.34&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80884&lng=en
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-atty
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\12.2.6\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/11/30 07:15:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\siteranker@siteranker.com: C:\Program Files\SiteRanker\firefox\ [2012/06/27 11:16:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/09/02 10:58:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\12.2.5.34\ [2012/10/07 12:20:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2012/11/13 09:32:46 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage:
CHR - Extension: SiteAdvisor = C:\Users\Alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.50.146.2_0\
CHR - Extension: AVG Secure Search = C:\Users\Alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\12.2.5.34_0\

O1 HOSTS File: ([2007/08/28 20:30:04 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AOL Toolbar Loader) - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20121007171327.dll (McAfee, Inc.)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\12.2.5.34\AVG Secure Search_toolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O2 - BHO: (hpBHO Class) - {ABD3B5E1-B268-407B-A150-2641DAB8D898} - C:\Program Files\Common Files\Homepage Protection\HomepageProtection.dll (AOL Products)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\12.2.5.34\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
O3 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\Toolbar\WebBrowser: (no name) - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - No CLSID value found.
O3 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe (Garmin)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1188348075\ee\aolsoftware.exe (AOL Inc.)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray File not found
O4 - HKLM..\Run: [QuickBooks Simple Start] C:\Program Files\Intuit\SimpleStartEntice\entice.exe ()
O4 - HKLM..\Run: [ROC_ROC_NT] C:\Program Files\AVG Secure Search\ROC_ROC_NT.exe ()
O4 - HKLM..\Run: [VAIO Center Access Bar] c:\program files\sony\VAIO Center Access Bar\VCAB.exe (Sony Electronics, Inc.)
O4 - HKLM..\Run: [VAIOCameraUtility] C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe (Sony Corporation)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\Run: [OfmjqCWuEg.exe] C:\ProgramData\OfmjqCWuEg.exe File not found
O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\Run: [VlJCNmmHFLAE7Y] C:\ProgramData\VlJCNmmHFLAE7Y.exe File not found
O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe (Adobe Systems Incorporated)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{73A15681-C430-4D0F-888C-438AF3C4E99D}: DhcpNameServer = 192.168.1.1 192.168.1.2
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.6\ViProtocol.dll ()
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\VESWinlogon: DllName - (VESWinlogon.dll) - C:\Windows\System32\VESWinlogon.dll (Sony Corporation)
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{9fd8fd70-78c5-11dc-a0ba-00038a000015}\Shell\AppLauncher\command - "" = H:\AppLauncher.exe
O33 - MountPoints2\{9fd8fd70-78c5-11dc-a0ba-00038a000015}\Shell\AutoRun\command - "" = H:\AppLauncher.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (SsiEfr.exe)
O34 - HKLM BootExecute: (autocheck smrgdf C:\Users\Alice\AppData\Roaming\iolo\)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/13 09:23:25 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Alice\Desktop\OTL.exe
[2012/11/13 09:21:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2012/11/12 16:30:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/11/12 16:26:34 | 000,000,000 | ---D | C] -- C:\Users\Alice\Desktop\mbar
[2012/11/07 17:04:26 | 000,000,000 | ---D | C] -- C:\Windows\Microsoft Antimalware
[2012/11/07 13:50:38 | 000,000,000 | ---D | C] -- C:\FRST
[2012/11/06 17:33:53 | 000,000,000 | -HSD | C] -- C:\found.000
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/13 09:23:29 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Alice\Desktop\OTL.exe
[2012/11/13 09:16:41 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/13 09:16:25 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/13 09:16:25 | 000,003,568 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/13 09:16:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/12 18:04:06 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/12 18:00:12 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/11/12 17:16:29 | 000,001,931 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/11/12 16:25:27 | 000,660,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/11/12 16:25:27 | 000,126,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/11/05 16:43:10 | 304,707,946 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/11/05 13:35:40 | 000,000,368 | ---- | M] () -- C:\ProgramData\VlJCNmmHFLAE7Y
[2012/11/05 13:33:04 | 000,000,176 | ---- | M] () -- C:\ProgramData\-VlJCNmmHFLAE7Yr
[2012/11/05 13:33:04 | 000,000,160 | ---- | M] () -- C:\ProgramData\-VlJCNmmHFLAE7Y
[2012/11/05 13:33:00 | 000,000,629 | ---- | M] () -- C:\Users\Alice\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Restore.lnk
[2012/11/03 11:10:40 | 001,666,168 | ---- | M] () -- C:\Users\Alice\Documents\TakeTenforTea.pdf
[2012/10/15 14:39:41 | 000,072,991 | ---- | M] () -- C:\Users\Alice\Documents\Inv_124108_from_BakingChipStore.com_5252.pdf
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/05 16:43:10 | 304,707,946 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/11/05 13:33:04 | 000,000,176 | ---- | C] () -- C:\ProgramData\-VlJCNmmHFLAE7Yr
[2012/11/05 13:33:04 | 000,000,160 | ---- | C] () -- C:\ProgramData\-VlJCNmmHFLAE7Y
[2012/11/05 13:33:00 | 000,000,629 | ---- | C] () -- C:\Users\Alice\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Restore.lnk
[2012/11/05 13:32:41 | 000,000,368 | ---- | C] () -- C:\ProgramData\VlJCNmmHFLAE7Y
[2012/10/15 14:39:38 | 000,072,991 | ---- | C] () -- C:\Users\Alice\Documents\Inv_124108_from_BakingChipStore.com_5252.pdf
[2012/08/17 18:53:30 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dat
[2011/12/09 09:42:58 | 000,005,648 | ---- | C] () -- C:\Users\Alice\AppData\Local\d3d9caps.dat
[2011/07/26 22:47:59 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2010/01/15 16:45:23 | 000,061,224 | ---- | C] () -- C:\Users\Alice\GoToAssistDownloadHelper.exe
[2010/01/15 11:01:55 | 000,000,952 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2009/11/02 19:26:48 | 000,000,093 | ---- | C] () -- C:\Users\Alice\AppData\Local\fusioncache.dat
[2008/01/04 08:17:25 | 000,010,240 | ---- | C] () -- C:\Users\Alice\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/13 09:56:50 | 000,056,912 | ---- | C] () -- C:\Users\Alice\g2mdlhlpx.exe
[2007/09/02 11:57:50 | 000,002,480 | ---- | C] () -- C:\Users\Alice\AppData\Roaming\wklnhst.dat
[2007/04/14 15:24:19 | 001,132,112 | ---- | C] () -- C:\ProgramData\pswi_preloaded.exe

========== ZeroAccess Check ==========

[2006/11/02 07:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 01:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

========== Base Services ==========
SRV - [2006/11/02 04:46:02 | 000,024,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\aelupsvc.dll -- (AeLookupSvc)
SRV - [2008/01/19 02:33:43 | 000,033,280 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\appinfo.dll -- (Appinfo)
SRV - [2008/01/19 02:33:01 | 000,059,392 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\alg.exe -- (ALG)
SRV - [2009/04/11 01:28:23 | 000,758,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\qmgr.dll -- (BITS)
SRV - [2009/04/11 01:28:18 | 000,334,848 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\BFE.DLL -- (BFE)
SRV - [2011/11/16 09:12:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\lsass.exe -- (KeyIso)
SRV - [2009/04/11 01:28:19 | 000,268,800 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\es.dll -- (EventSystem)
SRV - [2008/01/19 02:33:49 | 000,081,920 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\browser.dll -- (Browser)
SRV - [2012/06/01 19:02:32 | 000,133,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\cryptsvc.dll -- (CryptSvc)
SRV - [2009/04/11 01:28:24 | 000,550,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\rpcss.dll -- (DcomLaunch)
SRV - [2009/04/11 01:28:18 | 000,204,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcsvc.dll -- (Dhcp)
SRV - [2011/03/02 10:44:27 | 000,086,528 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dnsrslvr.dll -- (Dnscache)
SRV - [2008/01/19 02:34:08 | 000,057,344 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\eapsvc.dll -- (EapHost)
SRV - [2009/04/11 01:28:19 | 000,026,112 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\hidserv.dll -- (hidserv)
SRV - [2008/01/19 02:34:34 | 000,288,256 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ipnathlp.dll -- (SharedAccess)
SRV - [2009/04/11 01:28:20 | 000,364,032 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\IPSECSVC.DLL -- (PolicyAgent)
No service found with a name of MsMpSvc
No service found with a name of NisSrv
SRV - [2009/04/11 01:28:24 | 000,311,808 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\swprv.dll -- (swprv)
SRV - [2008/01/19 02:34:49 | 000,045,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\mmcss.dll -- (MMCSS)
SRV - [2008/01/19 02:35:36 | 000,274,432 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\netman.dll -- (Netman)
SRV - [2008/01/19 02:35:36 | 000,237,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\netprofm.dll -- (netprofm)
SRV - [2008/01/19 02:35:38 | 000,168,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\nlasvc.dll -- (NlaSvc)
SRV - [2008/01/19 02:35:57 | 000,018,432 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\nsisvc.dll -- (nsi)
SRV - [2009/04/11 01:28:25 | 000,222,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpnpmgr.dll -- (PlugPlay)
SRV - [2010/08/17 09:11:37 | 000,128,000 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\spoolsv.exe -- (Spooler)
SRV - [2011/11/16 09:12:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\lsass.exe -- (ProtectedStorage)
SRV - [2009/04/11 01:28:19 | 000,564,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\emdmgmt.dll -- (EMDMgmt)
SRV - [2008/01/19 02:36:15 | 000,090,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\rasauto.dll -- (RasAuto)
SRV - [2009/04/11 01:28:24 | 000,262,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\rasmans.dll -- (RasMan)
SRV - [2009/04/11 01:28:24 | 000,550,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\rpcss.dll -- (RpcSs)
SRV - [2008/01/19 02:36:20 | 000,019,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\seclogon.dll -- (seclogon)
SRV - [2011/11/16 09:12:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\lsass.exe -- (SamSs)
SRV - [2009/04/11 01:28:26 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wscsvc.dll -- (wscsvc)
SRV - [2010/09/06 11:20:29 | 000,125,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\srvsvc.dll -- (LanmanServer)
SRV - [2009/07/10 06:47:42 | 000,247,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\shsvcs.dll -- (ShellHWDetection)
SRV - [2009/04/11 01:27:49 | 003,408,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\SLsvc.exe -- (slsvc)
SRV - [2010/11/04 13:55:12 | 000,601,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\schedsvc.dll -- (Schedule)
SRV - [2009/04/11 01:28:24 | 000,242,688 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\tapisrv.dll -- (TapiSrv)
SRV - [2009/07/10 06:47:42 | 000,247,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\shsvcs.dll -- (Themes)
SRV - [2009/04/11 01:28:23 | 000,153,088 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\profsvc.dll -- (ProfSvc)
SRV - [2009/04/11 01:28:10 | 001,055,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\VSSVC.exe -- (VSS)
SRV - [2009/04/11 01:28:18 | 000,315,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\audiosrv.dll -- (Audiosrv)
SRV - [2009/04/11 01:28:18 | 000,315,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\audiosrv.dll -- (AudioEndpointBuilder)
SRV - [2008/01/19 02:36:20 | 000,104,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sdrsvc.dll -- (SDRSVC)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/04/11 01:28:25 | 001,017,856 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wevtsvc.dll -- (Eventlog)
SRV - [2009/04/11 01:28:20 | 000,407,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\MPSSVC.dll -- (MpsSvc)
SRV - [2009/04/11 01:28:25 | 000,453,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wiaservc.dll -- (stisvc)
SRV - [2009/04/11 01:27:45 | 000,073,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\msiexec.exe -- (msiserver)
SRV - [2009/04/11 01:28:25 | 000,162,304 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wbem\WMIsvc.dll -- (Winmgmt)
SRV - [2012/06/02 17:19:17 | 001,933,848 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wuaueng.dll -- (wuauserv)
SRV - [2009/04/11 01:28:18 | 000,175,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\dot3svc.dll -- (dot3svc)
SRV - [2009/07/11 14:01:42 | 000,513,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wlansvc.dll -- (Wlansvc)
SRV - [2009/06/10 06:42:23 | 000,160,256 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wkssvc.dll -- (LanmanWorkstation)

< End of report >


#13 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:38 AM

Posted 13 November 2012 - 04:16 PM

From Programs and Features (via Control Panel), please uninstall the below:
  • Java™ 6 Update 26
  • Java™ SE Runtime Environment 6
  • Java™ 6 Update 7
  • Driver Detective
  • AOL Toolbar
  • Napster Burn Engine
  • Grouper Screen Saver 1.0
  • Viewpoint Media Player

__

Fix items using OTL by OldTimer

Double-click OTL.exe to run the program.
Shut down your antivirus to avoid any conflicts.
Copy the text in the code box below and paste it into the Posted Image text-field.
:processes
killallprocesses
:otl
[2012/11/05 13:33:04 | 000,000,176 | ---- | C] () -- C:\ProgramData\-VlJCNmmHFLAE7Yr
[2012/11/05 13:33:04 | 000,000,160 | ---- | C] () -- C:\ProgramData\-VlJCNmmHFLAE7Y
[2012/11/05 13:33:00 | 000,000,629 | ---- | C] () -- C:\Users\Alice\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Restore.lnk
[2012/11/05 13:32:41 | 000,000,368 | ---- | C] () -- C:\ProgramData\VlJCNmmHFLAE7Y
O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\Run: [VlJCNmmHFLAE7Y] C:\ProgramData\VlJCNmmHFLAE7Y.exe File not found
O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\Run: [OfmjqCWuEg.exe] C:\ProgramData\OfmjqCWuEg.exe File not found
O4 - HKLM..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray File not found
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
O2 - BHO: (AOL Toolbar Loader) - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\siteranker@siteranker.com: C:\Program Files\SiteRanker\firefox\ [2012/06/27 11:16:04 | 000,000,000 | ---D | M]
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80884&lng=en
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = https://isearch.avg.com/search?cid={48998B5F-C428-455F-9A9D-0D108C1DC441}&mid=70c56b5b0a31472cb0df27850e36899f-32559fa6b3242cc3b1b98aecee5dd869f24f219a&lang=en&ds=hk014&pr=sa&d=2012-10-07 13:20:33&v=12.2.5.34&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aol-chromesbox-en-us&tb_uuid=20101114201254473&tb_oid=08-02-2010&tb_mrud=01-03-2011
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\..\SearchScopes\{122599BB-F4AF-4582-9EB9-1CA639D3C8F3}: "URL" = http://windiwsfsearch.com/search?q={searchTerms}
IE - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/?ncid=toolbar
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&query={searchTerms}&invocationType=tb50-ie-aol-chromesbox-en-us&tb_uuid=20101114201254473&tb_oid=08-02-2010&tb_mrud=01-03-2011
IE - HKLM\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
:files
C:\Program Files\Napster /d
C:\Program Files\SiteRanker /d
C:\Users\Alice\AppData\Local\Temp\b502a735d92c40ecbe93c594275ebb0a\http.dll
C:\Program Files\AOL Toolbar /d
C:\Users\Alice\AppData\Local\Temp\b502a735d92c40ecbe93c594275ebb0a\filesys.dll
C:\Users\Alice\AppData\Local\Temp\b502a735d92c40ecbe93c594275ebb0a\b502a735d92c40ecbe93c594275ebb0a
C:\found.000 /d
xcopy /h/i/s/y "%temp%\smtmp\1" "%programdata%\start menu" /c
xcopy /h/i/s/y "%temp%\smtmp\2" "%appdata%\microsoft\internet explorer\quick launch" /c
xcopy /h/i/s/y "%temp%\smtmp\3" "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /c
xcopy /h/i/s/y "%temp%\smtmp\4" "%programdata%\desktop" /c
:commands
[emptyjava]
[emptyflash]
Now click the Posted Image button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open with a log report.
Post the contents of this report into your next message.

__

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

_

Let me know how the computer is running once you have completed these steps.
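
The fix script above was written by reading the OTL log by hand: the helper picked out the two autostart values that point at executables dropped bare in C:\ProgramData (whose files are already gone), the orphaned NapsterShell entry, and the companion data files in C:\ProgramData with the same random stem. The following is an added triage script, not part of this thread and not part of OTL, that automates that first read of an OTL log. It parses the O4 autostart lines and the file-listing lines, scores each autostart entry with the same indicators a helper looks for (target missing, executable sitting directly in ProgramData, a profile root or Temp, random-looking value name, no publisher), and cross-references flagged entries against the file listing to find companion files with the same stem. The sample lines are copied from the log posted above; the function names, the severity tiers and the random-name heuristic are this example's own assumptions, so treat it as a starting point for review, not as a verdict.

```python
"""Triage helper for OTL-style logs (added example; not OTL's own code)."""
import re

# OTL autostart line, e.g.
#   O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
#   O4 - HKU\S-1-5-21-...-1005..\Run: [VlJCNmmHFLAE7Y] C:\ProgramData\VlJCNmmHFLAE7Y.exe File not found
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# OTL file-listing line, e.g.
#   [2012/11/05 13:32:41 | 000,000,368 | ---- | C] () -- C:\ProgramData\VlJCNmmHFLAE7Y
FILE_RE = re.compile(r"^\[(?P<stamp>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>[^ |]+) \| [CM]\] "
                     r"\((?P<company>[^)]*)\) -- (?P<path>.+)$")
# Directories in which a legitimate autostart executable is rarely dropped bare (assumed heuristic).
SUSPECT_DIRS = re.compile(r"^[A-Za-z]:\\(ProgramData|Users\\[^\\]+(\\AppData\\(Local|Roaming|Local\\Temp))?)$",
                          re.IGNORECASE)
MISSING = "File not found"
REASONS = {
    "suspect-dir": "executable dropped bare in ProgramData, a profile root or Temp",
    "random-name": "random-looking value name",
    "orphan": "target no longer exists (orphaned autostart)",
    "no-publisher": "no publisher information on the target",
}

def parse_autostart(line):
    """Split one O4 line into hive, key, value name, target path, publisher and missing flag."""
    m = O4_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith(MISSING)
    if missing:
        target, company = rest[:-len(MISSING)].strip(), None
    else:
        pm = re.match(r"^(?P<target>.*?) \((?P<company>[^()]*)\)$", rest)
        target, company = (pm.group("target"), pm.group("company")) if pm else (rest, "")
    if target.startswith('"'):            # "C:\...\napster.exe" /systray -> drop the arguments
        target = target[1:].split('"', 1)[0]
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "target": target, "company": company, "missing": missing}

def looks_random(name):
    """Assumed heuristic: long names whose letter case flips every few letters
    (VlJCNmmHFLAE7Y, OfmjqCWuEg) rather than at word boundaries (GoogleToolbarNotifier)."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    upper = sum(c.isupper() for c in letters) / len(letters)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return 0.3 <= upper <= 0.85 and flips / len(letters) >= 0.3

def assess(entry):
    """Return (severity, reason tags) for one autostart entry; severity is None when clean."""
    reasons = []
    parent = entry["target"].rsplit("\\", 1)[0] if "\\" in entry["target"] else ""
    if SUSPECT_DIRS.match(parent):
        reasons.append("suspect-dir")
    if looks_random(entry["name"]):
        reasons.append("random-name")
    if entry["missing"]:
        reasons.append("orphan")
    elif entry["company"] == "":
        reasons.append("no-publisher")
    if "suspect-dir" in reasons or "random-name" in reasons:
        return "high", reasons
    if "orphan" in reasons:
        return "medium", reasons
    return ("low", reasons) if reasons else (None, reasons)

def triage(log_lines):
    """Score every O4 entry and attach file-listing paths that share the target's stem."""
    entries = [e for e in (parse_autostart(l) for l in log_lines) if e]
    files = [m.group("path") for m in (FILE_RE.match(l) for l in log_lines) if m]
    findings = []
    for e in entries:
        sev, reasons = assess(e)
        if sev is None:
            continue
        stem = e["target"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        related = [f for f in files if stem in f.rsplit("\\", 1)[-1].lower()]
        findings.append({"name": e["name"], "target": e["target"], "severity": sev,
                         "reasons": reasons, "related_files": related})
    findings.sort(key=lambda f: {"high": 0, "medium": 1, "low": 2}[f["severity"]])
    return findings

# Sample input: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)",
    r'O4 - HKLM..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray File not found',
    r"O4 - HKLM..\Run: [QuickBooks Simple Start] C:\Program Files\Intuit\SimpleStartEntice\entice.exe ()",
    r"O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\Run: [OfmjqCWuEg.exe] C:\ProgramData\OfmjqCWuEg.exe File not found",
    r"O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (Google Inc.)",
    r"O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\Run: [VlJCNmmHFLAE7Y] C:\ProgramData\VlJCNmmHFLAE7Y.exe File not found",
    r"O4 - HKU\S-1-5-21-2827551898-4003574220-3101899993-1005..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe (Adobe Systems Incorporated)",
    r"[2012/11/13 09:23:25 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Alice\Desktop\OTL.exe",
    r"[2012/11/05 13:33:04 | 000,000,176 | ---- | C] () -- C:\ProgramData\-VlJCNmmHFLAE7Yr",
    r"[2012/11/05 13:33:04 | 000,000,160 | ---- | C] () -- C:\ProgramData\-VlJCNmmHFLAE7Y",
    r"[2012/11/05 13:32:41 | 000,000,368 | ---- | C] () -- C:\ProgramData\VlJCNmmHFLAE7Y",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['name']} -> {f['target']}")
        for tag in f["reasons"]:
            print(f"         - {REASONS[tag]}")
        for path in f["related_files"]:
            print(f"         related file: {path}")
```

On the sample lines the two ProgramData entries come out as high, NapsterShell as medium (orphaned but in a normal program folder), the unsigned QuickBooks launcher as low, and Apoint, the Google notifier and the Flash updater are not reported; the VlJCNmmHFLAE7Y finding also lists the three companion files in C:\ProgramData that the fix script above moves. A "high" here still means "look at it", not "delete it": the random-name test is a heuristic, and a publisher field that OTL leaves empty only tells you the file carried no version resource.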

#14 pithblitz

pithblitz
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:07:38 AM

Posted 13 November 2012 - 05:46 PM

After these two scans, the system has been running great... so far. :wink: I'll let you be the judge of that!

========== PROCESSES ==========
All processes killed
========== OTL ==========
C:\ProgramData\-VlJCNmmHFLAE7Yr moved successfully.
C:\ProgramData\-VlJCNmmHFLAE7Y moved successfully.
C:\Users\Alice\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Restore.lnk moved successfully.
C:\ProgramData\VlJCNmmHFLAE7Y moved successfully.
Registry value HKEY_USERS\S-1-5-21-2827551898-4003574220-3101899993-1005\Software\Microsoft\Windows\CurrentVersion\Run\\VlJCNmmHFLAE7Y deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2827551898-4003574220-3101899993-1005\Software\Microsoft\Windows\CurrentVersion\Run\\OfmjqCWuEg.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NapsterShell deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ba00b7b1-0351-477a-b948-23e3ee5a73d4} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba00b7b1-0351-477a-b948-23e3ee5a73d4}\ not found.
File C:\Program Files\AOL Toolbar\aoltb.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ef64538-8b54-4573-b48f-4d34b0238ab2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ef64538-8b54-4573-b48f-4d34b0238ab2}\ not found.
File C:\Program Files\AOL Toolbar\aoltb.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@viewpoint.com/VMP\ not found.
File C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll not found.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\siteranker@siteranker.com deleted successfully.
C:\Program Files\SiteRanker\firefox\components folder moved successfully.
C:\Program Files\SiteRanker\firefox\chrome\content folder moved successfully.
C:\Program Files\SiteRanker\firefox\chrome folder moved successfully.
C:\Program Files\SiteRanker\firefox folder moved successfully.
Registry key HKEY_USERS\S-1-5-21-2827551898-4003574220-3101899993-1005\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C04B7D22-5AEC-4561-8F49-27F6269208F6}\ not found.
Registry key HKEY_USERS\S-1-5-21-2827551898-4003574220-3101899993-1005\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2827551898-4003574220-3101899993-1005\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ not found.
Registry key HKEY_USERS\S-1-5-21-2827551898-4003574220-3101899993-1005\Software\Microsoft\Internet Explorer\SearchScopes\{122599BB-F4AF-4582-9EB9-1CA639D3C8F3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{122599BB-F4AF-4582-9EB9-1CA639D3C8F3}\ not found.
HKU\S-1-5-21-2827551898-4003574220-3101899993-1005\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{f0e98552-8e47-4c6c-9b3a-11ab0549f94d} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f0e98552-8e47-4c6c-9b3a-11ab0549f94d}\ not found.
File C:\Program Files\AOL Toolbar\aoltb.dll not found.
========== FILES ==========
File\Folder C:\Program Files\Napster not found.
C:\Program Files\SiteRanker\SiteRank.dll deleted successfully.
C:\Program Files\SiteRanker\SiteRankTray.exe deleted successfully.
C:\Program Files\SiteRanker\unins000.dat deleted successfully.
C:\Program Files\SiteRanker\unins000.exe deleted successfully.
C:\Program Files\SiteRanker folder deleted successfully.
File\Folder C:\Users\Alice\AppData\Local\Temp\b502a735d92c40ecbe93c594275ebb0a\http.dll not found.
File\Folder C:\Program Files\AOL Toolbar not found.
File\Folder C:\Users\Alice\AppData\Local\Temp\b502a735d92c40ecbe93c594275ebb0a\filesys.dll not found.
File\Folder C:\Users\Alice\AppData\Local\Temp\b502a735d92c40ecbe93c594275ebb0a\b502a735d92c40ecbe93c594275ebb0a not found.
C:\found.000\file0000.chk deleted successfully.
C:\found.000 folder deleted successfully.
< xcopy /h/i/s/y "%temp%\smtmp\1" "%programdata%\start menu" /c >
0 File(s) copied
C:\Users\Alice\Desktop\cmd.bat deleted successfully.
C:\Users\Alice\Desktop\cmd.txt deleted successfully.
< xcopy /h/i/s/y "%temp%\smtmp\2" "%appdata%\microsoft\internet explorer\quick launch" /c >
0 File(s) copied
C:\Users\Alice\Desktop\cmd.bat deleted successfully.
C:\Users\Alice\Desktop\cmd.txt deleted successfully.
< xcopy /h/i/s/y "%temp%\smtmp\3" "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /c >
0 File(s) copied
C:\Users\Alice\Desktop\cmd.bat deleted successfully.
C:\Users\Alice\Desktop\cmd.txt deleted successfully.
< xcopy /h/i/s/y "%temp%\smtmp\4" "%programdata%\desktop" /c >
0 File(s) copied
C:\Users\Alice\Desktop\cmd.bat deleted successfully.
C:\Users\Alice\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Alice
->Java cache emptied: 38583255 bytes

User: All Users

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 37.00 mb


[EMPTYFLASH]

User: Alice
->Flash cache emptied: 199528 bytes

User: All Users

User: Default
->Flash cache emptied: 41620 bytes

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 11132012_172828

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 3.0.7 (11.13.2012)
OS: Windows Vista ™ Home Premium x86
Ran by Alice on Tue 11/13/2012 at 17:36:58.78
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{d3d233d5-9f6d-436c-b6c7-e63f77503b30}



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_local_machine\software\freeze.com"
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{11bf46c6-b3de-48bd-bf70-3ad85cab80b5}
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{abd3b5e1-b268-407b-a150-2641dab8d898}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{abd3b5e1-b268-407b-a150-2641dab8d898}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Program Files\Common Files\homepage protection"
Successfully deleted: [Folder] "C:\Users\Alice\appdata\locallow\siteranker"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/13/2012 at 17:40:52.38
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#15 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 13 November 2012 - 06:09 PM

Just one more check and then we should be done ;)

Now download unhide.exe to your desktop.
  • Run unhide.exe by right-clicking it and selecting Run as Administrator.
  • Be patient as the tool runs.
  • Attach or post the contents of unhide.txt which is located on your desktop.
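The two recovery steps this thread leans on are the OTL xcopy lines earlier in the thread (copying shortcuts the rogue parked in %temp%\smtmp\1..4 back to the Start Menu, Quick Launch, pinned taskbar and public Desktop folders; the log above shows "0 File(s) copied" for each, meaning smtmp was already empty) and the unhide.exe run requested here, which clears the Hidden attribute the rogue set on user files. The script below is an added example, not code from the thread and not unhide.exe's own logic (what unhide.exe does beyond this is not documented on this page). It redoes both steps in PowerShell so they can be re-run and checked, with a -DryRun switch that only reports what would change. It assumes PowerShell 2.0 or later, an elevated prompt, and that it is run as the affected user; the smtmp source-to-destination mapping is the one from the OTL script, everything else (function names, the Hidden-but-not-System rule, skipping reparse points) is this example's own choice.

```powershell
# Added example, not from the thread and not unhide.exe's code: redo the two
# recovery steps the thread relies on so they can be re-run and checked.
#   1. copy shortcuts the rogue parked in %TEMP%\smtmp\1..4 back to their homes
#      (same source -> destination mapping as the OTL xcopy lines)
#   2. clear the Hidden attribute on user items that are Hidden but not System
# Assumptions: PowerShell 2.0 or later, elevated prompt, run as the affected user.
# Use -DryRun first; it only reports what would change.
param([switch]$DryRun)

$smtmp = Join-Path $env:TEMP 'smtmp'
# Same targets the OTL script used. On Vista/7 'ProgramData\Start Menu' and
# 'ProgramData\Desktop' are junctions to ...\Microsoft\Windows\Start Menu and
# Users\Public\Desktop, so copying through them lands in the right place.
$map = @{
    '1' = Join-Path $env:ProgramData 'Start Menu'
    '2' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    '3' = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    '4' = Join-Path $env:ProgramData 'Desktop'
}

function Test-Flag([IO.FileAttributes]$Attrs, [IO.FileAttributes]$Flag) {
    # -band binds looser than -ne in PowerShell, so keep the parentheses
    return (($Attrs -band $Flag) -ne 0)
}

function Restore-SmtmpShortcuts {
    $copied = 0
    foreach ($key in ($map.Keys | Sort-Object)) {
        $src = Join-Path $smtmp $key
        $dst = $map[$key]
        if (-not (Test-Path -LiteralPath $src)) {
            Write-Host ("smtmp\{0}: not present, nothing to restore" -f $key)
            continue
        }
        # -Force lists hidden items too, which is what xcopy /h did
        foreach ($f in (Get-ChildItem -LiteralPath $src -Recurse -Force | Where-Object { -not $_.PSIsContainer })) {
            $rel    = $f.FullName.Substring($src.Length).TrimStart('\')
            $target = Join-Path $dst $rel
            if ($DryRun) { Write-Host "would copy $($f.FullName) -> $target"; continue }
            $dir = Split-Path -Parent $target
            if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
            Copy-Item -LiteralPath $f.FullName -Destination $target -Force   # overwrite, like xcopy /y
            $copied++
        }
    }
    Write-Host "$copied file(s) restored from smtmp"
}

function Get-HiddenUserItems([string]$Dir) {
    # Own recursion instead of Get-ChildItem -Recurse so junctions (reparse
    # points such as AppData\Local\Application Data) are never descended into.
    foreach ($item in (Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue)) {
        $a = $item.Attributes
        if (Test-Flag $a ([IO.FileAttributes]::ReparsePoint)) { continue }
        # Hidden+System is how Windows marks its own items (desktop.ini, NTUSER.DAT);
        # the rogue only sets Hidden, so that is the only combination touched.
        if ((Test-Flag $a ([IO.FileAttributes]::Hidden)) -and -not (Test-Flag $a ([IO.FileAttributes]::System))) { $item }
        if ($item.PSIsContainer) { Get-HiddenUserItems $item.FullName }
    }
}

function Clear-HiddenAttribute([string]$Root) {
    $fixed = 0
    foreach ($item in (Get-HiddenUserItems $Root)) {
        if ($DryRun) { Write-Host "would unhide $($item.FullName)"; continue }
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
        $fixed++
    }
    Write-Host "$fixed item(s) unhidden under $Root"
}

Restore-SmtmpShortcuts
Clear-HiddenAttribute $env:USERPROFILE
Clear-HiddenAttribute (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')
```

Run it once with -DryRun and read the output before running it for real: a line of "smtmp\N: not present" for every folder matches the "0 File(s) copied" result in the OTL log above, and the list of items that would be unhidden should be ordinary documents and shortcuts, not anything the Hidden+System rule should have kept out of the way. Checking the counts after the real run is the same kind of confirmation the helper asks for with unhide.txt.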




