Trojan Downloader: Java/Toniper (System Restore Persistent)


  • This topic is locked
66 replies to this topic

#1 hatestrojans (Members, 33 posts)

Posted 07 July 2013 - 07:45 PM

Dear helper,

 

I noticed that about a week ago the Windows notification pop-up from the taskbar informed me that it successfully installed driver software for a USB device. No USB device was connected, so I was immediately concerned. The next day, the "duh-dong" sound that Windows makes when a USB device is connected or disconnected kept going off, and is doing so to this day. The sounds accompany a non-existing USB device called "MemoryStick" showing up in drive F: of my computer, but only for short amounts of time. I figured the virus was exploiting the "autorun" feature to install more software, so I turned off autorun in the group policy editor (gpedit.msc). My computer was running very slow and turning off autorun seemed to help a tiny bit. I also tried turning off USB drives following http://support.microsoft.com/kb/555324 , don't think it worked though. I noticed that NT Kernel & System takes up 100% of my CPU in the task manager. Avast and MSE didn't pick up on the virus, so I made a bootable offline Defender USB and it found a "Trojan Downloader: Java/Toniper". It was not successful at removing it though.

 

I've tried to remove java myself, ran JavaRa, rkill, RogueKiller, TFC, and ComboFix (yes, sorry). Malwarebytes scan and Avast boot-time scan both had no results. I did the DDS scan last. Here are the logs: Thank you so much ahead of time! I know this is your time, I tried fixing it myself and this is my last resort.

 

DDS Log:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16490  BrowserJavaVersion: 10.21.2
Run by Hund at 19:13:00 on 2013-07-07
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3964.2336 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbfcoms.exe
C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\TOSHIBA\rselect\RSelSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\ThpSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-hang-ui.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://de.ask.com/?l=dis&o=15768
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60
mRun: [RegKillElbyCheck] "C:\Program Files (x86)\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
mRun: [RegKillTray] "C:\Program Files (x86)\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\Users\Hund\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sipgate phone.appref-ms
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: Display All Images with Full Quality - "res://C:\Program Files (x86)\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "res://C:\Program Files (x86)\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/wpi/support/plugins/ebraryRdr.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/67.17/uploader2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.wpi.edu/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{591B2F64-B6B8-4915-942B-0231606C94B9} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{591B2F64-B6B8-4915-942B-0231606C94B9}\2656C6B696E6E2132683 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{591B2F64-B6B8-4915-942B-0231606C94B9}\2656C6B696E6E2239363 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{591B2F64-B6B8-4915-942B-0231606C94B9}\3457C616E64727F6F6F6028744 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{591B2F64-B6B8-4915-942B-0231606C94B9}\4616973796E6E6231343 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{591B2F64-B6B8-4915-942B-0231606C94B9}\4616973796E6E6233313 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{591B2F64-B6B8-4915-942B-0231606C94B9}\C616D6264616C333471657 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{A6AF07A1-9639-46D0-BE66-0F92CB42FA0B} : NameServer = 130.215.32.18 130.215.39.18
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-TB: avast! Online Security: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [ThpSrv] C:\Windows\System32\thpsrv /logon
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
x64-Run: [TPCHWMsg] C:\Program Files (x86)\TOSHIBA\TPHM\TPCHWMsg.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {AA570693-00E2-4907-B6F1-60A1199B030C} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Hund\AppData\Roaming\Mozilla\Firefox\Profiles\eihrcm4o.Normall\
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 4001
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 4001
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 4001
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 4001
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll
FF - plugin: C:\Program Files (x86)\CambridgeSoft\ChemOffice2008\ChemDraw\NPCDP32.DLL
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Picasa2\npPicasa2.dll
FF - plugin: C:\Program Files (x86)\Picasa2\npPicasa3.dll
FF - plugin: C:\Users\Hund\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: C:\Users\Hund\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Hund\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Hund\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\Hund\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1200112.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
FF - ExtSQL: 2013-07-03 02:20; wrc@avast.com; C:\Program Files\AVAST Software\Avast\WebRep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-7-3 65336]
R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-7-3 189936]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-7-3 1030952]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-7-3 378944]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-7-3 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-7-3 80816]
R3 FwLnk;FwLnk Driver;C:\Windows\System32\drivers\FwLnk.sys [2009-5-3 8704]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2008-9-22 126464]
S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-10-26 32768]
.
=============== File Associations ===============
.
FileExt: .inf: inffile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .js: Applications\notepad.exe=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-07-07 19:49:36    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-07-06 22:02:43    9552976    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1FA30F48-8D38-402F-A0BB-0FE45CF48D3E}\mpengine.dll
2013-07-06 22:01:36    --------    d-----w-    C:\Combo-Fix18873C
2013-07-06 04:11:50    --------    d-----w-    C:\Combo-Fix
2013-07-06 00:51:17    17018248    ----a-w-    C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-07-05 21:15:14    98816    ----a-w-    C:\Windows\sed.exe
2013-07-05 21:15:14    256000    ----a-w-    C:\Windows\PEV.exe
2013-07-05 21:15:14    208896    ----a-w-    C:\Windows\MBR.exe
2013-07-05 21:14:24    9552976    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-04 05:37:11    74136    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2013-07-04 05:37:11    2106216    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2013-07-04 05:37:11    19352    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll
2013-07-04 05:37:10    263576    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-07-04 05:37:08    116120    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
2013-07-04 05:35:58    92056    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-07-04 01:53:01    --------    d-----w-    C:\Windows\Microsoft Antimalware
2013-07-03 07:46:33    2382848    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2013-07-03 07:46:33    2382848    ----a-w-    C:\Windows\System32\mshtml.tlb
2013-07-03 07:46:32    420864    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2013-07-03 07:46:32    182936    ----a-w-    C:\Program Files\Internet Explorer\sqmapi.dll
2013-07-03 07:46:32    149656    ----a-w-    C:\Program Files (x86)\Internet Explorer\sqmapi.dll
2013-07-03 07:46:31    996352    ----a-w-    C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-07-03 07:46:31    768512    ----a-w-    C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-07-03 07:46:30    304640    ----a-w-    C:\Program Files\Internet Explorer\IEShims.dll
2013-07-03 07:46:30    194048    ----a-w-    C:\Program Files (x86)\Internet Explorer\IEShims.dll
2013-07-03 06:28:30    964552    ------w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4D1E3A1A-029D-4271-9F56-166B0CCE349A}\gapaengine.dll
2013-07-03 06:20:51    72016    ----a-w-    C:\Windows\System32\drivers\aswRdr2.sys
2013-07-03 06:20:50    1030952    ----a-w-    C:\Windows\System32\drivers\aswSnx.sys
2013-07-03 06:20:47    189936    ----a-w-    C:\Windows\System32\drivers\aswVmm.sys
2013-07-03 06:20:44    65336    ----a-w-    C:\Windows\System32\drivers\aswRvrt.sys
2013-07-03 06:20:40    80816    ----a-w-    C:\Windows\System32\drivers\aswMonFlt.sys
2013-07-03 06:19:35    41664    ----a-w-    C:\Windows\avastSS.scr
2013-07-03 01:05:55    --------    d-----w-    C:\Program Files\AVAST Software
2013-07-03 01:03:46    --------    d-----w-    C:\ProgramData\AVAST Software
2013-07-02 01:27:09    --------    d-----w-    C:\Users\Hund\AppData\Local\Programs
.
==================== Find3M  ====================
.
2013-07-06 00:52:37    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-06 00:52:37    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-17 03:09:56    2312704    ----a-w-    C:\Windows\System32\jscript9.dll
2013-05-17 03:02:29    1392128    ----a-w-    C:\Windows\System32\wininet.dll
2013-05-17 03:01:13    1494528    ----a-w-    C:\Windows\System32\inetcpl.cpl
2013-05-17 02:56:09    173056    ----a-w-    C:\Windows\System32\ieUnatt.exe
2013-05-17 02:56:00    599040    ----a-w-    C:\Windows\System32\vbscript.dll
2013-05-16 22:39:39    1800704    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2013-05-16 22:28:26    1129472    ----a-w-    C:\Windows\SysWow64\wininet.dll
2013-05-16 22:27:30    1427968    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2013-05-16 22:21:37    142848    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2013-05-02 15:29:56    278800    ------w-    C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 19:20:56.18 ===============
 

The RKill log:

 

RogueKiller V8.6.2 [Jul  5 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Hund [Admin rights]
Mode : Remove -- Date : 07/05/2013 22:53:48
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] sipgatePhone.exe -- C:\Users\Hund\AppData\Local\Apps\2.0\WO12BY2D.YHC\GMJLG94P.MYZ\sipg..tion_63886910cc40b5e5_0001.0000_1f883b07455591b9\sipgatePhone.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[DNS] HKLM\[...]\CCSet\[...]\{A6AF07A1-9639-46D0-BE66-0F92CB42FA0B} : NameServer (130.215.32.18 130.215.39.18) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\CS001\[...]\{A6AF07A1-9639-46D0-BE66-0F92CB42FA0B} : NameServer (130.215.32.18 130.215.39.18) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\CS002\[...]\{A6AF07A1-9639-46D0-BE66-0F92CB42FA0B} : NameServer (130.215.32.18 130.215.39.18) -> NOT REMOVED, USE DNSFIX
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 6 ¤¤¤
[FF][PROXY] eihrcm4o.Normall : user_pref("network.proxy.hxxp", "localhost"); -> NOT REMOVED, USE PROXYFIX
[FF][PROXY] eihrcm4o.Normall : user_pref("network.proxy.hxxp_port", 4001); -> NOT REMOVED, USE PROXYFIX
[FF][PROXY] osn2bkst.default : user_pref("network.proxy.hxxp", "localhost"); -> NOT REMOVED, USE PROXYFIX
[FF][PROXY] osn2bkst.default : user_pref("network.proxy.hxxp_port", 4001); -> NOT REMOVED, USE PROXYFIX
[FF][PROXY] tqn2v9pb.Interesting : user_pref("network.proxy.hxxp", "localhost"); -> NOT REMOVED, USE PROXYFIX
[FF][PROXY] tqn2v9pb.Interesting : user_pref("network.proxy.hxxp_port", 4001); -> NOT REMOVED, USE PROXYFIX

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
::1             localhost
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BEVT-26ZCT0 +++++
--- User ---
[MBR] 48d5bb3249fe671c84ff48c85d3ab24d
[BSP] 29f5cb0e747def96b31d63f7bea66df1 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 293256 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 603662336 | Size: 10488 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_07052013_225348.txt >>
RKreport[0]_D_07052013_161218.txt;RKreport[0]_S_07052013_161025.txt;RKreport[0]_S_07052013_225340.txt

ComboFix Log:

 

ComboFix 13-07-07.01 - Hund 07/06/2013  18:12:57.2.2 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3964.2213 [GMT -4:00]
Running from: c:\users\Hund\Desktop\Combo-Fix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-07 to 2013-07-07  )))))))))))))))))))))))))))))))
.
.
2013-07-07 00:54 . 2013-07-07 00:54    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2013-07-07 00:54 . 2013-07-07 00:54    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-07 00:54 . 2013-07-07 00:54    --------    d-----w-    c:\users\Babbbaa\AppData\Local\temp
2013-07-06 22:02 . 2013-06-12 03:08    9552976    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1FA30F48-8D38-402F-A0BB-0FE45CF48D3E}\mpengine.dll
2013-07-06 04:11 . 2013-07-06 05:53    --------    d-----w-    C:\Combo-Fix
2013-07-06 00:51 . 2013-07-06 00:51    17018248    ----a-w-    c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-07-05 21:14 . 2013-06-12 03:08    9552976    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-04 01:53 . 2013-07-04 01:53    --------    d-----w-    c:\windows\Microsoft Antimalware
2013-07-03 07:46 . 2013-05-17 02:51    96768    ----a-w-    c:\windows\system32\mshtmled.dll
2013-07-03 07:46 . 2013-05-17 02:51    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-07-03 07:46 . 2013-05-16 22:16    2382848    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2013-07-03 07:46 . 2013-05-17 04:10    182936    ----a-w-    c:\program files\Internet Explorer\sqmapi.dll
2013-07-03 07:46 . 2013-05-16 23:34    149656    ----a-w-    c:\program files (x86)\Internet Explorer\sqmapi.dll
2013-07-03 07:46 . 2013-05-16 22:20    420864    ----a-w-    c:\windows\SysWow64\vbscript.dll
2013-07-03 07:46 . 2013-05-17 03:00    996352    ----a-w-    c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-07-03 07:46 . 2013-05-16 22:24    768512    ----a-w-    c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2013-07-03 07:46 . 2013-05-17 02:58    304640    ----a-w-    c:\program files\Internet Explorer\IEShims.dll
2013-07-03 07:46 . 2013-05-16 22:23    194048    ----a-w-    c:\program files (x86)\Internet Explorer\IEShims.dll
2013-07-03 07:44 . 2013-05-17 02:59    548864    ----a-w-    c:\program files\Internet Explorer\ieproxy.dll
2013-07-03 07:43 . 2013-05-17 04:05    17824768    ----a-w-    c:\windows\system32\mshtml.dll
2013-07-03 07:43 . 2013-05-17 03:27    10926080    ----a-w-    c:\windows\system32\ieframe.dll
2013-07-03 06:28 . 2013-07-03 06:24    964552    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4D1E3A1A-029D-4271-9F56-166B0CCE349A}\gapaengine.dll
2013-07-03 06:20 . 2013-05-09 08:59    33400    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2013-07-03 06:20 . 2013-07-03 06:32    378944    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-07-03 06:20 . 2013-05-09 08:59    72016    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2013-07-03 06:20 . 2013-07-03 06:32    1030952    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-07-03 06:20 . 2013-05-09 08:59    64288    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-07-03 06:20 . 2013-07-03 06:32    189936    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-07-03 06:20 . 2013-05-09 08:59    65336    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-07-03 06:20 . 2013-05-09 08:59    80816    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-07-03 06:20 . 2013-05-09 08:58    287840    ----a-w-    c:\windows\system32\aswBoot.exe
2013-07-03 06:19 . 2013-05-09 08:58    41664    ----a-w-    c:\windows\avastSS.scr
2013-07-03 01:05 . 2013-07-03 06:19    --------    d-----w-    c:\program files\AVAST Software
2013-07-03 01:03 . 2013-07-03 06:19    --------    d-----w-    c:\programdata\AVAST Software
2013-07-02 01:27 . 2013-07-02 01:27    --------    d-----w-    c:\users\Hund\AppData\Local\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-06 00:52 . 2012-04-16 19:51    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-06 00:52 . 2011-10-21 21:55    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-03 06:47 . 2010-07-26 15:35    75825640    ----a-w-    c:\windows\system32\MRT.exe
2013-05-14 00:59 . 2011-03-28 23:36    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 15:29 . 2010-07-24 19:40    278800    ------w-    c:\windows\system32\MpSigStub.exe
2013-04-23 18:03 . 2011-03-25 20:34    905296    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-15 23:49    130736    ----a-w-    c:\users\Hund\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-15 23:49    130736    ----a-w-    c:\users\Hund\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-15 23:49    130736    ----a-w-    c:\users\Hund\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-01 1283384]
"RegKillElbyCheck"="c:\program files (x86)\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
"RegKillTray"="c:\program files (x86)\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-27 49152]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-05-09 4858968]
.
c:\users\Hund\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
sipgate phone.appref-ms [2012-4-23 388]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys;c:\windows\SYSNATIVE\Drivers\ANDROIDUSB.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 NT_NvcA;Nortel VPN Adapter;c:\windows\system32\DRIVERS\ntnvca.sys;c:\windows\SYSNATIVE\DRIVERS\ntnvca.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RegKill;RegKill;c:\windows\system32\Drivers\RegKill.sys;c:\windows\SYSNATIVE\Drivers\RegKill.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 camsvc;TOSHIBA Web Camera Service;c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE;c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
S0 aswRvrt;aswRvrt; [x]
S0 aswVmm;aswVmm; [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys;c:\windows\SYSNATIVE\Drivers\sptd.sys [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys;c:\windows\SYSNATIVE\DRIVERS\thpdrv.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe;c:\windows\SYSNATIVE\lxbfcoms.exe [x]
S2 MsgPlusService;Messenger Plus! Service;c:\program files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe;c:\program files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe [x]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys;c:\windows\SYSNATIVE\DRIVERS\rimspe64.sys [x]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys;c:\windows\SYSNATIVE\DRIVERS\rixdpe64.sys [x]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\rselect\RSelSvc.exe;c:\program files\TOSHIBA\rselect\RSelSvc.exe [x]
S2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
S2 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys;c:\windows\SYSNATIVE\DRIVERS\FwLnk.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 23:54]
.
2013-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-12 20:37]
.
2013-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-12 20:37]
.
2013-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1000Core.job
- c:\users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-10 03:06]
.
2013-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1000UA.job
- c:\users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-10 03:06]
.
2013-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1008Core.job
- c:\users\Babbbaa\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-27 05:30]
.
2013-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1008UA.job
- c:\users\Babbbaa\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-27 05:30]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-05-09 08:58    133840    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-15 23:49    164016    ----a-w-    c:\users\Hund\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-15 23:49    164016    ----a-w-    c:\users\Hund\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-15 23:49    164016    ----a-w-    c:\users\Hund\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-15 23:49    164016    ----a-w-    c:\users\Hund\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-18 1713448]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-03-24 1123840]
"TPCHWMsg"="c:\program files (x86)\TOSHIBA\TPHM\TPCHWMsg.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-06-11 12503184]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://de.ask.com/?l=dis&o=15768
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Display All Images with Full Quality - "c:\program files (x86)\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files (x86)\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: netzero.com
Trusted Zone: netzero.net
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{A6AF07A1-9639-46D0-BE66-0F92CB42FA0B}: NameServer = 130.215.32.18 130.215.39.18
FF - ProfilePath - c:\users\Hund\AppData\Roaming\Mozilla\Firefox\Profiles\eihrcm4o.Normall\
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 4001
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 4001
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 4001
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 4001
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-07-03 02:20; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-06  21:16:16
ComboFix-quarantined-files.txt  2013-07-07 01:16
ComboFix2.txt  2013-07-06 05:53
.
Pre-Run: 76,771,061,760 bytes free
Post-Run: 76,700,004,352 bytes free
.
- - End Of File - - 12FB7E0C3E0B6FCB24805EFD63CD0FE8
A36C5E4F47E84449FF07ED3517B43A31
 

 


 

 

 




 


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,988 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:02 PM

Posted 10 July 2013 - 04:49 PM

Greetings hatestrojans and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible.

Edited by Oh My, 10 July 2013 - 04:50 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,988 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:02 PM

Posted 10 July 2013 - 05:05 PM

Greetings again,

Please run these for me.

===================================================

Disable CD Emulation

--------------------
  • Please download DeFogger and save it to your desktop
  • Double-click on the DeFogger icon to start the tool.
  • The application window will appear.
  • You should now click on the Disable button to disable your CD Emulation drivers.
  • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
===================================================

Running TDSSKiller with Changed Parameters

--------------------
  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters

tds2.jpg

  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now

2012081514h0118.png

  • Click Start Scan and allow the scan process to run

tds4-1.jpg

  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue

tds6.jpg

  • Click Reboot computer
  • Please zip and attach in your reply the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • TDSSKiller log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 hatestrojans

hatestrojans
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:02 AM

Posted 11 July 2013 - 07:49 AM

Hi Gary,

 

Thanks a lot for the help! I followed your steps and everything went smoothly. For some reason I couldn't save DeFogger directly to my desktop because the folder could not be changed, so I had to save to my username's folder and then move it to the desktop. The TDSSKiller log is attached as a zip file.

 

~Merlin

Attached Files



#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,988 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:02 PM

Posted 11 July 2013 - 08:05 AM

Greetings Merlin,

Can you clarify a couple of things for me, please?

Do you recognize this?
sipgatePhone
----------

Are you using your computer at an educational institution?

----------

There are a couple of things to address in this post. Please consider and do the following for me.

===================================================

Multiple Antivirus Programs

-------------------

I do not recommend that you have more than one anti virus product installed on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please remove all but one of the below Antivirus programs currently on your computer, even if only one is running. You can do this via Add/Remove Programs, or Programs and Features in the Control Panel

Microsoft Security Essentials
Avast


===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Clarification
  • Did one of the antivirus programs uninstall successfully?
  • Farbar log
  • Attach log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

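Post #5 asks for the FRST log, and the reply that follows pastes one. As an added example, not code from this thread, from Farbar, or from any tool mentioned here, this is a small Python triage helper for the `Registry (Whitelisted)` section of such a log: it parses the `HK...\...\Run:` and `RunOnce:` lines into structured entries and flags the ones a reviewer looks at first. The line format is taken from the shape of the log as posted; the sample lines below are constructed copies of six such lines, and the flag heuristics (file reported missing as `[x]`, blank entry name, no vendor string, executable under a user profile's AppData) are my own choices, not an FRST feature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six lines in the shape of FRST's "Registry (Whitelisted)"
# section, copied from the format of the log posted in this thread. The parser
# is an added triage helper, not part of FRST or of the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1713448 2009-03-18] (Synaptics Incorporated)
HKLM\...\Run: [ThpSrv] - C:\Windows\system32\thpsrv /logon [x]
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [avast] - "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4858968 2013-05-09] (AVAST Software)
HKU\Guest\...\Run: [Google Update] - "C:\Users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-11-09] (Google Inc.)
HKU\Guest\...\RunOnce: [Application Restart #0] - C:\Program Files\Microsoft Security Client\msseces.exe -Recover [x]
"""

# "<hive>\...\Run: [<name>] - <rest>"; the hive may contain spaces (HKU\Default User).
ENTRY_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] - (?P<rest>.*)$"
)
# "<command> [<size> <date>] (<vendor>)" for entries whose file was found.
DETAIL_RE = re.compile(
    r"^(?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\](?: \((?P<vendor>[^)]*)\))?$"
)
# Executable part of the command: a quoted path, or an unquoted path up to a known extension.
EXE_RE = re.compile(
    r'^"(?P<quoted>[^"]+)"|^(?P<bare>.*?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?=\s|$)',
    re.IGNORECASE,
)


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    command: str
    executable: Optional[str]
    vendor: Optional[str]
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def _executable(command: str) -> Optional[str]:
    m = EXE_RE.match(command)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def _flags(entry: AutostartEntry) -> List[str]:
    """Heuristic review flags (assumptions of this example, not FRST output)."""
    flags = []
    if entry.file_missing:
        flags.append("missing-file")          # FRST reported the target as [x]
    if not entry.name.strip():
        flags.append("blank-name")            # nameless value, as in the orphan ComboFix removed
    if not entry.file_missing and not entry.vendor:
        flags.append("no-vendor")             # no company string: unsigned or unknown publisher
    if "\\appdata\\" in entry.command.lower():
        flags.append("user-profile-path")     # autostart from a writable per-user location
    return flags


def parse_autostart_entries(text: str) -> List[AutostartEntry]:
    """Parse Run/RunOnce lines from FRST's Registry section into entries."""
    entries: List[AutostartEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        missing = rest.endswith("[x]")
        if missing:
            command, vendor = rest[:-3].strip(), None
        else:
            d = DETAIL_RE.match(rest)
            command = d.group("cmd").strip() if d else rest
            vendor = d.group("vendor") if d else None
        entry = AutostartEntry(
            hive=m.group("hive"), key=m.group("key"), name=m.group("name"),
            command=command, executable=_executable(command), vendor=vendor,
            file_missing=missing,
        )
        entry.flags = _flags(entry)
        entries.append(entry)
    return entries


def suspicious_entries(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Entries carrying at least one review flag, in log order."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious_entries(parse_autostart_entries(SAMPLE_LOG)):
        print(f"{e.hive}\\...\\{e.key} [{e.name!r}] {e.command!r}: {', '.join(e.flags)}")
```

Flagged entries are the ones to verify on disk (does the target exist, who signed it) before deciding anything; a `[x]` entry is often just a leftover from an uninstalled program, so the flags rank what to look at, they do not by themselves identify malware.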
#6 hatestrojans

hatestrojans
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:02:02 AM

Posted 11 July 2013 - 05:56 PM

Hello again Gary,

 

Thanks a lot for your help. Yes, I do recognize sipgate, it's my VoIP application. No, this is a personal computer and not used at an educational institution. I ran FRST successfully and pasted both logs. Oh, and Microsoft Security Essentials uninstalled successfully.

 

Here is the FRST Log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-07-2013 02
Ran by Hund (administrator) on 11-07-2013 18:37:14
Running from C:\Users\Hund\Desktop
Windows 7 Ultimate Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Google Inc.) C:\Users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe
(Google Inc.) C:\Users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1713448 2009-03-18] (Synaptics Incorporated)
HKLM\...\Run: [HSON] - %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [518008 2008-12-18] (TOSHIBA Corporation)
HKLM\...\Run: [ThpSrv] - C:\Windows\system32\thpsrv /logon [x]
HKLM\...\Run: [TosSENotify] - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe [1123840 2009-03-24] (TOSHIBA Corporation)
HKLM\...\Run: [TPCHWMsg] - %ProgramFiles%\TOSHIBA\TPHM\TPCHWMsg.exe [613232 2009-04-09] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [487264 2009-03-06] (TOSHIBA Corporation)
HKLM\...\Run: [IgfxTray] - C:\Windows\system32\igfxtray.exe [162328 2011-02-11] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [386584 2011-02-11] (Intel Corporation)
HKLM\...\Run: [Persistence] - C:\Windows\system32\igfxpers.exe [417304 2011-02-11] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [12503184 2012-06-11] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ToshibaServiceStation] - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60 [1283384 2009-04-01] (TOSHIBA Corporation)
HKLM-x32\...\Run: [RegKillElbyCheck] - "C:\Program Files (x86)\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill [45056 2002-11-02] (Elaborate Bytes AG)
HKLM-x32\...\Run: [RegKillTray] - "C:\Program Files (x86)\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [49152 2002-11-27] (Elaborate Bytes)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [avast] - "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4858968 2013-05-09] (AVAST Software)
HKU\Babbbaa\...\Run: [Google Update] - "C:\Users\Babbbaa\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-27] (Google Inc.)
HKU\Babbbaa\...\Run: [msnmsgr] - "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\Babbbaa\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Guest\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Guest\...\Run: [Google Update] - "C:\Users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-11-09] (Google Inc.)
HKU\Guest\...\RunOnce: [Application Restart #0] - C:\Program Files\Microsoft Security Client\msseces.exe -Recover [x]
Startup: C:\Users\Hund\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sipgate phone.appref-ms ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.ask.com/?l=dis&o=15768
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
StartMenuInternet: IEXPLORE.EXE - "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
BHO: avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO-x32: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
BHO-x32: DivX HiQ - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
DPF: HKLM {AA570693-00E2-4907-B6F1-60A1199B030C} https://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
DPF: HKLM-x32 {001EE746-A1F9-460E-80AD-269E088D6A01} http://site.ebrary.com/lib/wpi/support/plugins/ebraryRdr.cab
DPF: HKLM-x32 {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: HKLM-x32 {3D3B42C2-11BF-4732-A304-A01384B70D68} http://picasaweb.google.com/s/v/67.17/uploader2.cab
DPF: HKLM-x32 {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://vpn.wpi.edu/dana-cached/sc/JuniperSetupClient.cab
Handler-x32: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files (x86)\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
Tcpip\..\Interfaces\{A6AF07A1-9639-46D0-BE66-0F92CB42FA0B}: [NameServer]130.215.32.18 130.215.39.18

FireFox:
========
FF ProfilePath: C:\Users\Hund\AppData\Roaming\Mozilla\Firefox\Path=Profiles\9sbsjj0a.HeinzOGames
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=10.11.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.11.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll No File
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1200112.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @cambridgesoft.com/Chem3D,version=11.0 - C:\Program Files (x86)\CambridgeSoft\ChemOffice2008\Chem3D\npChem3DPlugin.dll (CambridgeSoft Corp.)
FF Plugin-x32: @cambridgesoft.com/ChemDraw,version=11.0 - C:\Program Files (x86)\CambridgeSoft\ChemOffice2008\ChemDraw\npcdp32.dll (CambridgeSoft Corp.)
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @google.com/npPicasa2,version=2.0.0 - C:\Program Files (x86)\Picasa2\npPicasa2.dll (Google, Inc.)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Picasa2\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/JavaPlugin,version=10.21.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll No File
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 - C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Hund\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Hund\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Users\Hund\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Hund\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Hund\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Hund\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Extension: No Name - C:\Users\Hund\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
FF Extension: No Name - C:\Users\Hund\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\html5video
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\html5video
FF HKLM-x32\...\Firefox\Extensions: [{6904342A-8307-11DF-A508-4AE2DFD72085}] C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\wpa
FF Extension: DivX HiQ - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\wpa
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF

==================== Services (Whitelisted) =================

S4 AffinegyService; C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinService.exe [566688 2011-02-24] (Affinegy, Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-05-09] (AVAST Software)
S4 camsvc; C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [20544 2009-04-16] (TOSHIBA)
S4 lxbf_device; C:\Windows\system32\lxbfcoms.exe [566704 2007-04-24] ( )
S4 MsgPlusService; C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe [124832 2012-01-22] (Yuna Software)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [57617752 2009-03-30] (Microsoft Corporation)
S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [427880 2009-03-30] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [33400 2013-05-09] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [80816 2013-05-09] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [72016 2013-05-09] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65336 2013-05-09] ()
R1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [1030952 2013-07-03] (AVAST Software)
R1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [378944 2013-07-03] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [64288 2013-05-09] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [189936 2013-07-03] ()
S2 ElbyCDIO; C:\Windows\SysWow64\Drivers\ElbyCDIO.sys [16320 2002-11-29] (Elaborate Bytes AG)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-07-26] (Duplex Secure Ltd.)
S3 catchme; \??\C:\Combo-Fix\catchme.sys [x]
S2 ElbyCDIO; System32\Drivers\ElbyCDIO.sys [x]
S3 NT_NvcA; system32\DRIVERS\ntnvca.sys [x]
S3 RegKill; System32\Drivers\RegKill.sys [x]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-11 18:35 - 2013-07-11 18:35 - 00000000 ____D C:\FRST
2013-07-11 18:29 - 2013-07-11 18:29 - 01778079 ____A (Farbar) C:\Users\Hund\Desktop\FRST64.exe
2013-07-11 06:52 - 2013-07-11 06:52 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Hund\Desktop\tdsskiller.exe
2013-07-11 02:09 - 2013-07-11 02:09 - 00003480 ____N C:\bootsqm.dat
2013-07-10 23:37 - 2013-07-10 23:37 - 00000580 ____A C:\Users\Hund\Desktop\defogger_disable.log
2013-07-10 23:37 - 2013-07-10 23:37 - 00000020 ____A C:\Users\Hund\defogger_reenable
2013-07-10 23:33 - 2013-07-10 23:34 - 00050477 ____A C:\Users\Hund\Desktop\Defogger.exe
2013-07-08 00:57 - 2013-07-08 01:00 - 00000000 ____D C:\314798d709542a0736b9
2013-07-07 19:22 - 2013-07-07 19:22 - 00013737 ____A C:\Users\Hund\Desktop\attach.txt
2013-07-07 19:22 - 2013-07-07 19:20 - 00017990 ____A C:\Users\Hund\Desktop\dds.txt
2013-07-07 19:01 - 2013-07-07 19:02 - 00688992 ____R (Swearware) C:\Users\Hund\Desktop\dds.com
2013-07-07 18:08 - 2013-07-08 00:48 - 823132160 ____A C:\Users\Hund\Desktop\ubuntu-13.04-desktop-amd64.iso
2013-07-07 18:05 - 2013-07-07 18:02 - 01142835 ____A (pendrivelinux.com) C:\Users\Hund\Desktop\Universal-USB-Installer-1.9.3.6.exe
2013-07-07 16:43 - 2013-07-07 16:43 - 00000003 _RASH C:\win7ldr
2013-07-07 16:42 - 2013-07-07 16:43 - 00000000 ____D C:\Windows\loader
2013-07-07 16:29 - 2013-07-07 16:29 - 00002269 ____A C:\Users\Hund\Desktop\DisableUSBCDDVD.adm
2013-07-06 21:16 - 2013-07-06 21:16 - 00024637 ____A C:\ComboFix.txt
2013-07-06 18:01 - 2013-07-06 21:16 - 00000000 ____D C:\Combo-Fix18873C
2013-07-06 17:33 - 2013-07-11 17:57 - 00026720 ____A C:\Windows\setupact.log
2013-07-06 17:29 - 2013-07-07 15:26 - 00001092 ____A C:\Windows\PFRO.log
2013-07-06 02:05 - 2013-07-11 07:58 - 00050144 ____A C:\Windows\IE10_main.log
2013-07-06 00:11 - 2013-07-06 01:53 - 00000000 ____D C:\Combo-Fix
2013-07-06 00:10 - 2013-07-06 21:16 - 00000000 ____D C:\Qoobox
2013-07-06 00:08 - 2013-07-06 01:38 - 00000000 ____D C:\Windows\erdnt
2013-07-06 00:05 - 2013-07-06 17:56 - 05087096 ____R (Swearware) C:\Users\Hund\Desktop\Combo-Fix.exe
2013-07-05 22:53 - 2013-07-05 22:53 - 00003854 ____A C:\Users\Hund\Desktop\RKreport[0]_D_07052013_225348.txt
2013-07-05 22:53 - 2013-07-05 22:53 - 00003640 ____A C:\Users\Hund\Desktop\RKreport[0]_S_07052013_225340.txt
2013-07-05 20:51 - 2013-07-05 20:51 - 17018248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-07-05 19:54 - 2013-07-11 07:51 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-05 19:54 - 2013-07-05 19:54 - 00003768 ____A C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-07-05 17:15 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
2013-07-05 17:15 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
2013-07-05 17:15 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2013-07-05 17:15 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2013-07-05 17:15 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2013-07-05 17:15 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
2013-07-05 17:15 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
2013-07-05 17:15 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
2013-07-05 16:12 - 2013-07-05 16:12 - 00004016 ____A C:\Users\Hund\Desktop\RKreport[0]_D_07052013_161218.txt
2013-07-05 16:10 - 2013-07-05 16:10 - 00003789 ____A C:\Users\Hund\Desktop\RKreport[0]_S_07052013_161025.txt
2013-07-05 16:05 - 2013-07-05 22:53 - 00000000 ____D C:\Users\Hund\Desktop\RK_Quarantine
2013-07-05 16:00 - 2013-07-05 16:00 - 00915456 ____A C:\Users\Hund\Desktop\RogueKiller.exe
2013-07-05 15:41 - 2013-07-07 16:35 - 00000918 _RASH C:\ProgramData\ntuser.pol
2013-07-05 14:37 - 2013-07-05 14:37 - 00001124 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-05 14:34 - 2013-07-05 14:35 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\Hund\Downloads\mbam-setup-1.75.0.1300.exe
2013-07-05 14:30 - 2013-07-05 14:30 - 00000000 ____A C:\Windows\system32\config\SOFTWARE6d938235
2013-07-05 14:03 - 2013-07-05 14:03 - 00000000 ____D C:\Users\Hund\Desktop\rkill
2013-07-05 14:02 - 2013-07-05 23:04 - 00004358 ____A C:\Users\Hund\Desktop\Rkill.txt
2013-07-05 13:59 - 2013-07-05 14:00 - 01814144 ____A (Bleeping Computer, LLC) C:\Users\Hund\Desktop\rkill.scr
2013-07-05 11:04 - 2013-07-05 11:05 - 00448512 ____A (OldTimer Tools) C:\Users\Hund\Desktop\TFC.exe
2013-07-04 04:24 - 2013-07-04 04:24 - 87556096 ____A C:\Windows\system32\config\SOFTWARE9d9ec41
2013-07-04 01:35 - 2013-07-04 13:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-07-04 01:08 - 2013-07-04 01:08 - 00545954 ____A (Oleg N. Scherbakov) C:\Users\Hund\Desktop\JRT.exe
2013-07-04 00:54 - 2013-07-04 11:46 - 00000000 ____D C:\Users\Hund\Desktop\JavaRa
2013-07-03 21:53 - 2013-07-03 21:53 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-07-03 03:46 - 2013-05-16 22:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-07-03 03:46 - 2013-05-16 22:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-07-03 03:46 - 2013-05-16 18:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-07-03 03:46 - 2013-05-16 18:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-07-03 03:46 - 2013-05-16 18:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-03 03:45 - 2013-05-16 23:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-07-03 03:45 - 2013-05-16 23:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-07-03 03:45 - 2013-05-16 23:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-07-03 03:45 - 2013-05-16 23:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-07-03 03:45 - 2013-05-16 23:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\system32\url.dll
2013-07-03 03:45 - 2013-05-16 22:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-07-03 03:45 - 2013-05-16 22:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-07-03 03:45 - 2013-05-16 18:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-03 03:45 - 2013-05-16 18:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-03 03:45 - 2013-05-16 18:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-07-03 03:45 - 2013-05-16 18:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-07-03 03:45 - 2013-05-16 18:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-07-03 03:45 - 2013-05-16 18:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-03 03:44 - 2013-05-16 22:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-07-03 03:44 - 2013-05-16 22:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-07-03 03:44 - 2013-05-16 22:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-07-03 03:44 - 2013-05-16 22:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-07-03 03:44 - 2013-05-16 22:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-07-03 03:44 - 2013-05-16 19:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-03 03:44 - 2013-05-16 18:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-03 03:44 - 2013-05-16 18:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-03 03:44 - 2013-05-16 18:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-03 03:44 - 2013-05-16 18:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-03 03:44 - 2013-05-16 18:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-03 03:43 - 2013-05-17 00:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-07-03 03:43 - 2013-05-16 23:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-07-03 03:43 - 2013-05-16 18:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-03 02:32 - 2013-07-03 02:32 - 00000175 ____A C:\Windows\system32\Drivers\aswVmm.sys.sum
2013-07-03 02:32 - 2013-07-03 02:32 - 00000175 ____A C:\Windows\system32\Drivers\aswSP.sys.sum
2013-07-03 02:32 - 2013-07-03 02:32 - 00000175 ____A C:\Windows\system32\Drivers\aswSnx.sys.sum
2013-07-03 02:20 - 2013-07-11 18:29 - 00003924 ____A C:\Windows\System32\Tasks\avast! Emergency Update
2013-07-03 02:20 - 2013-07-11 18:29 - 00001933 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-07-03 02:20 - 2013-07-03 02:32 - 01030952 ____A (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2013-07-03 02:20 - 2013-07-03 02:32 - 00378944 ____A (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2013-07-03 02:20 - 2013-07-03 02:32 - 00189936 ____A C:\Windows\system32\Drivers\aswVmm.sys
2013-07-03 02:20 - 2013-05-09 04:59 - 00080816 ____A (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2013-07-03 02:20 - 2013-05-09 04:59 - 00072016 ____A (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2013-07-03 02:20 - 2013-05-09 04:59 - 00065336 ____A C:\Windows\system32\Drivers\aswRvrt.sys
2013-07-03 02:20 - 2013-05-09 04:59 - 00064288 ____A (AVAST Software) C:\Windows\system32\Drivers\aswTdi.sys
2013-07-03 02:20 - 2013-05-09 04:59 - 00033400 ____A (AVAST Software) C:\Windows\system32\Drivers\aswFsBlk.sys
2013-07-03 02:20 - 2013-05-09 04:58 - 00287840 ____A (AVAST Software) C:\Windows\system32\aswBoot.exe
2013-07-03 02:19 - 2013-05-09 04:58 - 00041664 ____A (AVAST Software) C:\Windows\avastSS.scr
2013-07-03 02:16 - 2013-07-03 02:17 - 117478104 ____A C:\Users\Hund\Downloads\avast_free_antivirus_setup.exe
2013-07-02 23:11 - 2013-07-02 23:12 - 00488656 ____A C:\Windows\Minidump\070213-187091-01.dmp
2013-07-02 21:05 - 2013-07-03 02:19 - 00000000 ____D C:\Program Files\AVAST Software
2013-07-02 21:03 - 2013-07-03 02:19 - 00000000 ____D C:\ProgramData\AVAST Software
2013-07-01 23:18 - 2013-07-01 23:18 - 00000005 ____A C:\Users\Hund\AppData\Roaming\mbam.context.scan
2013-06-28 22:58 - 2013-06-30 16:28 - 00000000 ____D C:\Users\Hund\Desktop\DocumentWebsite
2013-06-16 16:18 - 2013-06-16 16:18 - 00000000 ____D C:\Users\Hund\Desktop\Collision
2013-06-13 19:08 - 2013-06-13 19:08 - 00645654 ____A C:\Users\Hund\Desktop\Outlook2.bmp
2013-06-13 19:08 - 2013-06-13 19:08 - 00561202 ___AT C:\Users\Hund\Desktop\Outlook1.bmp

==================== One Month Modified Files and Folders =======

2013-07-11 18:35 - 2013-07-11 18:35 - 00000000 ____D C:\FRST
2013-07-11 18:30 - 2012-04-27 01:30 - 00000916 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1008UA.job
2013-07-11 18:29 - 2013-07-11 18:29 - 01778079 ____A (Farbar) C:\Users\Hund\Desktop\FRST64.exe
2013-07-11 18:29 - 2013-07-03 02:20 - 00003924 ____A C:\Windows\System32\Tasks\avast! Emergency Update
2013-07-11 18:29 - 2013-07-03 02:20 - 00001933 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-07-11 18:29 - 2010-07-26 11:49 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2013-07-11 18:27 - 2010-11-09 23:07 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1000UA.job
2013-07-11 18:22 - 2011-01-29 15:35 - 00001945 ____A C:\Windows\epplauncher.mif
2013-07-11 18:18 - 2010-07-25 19:50 - 01395734 ____A C:\Windows\WindowsUpdate.log
2013-07-11 18:10 - 2010-07-25 19:31 - 00013456 ___AH C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-11 18:10 - 2010-07-25 19:31 - 00013456 ___AH C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-11 18:03 - 2010-10-24 02:56 - 00000000 ____D C:\Users\Hund\AppData\Local\Deployment
2013-07-11 18:00 - 2010-02-12 16:38 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-11 18:00 - 2010-02-12 16:38 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-11 17:57 - 2013-07-06 17:33 - 00026720 ____A C:\Windows\setupact.log
2013-07-11 17:57 - 2009-07-14 01:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-11 08:19 - 2009-07-20 14:25 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-07-11 07:59 - 2010-07-26 11:35 - 78185248 ____A (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-07-11 07:58 - 2013-07-06 02:05 - 00050144 ____A C:\Windows\IE10_main.log
2013-07-11 07:58 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-11 07:51 - 2013-07-05 19:54 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-11 07:37 - 2010-11-09 23:07 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1000Core.job
2013-07-11 07:37 - 2010-08-15 15:53 - 00000000 ____D C:\Users\Hund\Documents\Outlook Files
2013-07-11 06:52 - 2013-07-11 06:52 - 02237968 ____A (Kaspersky Lab ZAO) C:\Users\Hund\Desktop\tdsskiller.exe
2013-07-11 02:09 - 2013-07-11 02:09 - 00003480 ____N C:\bootsqm.dat
2013-07-10 23:37 - 2013-07-10 23:37 - 00000580 ____A C:\Users\Hund\Desktop\defogger_disable.log
2013-07-10 23:37 - 2013-07-10 23:37 - 00000020 ____A C:\Users\Hund\defogger_reenable
2013-07-10 23:37 - 2010-07-25 19:32 - 00000000 ____D C:\Users\Hund
2013-07-10 23:34 - 2013-07-10 23:33 - 00050477 ____A C:\Users\Hund\Desktop\Defogger.exe
2013-07-10 23:17 - 2009-07-14 01:13 - 00871394 ____A C:\Windows\system32\PerfStringBackup.INI
2013-07-08 01:00 - 2013-07-08 00:57 - 00000000 ____D C:\314798d709542a0736b9
2013-07-08 00:48 - 2013-07-07 18:08 - 823132160 ____A C:\Users\Hund\Desktop\ubuntu-13.04-desktop-amd64.iso
2013-07-07 20:30 - 2012-04-27 01:30 - 00000864 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1008Core.job
2013-07-07 19:22 - 2013-07-07 19:22 - 00013737 ____A C:\Users\Hund\Desktop\attach.txt
2013-07-07 19:20 - 2013-07-07 19:22 - 00017990 ____A C:\Users\Hund\Desktop\dds.txt
2013-07-07 19:02 - 2013-07-07 19:01 - 00688992 ____R (Swearware) C:\Users\Hund\Desktop\dds.com
2013-07-07 18:02 - 2013-07-07 18:05 - 01142835 ____A (pendrivelinux.com) C:\Users\Hund\Desktop\Universal-USB-Installer-1.9.3.6.exe
2013-07-07 16:43 - 2013-07-07 16:43 - 00000003 _RASH C:\win7ldr
2013-07-07 16:43 - 2013-07-07 16:42 - 00000000 ____D C:\Windows\loader
2013-07-07 16:42 - 2010-07-25 20:15 - 00203316 _RASH C:\grldr
2013-07-07 16:39 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\oobe
2013-07-07 16:35 - 2013-07-05 15:41 - 00000918 _RASH C:\ProgramData\ntuser.pol
2013-07-07 16:32 - 2009-07-13 23:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2013-07-07 16:29 - 2013-07-07 16:29 - 00002269 ____A C:\Users\Hund\Desktop\DisableUSBCDDVD.adm
2013-07-07 15:50 - 2010-10-24 02:56 - 00000000 ____D C:\Users\Hund\AppData\Local\Apps\2.0
2013-07-07 15:26 - 2013-07-06 17:29 - 00001092 ____A C:\Windows\PFRO.log
2013-07-06 21:16 - 2013-07-06 21:16 - 00024637 ____A C:\ComboFix.txt
2013-07-06 21:16 - 2013-07-06 18:01 - 00000000 ____D C:\Combo-Fix18873C
2013-07-06 21:16 - 2013-07-06 00:10 - 00000000 ____D C:\Qoobox
2013-07-06 20:55 - 2009-07-13 22:34 - 00000215 ____A C:\Windows\system.ini
2013-07-06 17:56 - 2013-07-06 00:05 - 05087096 ____R (Swearware) C:\Users\Hund\Desktop\Combo-Fix.exe
2013-07-06 01:53 - 2013-07-06 00:11 - 00000000 ____D C:\Combo-Fix
2013-07-06 01:53 - 2009-07-13 23:20 - 00000000 __RHD C:\Users\Default
2013-07-06 01:38 - 2013-07-06 00:08 - 00000000 ____D C:\Windows\erdnt
2013-07-05 23:04 - 2013-07-05 14:02 - 00004358 ____A C:\Users\Hund\Desktop\Rkill.txt
2013-07-05 22:53 - 2013-07-05 22:53 - 00003854 ____A C:\Users\Hund\Desktop\RKreport[0]_D_07052013_225348.txt
2013-07-05 22:53 - 2013-07-05 22:53 - 00003640 ____A C:\Users\Hund\Desktop\RKreport[0]_S_07052013_225340.txt
2013-07-05 22:53 - 2013-07-05 16:05 - 00000000 ____D C:\Users\Hund\Desktop\RK_Quarantine
2013-07-05 20:52 - 2012-04-16 15:51 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-07-05 20:52 - 2011-10-21 17:55 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-07-05 20:51 - 2013-07-05 20:51 - 17018248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-07-05 19:54 - 2013-07-05 19:54 - 00003768 ____A C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-07-05 19:51 - 2009-10-09 13:58 - 00000000 ____D C:\Users\Hund\AppData\Local\Adobe
2013-07-05 19:38 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2013-07-05 16:12 - 2013-07-05 16:12 - 00004016 ____A C:\Users\Hund\Desktop\RKreport[0]_D_07052013_161218.txt
2013-07-05 16:10 - 2013-07-05 16:10 - 00003789 ____A C:\Users\Hund\Desktop\RKreport[0]_S_07052013_161025.txt
2013-07-05 16:09 - 2009-09-12 13:16 - 00000000 ___RD C:\Users\Hund\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-07-05 16:00 - 2013-07-05 16:00 - 00915456 ____A C:\Users\Hund\Desktop\RogueKiller.exe
2013-07-05 14:39 - 2011-10-18 18:37 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-07-05 14:37 - 2013-07-05 14:37 - 00001124 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-05 14:35 - 2013-07-05 14:34 - 10285040 ____A (Malwarebytes Corporation                                    ) C:\Users\Hund\Downloads\mbam-setup-1.75.0.1300.exe
2013-07-05 14:30 - 2013-07-05 14:30 - 00000000 ____A C:\Windows\system32\config\SOFTWARE6d938235
2013-07-05 14:03 - 2013-07-05 14:03 - 00000000 ____D C:\Users\Hund\Desktop\rkill
2013-07-05 14:00 - 2013-07-05 13:59 - 01814144 ____A (Bleeping Computer, LLC) C:\Users\Hund\Desktop\rkill.scr
2013-07-05 11:05 - 2013-07-05 11:04 - 00448512 ____A (OldTimer Tools) C:\Users\Hund\Desktop\TFC.exe
2013-07-04 13:15 - 2013-07-04 01:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-07-04 13:13 - 2012-04-26 16:11 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-07-04 11:46 - 2013-07-04 00:54 - 00000000 ____D C:\Users\Hund\Desktop\JavaRa
2013-07-04 04:24 - 2013-07-04 04:24 - 87556096 ____A C:\Windows\system32\config\SOFTWARE9d9ec41
2013-07-04 01:08 - 2013-07-04 01:08 - 00545954 ____A (Oleg N. Scherbakov) C:\Users\Hund\Desktop\JRT.exe
2013-07-04 00:54 - 2010-02-12 16:38 - 00003894 ____A C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-07-04 00:54 - 2010-02-12 16:38 - 00003642 ____A C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-07-03 21:53 - 2013-07-03 21:53 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-07-03 08:50 - 2011-01-29 15:35 - 00865610 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2013-07-03 02:32 - 2013-07-03 02:32 - 00000175 ____A C:\Windows\system32\Drivers\aswVmm.sys.sum
2013-07-03 02:32 - 2013-07-03 02:32 - 00000175 ____A C:\Windows\system32\Drivers\aswSP.sys.sum
2013-07-03 02:32 - 2013-07-03 02:32 - 00000175 ____A C:\Windows\system32\Drivers\aswSnx.sys.sum
2013-07-03 02:32 - 2013-07-03 02:20 - 01030952 ____A (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2013-07-03 02:32 - 2013-07-03 02:20 - 00378944 ____A (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2013-07-03 02:32 - 2013-07-03 02:20 - 00189936 ____A C:\Windows\system32\Drivers\aswVmm.sys
2013-07-03 02:31 - 2010-08-01 19:17 - 00000000 ____D C:\Users\Hund\AppData\Roaming\vlc
2013-07-03 02:29 - 2010-08-09 00:11 - 00000000 ____D C:\Users\Hund\AppData\Roaming\Mozilla
2013-07-03 02:19 - 2013-07-02 21:05 - 00000000 ____D C:\Program Files\AVAST Software
2013-07-03 02:19 - 2013-07-02 21:03 - 00000000 ____D C:\ProgramData\AVAST Software
2013-07-03 02:17 - 2013-07-03 02:16 - 117478104 ____A C:\Users\Hund\Downloads\avast_free_antivirus_setup.exe
2013-07-02 23:12 - 2013-07-02 23:11 - 00488656 ____A C:\Windows\Minidump\070213-187091-01.dmp
2013-07-02 23:11 - 2010-11-17 12:35 - 00000000 ____D C:\Windows\Minidump
2013-07-02 22:37 - 2013-05-16 11:52 - 00000000 ____D C:\Users\Hund\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2013-07-02 22:37 - 2011-10-15 04:53 - 00000000 ____D C:\Users\Hund\Desktop\Flash Stuff
2013-07-02 22:37 - 2011-07-31 19:16 - 00000000 ____D C:\Users\Hund\AppData\Roaming\dvdcss
2013-07-02 22:37 - 2011-07-08 18:44 - 00000000 ____D C:\Users\Babbbaa
2013-07-02 22:37 - 2011-07-08 18:35 - 00000000 ____D C:\Users\Guest
2013-07-02 22:37 - 2011-04-07 23:58 - 00000000 ____D C:\Program Files (x86)\Yuna Software
2013-07-02 22:37 - 2011-01-31 00:23 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-07-02 22:37 - 2010-07-26 20:19 - 00000000 ____D C:\Users\Hund\AppData\Roaming\Azureus
2013-07-02 22:37 - 2010-07-26 18:03 - 00000000 ____D C:\Users\Hund\AppData\Local\Microsoft Help
2013-07-02 22:37 - 2009-07-13 23:20 - 00000000 __RSD C:\Windows\Media
2013-07-02 22:37 - 2009-07-13 23:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-07-02 22:34 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
2013-07-02 22:30 - 2013-05-16 11:52 - 00000000 ____D C:\Users\Hund\AppData\Roaming\Dropbox
2013-07-02 22:30 - 2011-01-31 00:23 - 00000000 ____D C:\Users\Hund\AppData\Roaming\Skype
2013-07-02 22:30 - 2010-09-26 21:39 - 00000000 ____D C:\Users\Hund\AppData\Local\Yahoo
2013-07-02 22:29 - 2011-01-31 00:23 - 00000000 ____D C:\ProgramData\Skype
2013-07-01 23:18 - 2013-07-01 23:18 - 00000005 ____A C:\Users\Hund\AppData\Roaming\mbam.context.scan
2013-06-30 16:28 - 2013-06-28 22:58 - 00000000 ____D C:\Users\Hund\Desktop\DocumentWebsite
2013-06-25 22:20 - 2012-08-23 00:24 - 00000000 ____D C:\ProgramData\Messenger Plus! for Skype
2013-06-16 16:18 - 2013-06-16 16:18 - 00000000 ____D C:\Users\Hund\Desktop\Collision
2013-06-13 19:08 - 2013-06-13 19:08 - 00645654 ____A C:\Users\Hund\Desktop\Outlook2.bmp
2013-06-13 19:08 - 2013-06-13 19:08 - 00561202 ___AT C:\Users\Hund\Desktop\Outlook1.bmp

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-06-23 00:29

==================== End Of Log ============================

Here is the Addition Log:


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-07-2013 02
Ran by Hund at 2013-07-11 18:43:33
Running from C:\Users\Hund\Desktop
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

3 ACM Codec
Acrobat.com (x32 Version: 1.6.65)
Adobe AIR (x32 Version: 2.5.1.17730)
Adobe Community Help (x32 Version: 3.4.980)
Adobe Flash Player 11 ActiveX (x32 Version: 11.7.700.224)
Adobe Flash Player 11 Plugin (x32 Version: 11.7.700.224)
Adobe Flash Professional CS5.5 (x32 Version: 11.5)
Adobe Reader X (10.1.7) (x32 Version: 10.1.7)
Adobe Shockwave Player 12.0 (x32 Version: 12.0.0.112)
Antares Autotune VST RTAS TDM v5.08 (x32)
Apple Application Support (x32 Version: 1.5.1)
Apple Software Update (x32 Version: 2.1.2.120)
Application Verifier (x64) (Version: 4.1.1078)
ASIO4ALL (x32)
Audacity 1.3.13 (Unicode) (x32)
Autobahn Raser - Das Spiel zum Film (x32 Version: 1.0.0.0)
avast! Free Antivirus (x32 Version: 8.0.1489.0)
AviSynth 2.5 (x32)
AVStoDVD 2.3.1 (x32 Version: 2.3.1)
Belkin Setup and Router Monitor (x32)
Bonjour (Version: 2.0.5.0)
CambridgeSoft Activation Client (x32 Version: 11.0)
CambridgeSoft ChemDraw Ultra 11.0 (x32 Version: 11.0)
CodeBlocks (HKCU Version: 10.05)
ConvertHelper 2.2 (x32)
D3DX10 (x32 Version: 15.4.2368.0902)
Debugging Tools for Windows (x64) (Version: 6.12.2.633)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (x32)
Direct DiscRecorder (x32 Version: 1.00.0000)
DivX Setup (x32 Version: 2.5.0.8)
DjVuLibre+DjView (x32 Version: 3.5.24+4.7)
Dolby Control Center (Version: 2.2.1)
Dropbox (HKCU Version: 2.0.12)
DVD MovieFactory for TOSHIBA (x32 Version: 7.0.0)
DVD Region Killer (x32)
DwimPerl version 0.07 (x32 Version: 0.07)
EES - Engineering Equation Solver (x32)
FL Studio 8 (x32)
GameRanger (HKCU)
GIMP 2.6.11 (x32 Version: 2.6.11)
Google Earth Plug-in (x32 Version: 7.0.3.8542)
Google Talk Plugin (x32 Version: 3.19.1.13088)
Google Talk Plugin (x32 Version: 4.1.3.13728)
Google Update Helper (x32 Version: 1.3.21.149)
Haali Media Splitter (x32)
HP Deskjet 1000 J110 series Basic Device Software (Version: 22.50.231.0)
HP Deskjet 1000 J110 series Help (x32 Version: 140.0.65.65)
HP Update (x32 Version: 5.002.006.003)
HTC Driver Installer (x32 Version: 2.0.7.016)
IL Download Manager (x32)
ImgBurn (x32 Version: 2.5.1.0)
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless WiFi Software (Version: 12.04.0000)
Intel® Matrix Storage Manager
iTunes (Version: 10.2.2.12)
Java 7 Update 11 (64-bit) (Version: 7.0.110)
Java 7 Update 21 (x32 Version: 7.0.210)
Java Auto Updater (x32 Version: 2.1.9.5)
Java SE Development Kit 7 Update 11 (64-bit) (Version: 1.7.0.110)
Java™ 6 Update 37 (x32 Version: 6.0.370)
JonDo (x32)
Juniper Networks Network Connect 7.1.0 (x32 Version: 7.1.0.20169)
Juniper Networks Network Connect 7.2.0 (x32 Version: 7.2.0.21397)
Juniper Networks Network Connect 7.3.1 (x32 Version: 7.3.1.21949)
Juniper Networks, Inc. Setup Client (HKCU Version: 7.3.1.26369)
Juniper Networks, Inc. Setup Client 64-bit Activex Control (Version: 2.1.1.1)
LAME v3.98.3 for Audacity (x32)
Lexmark X6100 Series
LightScribe  1.4.124.1 (x32 Version: 1.4.124.1)
LinuxLive USB Creator (x32 Version: 2.8)
Magic ISO Maker v5.5 (build 0281) (x32)
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300)
Maple 13
Maple 13 (x32 Version: 13.0.0.0)
Maple 14
Maple 14 (x32 Version: 14.0.0.0)
Maple Toolbox (x32 Version: 14.0.0.0)
Mathcad 15 M010 (x32 Version: 15.0.1.0)
MATLAB R2010b (Version: 7.11)
MATLAB R2011a (Version: 7.12)
Messenger Plus! 5 (x32 Version: 5.50.0.761)
Messenger Plus! for Skype (x32 Version: 0.7.0.75)
MestReC 4.7.0 (x32)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Client Profile DEU Language Pack (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft .NET Framework 4 Multi-Targeting Pack (x32 Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Application Error Reporting (x32 Version: 12.0.6012.5000)
Microsoft Help Viewer 1.0 (Version: 1.0.30319)
Microsoft Motocross Madness 2 (x32)
Microsoft Office 2010 Service Pack 1 (SP1) (x32)
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Groove MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft SQL Server 2008 (64-bit)
Microsoft SQL Server 2008 Browser (x32 Version: 10.1.2531.0)
Microsoft SQL Server 2008 Common Files (Version: 10.0.1600.22)
Microsoft SQL Server 2008 Common Files (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Database Engine Services (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Database Engine Shared (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Native Client (Version: 10.1.2531.0)
Microsoft SQL Server 2008 RsFx Driver (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Setup Support Files  (Version: 10.1.2731.0)
Microsoft SQL Server Compact 3.5 SP2 ENU (x32 Version: 3.5.8080.0)
Microsoft SQL Server Compact 3.5 SP2 x64 ENU (Version: 3.5.8080.0)
Microsoft SQL Server VSS Writer (Version: 10.1.2531.0)
Microsoft Visual C++  Compilers 2010 Standard - enu - x64 (Version: 10.0.30319)
Microsoft Visual C++  Compilers 2010 Standard - enu - x86 (x32 Version: 10.0.30319)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (x32 Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (x32 Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (x32 Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (x32 Version: 10.0.30319)
Microsoft Visual C++ 2010 Express - ENU (x32 Version: 10.0.30319)
Microsoft Visual Studio 2010 Express Prerequisites x64 - ENU (Version: 10.0.30319)
Microsoft Windows Performance Toolkit (Version: 4.8.0)
Microsoft Windows SDK .NET Framework Tools (30514) (Version: 7.1.30514)
Microsoft Windows SDK for Visual Studio .NET 4.0 Framework Tools (Version: 7.1.30514)
Microsoft Windows SDK for Windows 7 (7.1) (Version: 7.1.30514)
Microsoft Windows SDK for Windows 7 (7.1) (Version: 7.1.7600.0.30514)
Microsoft Windows SDK for Windows 7 Common Utilities (30514) (Version: 7.1.30514)
Microsoft Windows SDK for Windows 7 Headers and Libraries (30514) (Version: 7.1.30514)
Microsoft Windows SDK for Windows 7 Samples (30514) (Version: 7.1.30514)
Microsoft Windows SDK for Windows 7 Utilities for Win32 Development (30514) (Version: 7.1.30514)
Microsoft Windows SDK Intellisense and Reference Assemblies (30514) (Version: 7.1.30514)
Microsoft Windows SDK MSHelp (30514) (Version: 7.1.30514)
Microsoft Windows SDK Net Fx Interop Headers And Libraries (30514) (Version: 7.1.30514)
Microsoft Works (x32 Version: 9.7.0621)
Microsoft WSE 3.0 Runtime (x32 Version: 3.0.5305.0)
Microsoft_VC80_ATL_x86 (x32 Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (x32 Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (x32 Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (x32 Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (x32 Version: 1.00.0000)
Microsoft_VC90_ATL_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (x32 Version: 1.00.0000)
Microsoft_VC90_CRT_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (x32 Version: 1.00.0000)
Microsoft_VC90_MFC_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_MFCLOC_x86 (x32 Version: 1.00.0000)
Mozilla Firefox 22.0 (x86 en-US) (x32 Version: 22.0)
Mozilla Maintenance Service (x32 Version: 22.0)
MSVCRT (x32 Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB941833) (x32 Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0)
NetZero Internet (x32 Version: 8.7.7.0)
Netzero Internet Access Installer (x32 Version: 1.0.Q1.09)
No Man's Land (x32)
PDF Settings CS5 (x32 Version: 10.0)
Picasa 3 (x32 Version: 3.8)
PlayReady PC runtime (Version: 1)
PoiZone (x32)
Polymath 5.1 (x32 Version: 5.10.0233)
QuickTime (x32 Version: 7.69.80.9)
Realtek 8136 8168 8169 Ethernet Driver (x32 Version: 1.00.0004)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.6662)
RICOH R5U230 Media Driver ver.2.02.02.01 (x32 Version: 2.02.02.01)
Service Pack 1 for SQL Server 2008 (KB968369) (64-bit) (Version: 10.1.2531.0)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002) (x32 Version: 1.0.0)
SimUText (x32 Version: 1.5.3)
sipgate phone (HKCU Version: 1.0.0.27)
Skype Launcher (x32 Version: 1.0)
Skype™ 6.3 (x32 Version: 6.3.105)
Spelling Dictionaries Support For Adobe Reader 9 (x32 Version: 9.0.0)
Sql Server Customer Experience Improvement Program (Version: 10.1.2531.0)
Stronghold (x32)
swMSM (x32 Version: 12.0.0.1)
Synaptics Pointing Device Driver (Version: 12.2.10.0)
The Settlers III Gold Edition (x32)
The Sims™ 3 (x32 Version: 1.17.60)
The Sims™ 3 Late Night (x32 Version: 6.0.81)
TOSHIBA Agreement Notification Utility (x32 Version: 1.0.11.0)
Toshiba Application Installer (x32 Version: 9.0.0.4)
TOSHIBA Assist (x32 Version: 3.00.08)
TOSHIBA Disc Creator (Version: 2.0.1.3 for x64)
TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)
TOSHIBA Extended Tiles for Windows Mobility Center (x32 Version: )
TOSHIBA Face Recognition (Version: 3.0.4.64)
TOSHIBA Face Recognition (x32 Version: 3.0.4.64)
TOSHIBA Hardware Setup (x32 Version: 2.00.03)
TOSHIBA HDD Protection (Version: 2.1.2.9)
TOSHIBA HDD/SSD Alert (Version: 3.0.64.0)
TOSHIBA HDD/SSD Alert (x32 Version: 3.0.64.0)
TOSHIBA Internal Modem Region Select Utility (Version: 2.3.0.00)
TOSHIBA Internal Modem Region Select Utility (x32 Version: )
TOSHIBA PC Health Monitor (Version: 1.3.1.64)
Toshiba Quality Application (x32 Version: 1.001.0000)
TOSHIBA Recovery Disc Creator (Version: 2.0.0.2 for x64)
Toshiba Resources Page (x32 Version: 1.0.2.1)
TOSHIBA SD Memory Utilities (Version: 1.9.1.12)
TOSHIBA Service Station (x32 Version: 2.0.26)
TOSHIBA Software Modem
TOSHIBA Speech System Applications (x32)
TOSHIBA Speech System SR Engine(U.S.) Version1.0 (x32)
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 (x32)
TOSHIBA Supervisor Password (x32 Version: 2.00.02)
TOSHIBA USB Sleep and Charge Utility (x32 Version: 1.2.1.0)
TOSHIBA Value Added Package (Version: 1.2.8.64)
TOSHIBA Value Added Package (x32 Version: 1.2.8.64)
TOSHIBA Web Camera Application (x32 Version: 1.0.1.8)
Toxic Biohazard (x32)
Unity Web Player (HKCU Version: )
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (x32 Version: 1)
Update for Microsoft Office 2010 (KB2494150) (x32)
Update for Microsoft Office 2010 (KB2553065) (x32)
Update for Microsoft Office 2010 (KB2553092) (x32)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2566458) (x32)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition (x32)
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition (x32)
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition (x32)
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition (x32)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (x32)
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition (x32)
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition (x32)
VC80CRTRedist - 8.0.50727.4053 (x32 Version: 1.1.0)
VLC media player 2.0.4 (x32 Version: 2.0.4)
Vuze (x32 Version: 4.6)
Windows 7 Codec Pack 2.6.1 (x32)
Windows Driver Package - TOSHIBA (FwLnk) System  (11/19/2006 1.0.0.3) (Version: 11/19/2006 1.0.0.3)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (x32 Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3555.0308)
Windows Live Messenger (x32 Version: 15.4.3538.0513)
Windows Live Photo Common (x32 Version: 15.4.3502.0922)
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109)
Windows Live SOXE (x32 Version: 15.4.3502.0922)
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922)
Windows Live UX Platform (x32 Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109)
Windows Media Player Firefox Plugin (x32 Version: 1.0.0.8)
Windows Movie Maker 2.6 (x32 Version: 2.6.4037.0)
Windows SDK IntellisenseNFX (x32 Version: 7.1.30514)
WinRAR archiver
Yahoo! Messenger (x32)
Yahoo! Software Update (x32)

==================== Restore Points  =========================

06-07-2013 06:00:53 Windows Update
07-07-2013 02:51:26 Windows Update
08-07-2013 05:29:16 Windows Update
11-07-2013 03:21:36 Windows Update
11-07-2013 11:40:00 Windows Update

==================== Hosts content: ==========================

2013-02-22 17:17 - 2013-07-06 01:29 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {0907A3A8-F352-4CC7-A9AF-1892E0D75805} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\Windows\ehome\mcupdate.exe No File
Task: {0AEAFAF6-F116-4A60-AFB4-C8B755A6E975} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {1920043F-4ABF-443C-B5F3-640DAA476964} - System32\Tasks\Microsoft\Windows Live\SOXE\Extractor Definitions Update Task
Task: {2B76B9F3-8167-4D59-9D49-743970F1F46F} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => C:\program files\windows defender\MpCmdRun.exe [2009-07-13] (Microsoft Corporation)
Task: {2C2CC386-9E43-4375-BF6B-28EFF797B00E} - System32\Tasks\{68C90D97-C9EF-4F50-A773-EA867CBAB614} => C:\Users\Hund\Downloads\Settlers, The\LOADPATS.EXE No File
Task: {2C52C88D-82D3-4FBE-B807-1520BD29A421} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2013-05-09] (AVAST Software)
Task: {2F876BD8-3DF0-4193-AD51-67BA76D336E3} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-05] (Adobe Systems Incorporated)
Task: {53497D80-782D-4B68-A6CB-7B5F90E39DE6} - System32\Tasks\Microsoft\Windows Defender\MpIdleTask => C:\program files\windows defender\MpCmdRun.exe [2009-07-13] (Microsoft Corporation)
Task: {68285341-00FF-4BC1-BAD4-EA3C713BE041} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-02-12] (Google Inc.)
Task: {712C6861-2B14-4E72-92BA-22B6921FE2B7} - System32\Tasks\Microsoft\Windows\Wired\GatherWiredInfo => C:\Windows\system32\gatherWiredInfo.vbs No File
Task: {718F10D5-9B5E-4FC5-94CB-38CDC1FB8982} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1008Core => C:\Users\Babbbaa\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-27] (Google Inc.)
Task: {7EC7D10F-D6EA-4996-9D43-63C1120D7925} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\Windows\ehome\ehrec.exe No File
Task: {8798EA1F-521D-4E4D-A9D8-2B48C15AE7CC} - System32\Tasks\{5E199DBE-24B8-4783-937B-E3F87F34C709} => C:\Program Files (x86)\Skype\\Phone\Skype.exe [2013-02-28] (Skype Technologies S.A.)
Task: {9A8F444C-D8A8-44A4-B3A2-E6DE4F23D149} - System32\Tasks\{3E5BDC79-C73E-46DE-8D05-128CC442A788} => C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2013-05-16] (Microsoft Corporation)
Task: {9CB41F60-313A-470F-8DD7-DCCA3238FC3B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-02-12] (Google Inc.)
Task: {A452DB94-D593-4C77-A1DE-A7D1E0DE1A2C} - System32\Tasks\WPD\SqmUpload_S-1-5-21-3284609583-1217171543-3846507198-1008 => C:\Windows\system32\rundll32.exe [2009-07-13] (Microsoft Corporation)
Task: {B314280B-26DB-4CB5-BB5F-3DA74B629FD0} - System32\Tasks\{09B99539-86F2-43A3-B2CA-4965730FF594} => C:\Users\Hund\Downloads\Settlers, The\LOADPATS.EXE No File
Task: {BCCEE8CE-20F1-4594-A6ED-F6F66926C915} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1000UA => C:\Users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-09] (Google Inc.)
Task: {CD900127-CC75-4E9E-9E86-EAFCCA0DC0FB} - System32\Tasks\{B3FA53D4-E39E-4B51-BF54-73F0DB170C56} => C:\SETUP.EXE No File
Task: {D01C461F-16E2-48D3-AB83-C82FCE845806} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1000Core => C:\Users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-09] (Google Inc.)
Task: {E35DDB16-AE4B-4F8D-A933-DD5673D173E7} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1008UA => C:\Users\Babbbaa\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-27] (Google Inc.)
Task: {E91D6474-70CC-42BE-80FF-8BED8AF557ED} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs No File
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1000Core.job => C:\Users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1000UA.job => C:\Users\Hund\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1008Core.job => C:\Users\Babbbaa\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3284609583-1217171543-3846507198-1008UA.job => C:\Users\Babbbaa\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/11/2013 06:08:08 PM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/11/2013 07:10:59 AM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/11/2013 06:38:33 AM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/10/2013 11:23:40 PM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/07/2013 05:12:18 PM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/07/2013 03:59:46 PM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/06/2013 07:09:48 PM) (Source: Application Error) (User: )
Description: Faulting application name: PEV.exe, version: 0.0.0.0, time stamp: 0x4e06cfe8
Faulting module name: PEV.exe, version: 0.0.0.0, time stamp: 0x4e06cfe8
Exception code: 0x40000015
Fault offset: 0x0008d1c0
Faulting process id: 0x8ac
Faulting application start time: 0xPEV.exe0
Faulting application path: PEV.exe1
Faulting module path: PEV.exe2
Report Id: PEV.exe3

Error: (07/06/2013 05:46:43 PM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/06/2013 01:02:40 AM) (Source: Application Error) (User: )
Description: Faulting application name: PEV.exe, version: 0.0.0.0, time stamp: 0x4e06cfe8
Faulting module name: PEV.exe, version: 0.0.0.0, time stamp: 0x4e06cfe8
Exception code: 0x40000015
Fault offset: 0x0008d1c0
Faulting process id: 0xfc4
Faulting application start time: 0xPEV.exe0
Faulting application path: PEV.exe1
Faulting module path: PEV.exe2
Report Id: PEV.exe3

Error: (07/05/2013 02:59:40 PM) (Source: TOSHIBA Service Station) (User: )
Description: TSS Load: could not communicate with TMachInfo service


System errors:
=============
Error: (07/11/2013 05:57:39 PM) (Source: Service Control Manager) (User: )
Description: The ElbyCDIO Driver service failed to start due to the following error:
%%1275

Error: (07/11/2013 05:57:39 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\ElbyCDIO.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/11/2013 05:57:12 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\RegKill.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/11/2013 08:20:32 AM) (Source: Microsoft Antimalware) (User: )
Description: %%8604.2.0223.01.153.1481.07%%859NT AUTHORITYSYSTEMS-1-5-181%%8001%%8031.1.9607.00x8024001eAn unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 2%%853http://www.microsoft.com

Error: (07/11/2013 08:20:32 AM) (Source: Microsoft Antimalware) (User: )
Description: %%8604.2.0223.01.153.1481.07%%859NT AUTHORITYSYSTEMS-1-5-181%%8001%%8031.1.9607.00x8024001eAn unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 2%%853http://www.microsoft.com

Error: (07/11/2013 07:38:18 AM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (07/11/2013 06:58:47 AM) (Source: Service Control Manager) (User: )
Description: The ElbyCDIO Driver service failed to start due to the following error:
%%1275

Error: (07/11/2013 06:58:47 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\ElbyCDIO.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/11/2013 06:57:30 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\RegKill.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (07/11/2013 06:56:02 AM) (Source: Microsoft Antimalware) (User: )
Description: %%8604.2.0223.01.153.1481.07%%859NT AUTHORITYSYSTEMS-1-5-181%%8001%%8031.1.9607.00x8024001eAn unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 2%%853http://www.microsoft.com


Microsoft Office Sessions:
=========================
Error: (07/11/2013 06:08:08 PM) (Source: TOSHIBA Service Station)(User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/11/2013 07:10:59 AM) (Source: TOSHIBA Service Station)(User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/11/2013 06:38:33 AM) (Source: TOSHIBA Service Station)(User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/10/2013 11:23:40 PM) (Source: TOSHIBA Service Station)(User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/07/2013 05:12:18 PM) (Source: TOSHIBA Service Station)(User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/07/2013 03:59:46 PM) (Source: TOSHIBA Service Station)(User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/06/2013 07:09:48 PM) (Source: Application Error)(User: )
Description: PEV.exe0.0.0.04e06cfe8PEV.exe0.0.0.04e06cfe8400000150008d1c08ac01ce7a9d9f02fa1dC:\Combo-Fix18873C\PEV.exeC:\Combo-Fix18873C\PEV.exe272811ea-e691-11e2-945a-001e33d715c4

Error: (07/06/2013 05:46:43 PM) (Source: TOSHIBA Service Station)(User: )
Description: TSS Load: could not communicate with TMachInfo service

Error: (07/06/2013 01:02:40 AM) (Source: Application Error)(User: )
Description: PEV.exe0.0.0.04e06cfe8PEV.exe0.0.0.04e06cfe8400000150008d1c0fc401ce7a05fead906fC:\Combo-Fix\PEV.exeC:\Combo-Fix\PEV.exe48736be2-e5f9-11e2-a03a-001e33d715c4

Error: (07/05/2013 02:59:40 PM) (Source: TOSHIBA Service Station)(User: )
Description: TSS Load: could not communicate with TMachInfo service


CodeIntegrity Errors:
===================================
  Date: 2013-07-06 01:25:06.102
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Combo-Fix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-07-06 01:25:05.970
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Combo-Fix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2010-07-25 18:51:14.798
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2010-07-25 18:51:14.782
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2010-07-25 18:51:14.782
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2010-07-25 18:51:14.767
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2010-07-25 18:51:14.751
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2010-07-25 18:50:23.958
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2010-07-25 18:50:23.926
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2010-07-25 18:50:23.911
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 38%
Total physical RAM: 3963.98 MB
Available physical RAM: 2454.63 MB
Total Pagefile: 7926.17 MB
Available Pagefile: 6122.5 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (TI100343V0F) (Fixed) (Total:286.38 GB) (Free:68.85 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 1384F217)
Partition 1: (Not Active) - (Size=1 GB) - (Type=27)
Partition 2: (Active) - (Size=286 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=10 GB) - (Type=17)

==================== End Of Log ============================

#7 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,988 posts
  • Gender:Male
  • Location:California

Posted 11 July 2013 - 08:00 PM

Hi Merlin,

Let's do these things next.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKLM-x32\...\Run: [] -  [x]
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll No File
Tcpip\..\Interfaces\{A6AF07A1-9639-46D0-BE66-0F92CB42FA0B}: [NameServer]130.215.32.18 130.215.39.18
Task: {0907A3A8-F352-4CC7-A9AF-1892E0D75805} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\Windows\ehome\mcupdate.exe No File
Task: {2C2CC386-9E43-4375-BF6B-28EFF797B00E} - System32\Tasks\{68C90D97-C9EF-4F50-A773-EA867CBAB614} => C:\Users\Hund\Downloads\Settlers, The\LOADPATS.EXE No File
Task: {712C6861-2B14-4E72-92BA-22B6921FE2B7} - System32\Tasks\Microsoft\Windows\Wired\GatherWiredInfo => C:\Windows\system32\gatherWiredInfo.vbs No File
Task: {7EC7D10F-D6EA-4996-9D43-63C1120D7925} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\Windows\ehome\ehrec.exe No File
Task: {B314280B-26DB-4CB5-BB5F-3DA74B629FD0} - System32\Tasks\{09B99539-86F2-43A3-B2CA-4965730FF594} => C:\Users\Hund\Downloads\Settlers, The\LOADPATS.EXE No File
Task: {CD900127-CC75-4E9E-9E86-EAFCCA0DC0FB} - System32\Tasks\{B3FA53D4-E39E-4B51-BF54-73F0DB170C56} => C:\SETUP.EXE No File
Task: {E91D6474-70CC-42BE-80FF-8BED8AF557ED} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs No File
Folder: C:\Windows\system32\config\SOFTWARE6d938235
Folder: C:\Windows\system32\config\SOFTWARE9d9ec41
Folder: C:\314798d709542a0736b9
File: C:\Windows\system32\drivers\tcpip.sys
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Farbar log
  • AdwCleaner log
  • Junkware log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

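How the fixlist above is derived from the scan, as an added example that is not FRST's code and not part of the thread: the helper picks entries whose target no longer exists ("No File"), Run values with no name, and settings only the owner can vouch for, such as the name servers on the Tcpip interface, and pastes the scan's own lines verbatim into fixlist.txt. The script encodes those rules as this example's assumptions about what deserves a second look, not as FRST's logic. The lines in FROM_POST are copied from the fixlist; the three in CONSTRUCTED are invented to show what is and is not flagged, and the trusted resolver 192.168.1.1 is a placeholder for whatever the owner's network really uses. The name-server line is reported for review rather than judged malicious, because the log alone cannot say which resolvers belong there.

```python
"""Triage FRST scan lines into fixlist candidates.

Added example for this thread: not FRST's code, and the rules below are
this example's own assumptions about what deserves a second look. Lines
in FROM_POST are copied from the fixlist above; lines in CONSTRUCTED are
invented to show entries that should and should not be flagged.
"""
import re
from typing import List, Optional, Set, Tuple

FROM_POST = r"""
HKLM-x32\...\Run: [] -  [x]
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll No File
Tcpip\..\Interfaces\{A6AF07A1-9639-46D0-BE66-0F92CB42FA0B}: [NameServer]130.215.32.18 130.215.39.18
Task: {0907A3A8-F352-4CC7-A9AF-1892E0D75805} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\Windows\ehome\mcupdate.exe No File
Task: {2C2CC386-9E43-4375-BF6B-28EFF797B00E} - System32\Tasks\{68C90D97-C9EF-4F50-A773-EA867CBAB614} => C:\Users\Hund\Downloads\Settlers, The\LOADPATS.EXE No File
Task: {CD900127-CC75-4E9E-9E86-EAFCCA0DC0FB} - System32\Tasks\{B3FA53D4-E39E-4B51-BF54-73F0DB170C56} => C:\SETUP.EXE No File
"""

# Constructed lines (not from the thread): a healthy Run value, a healthy task,
# and a task whose file exists but runs from a user's Temp directory.
CONSTRUCTED = r"""
HKLM\...\Run: [ExampleGood] - C:\Program Files\Example\example.exe
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleGood => C:\Windows\system32\notepad.exe
Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\ExampleTemp => C:\Users\Hund\AppData\Local\Temp\updater.exe
"""
SAMPLE_LOG = FROM_POST + CONSTRUCTED

# Placeholder for the resolver(s) the owner's network really uses (assumption).
TRUSTED_DNS = {"192.168.1.1"}

# Directories a scheduled task is normally expected to run from (assumption).
EXPECTED_TASK_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<task>.+?) => (?P<target>.+)$")
BHO_RE = re.compile(r"^BHO(?:-x32)?: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK\w+(?:-x32)?\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] -\s*(?P<cmd>.*?)\s*(?P<missing>\[x\])?$")
DNS_RE = re.compile(r"^Tcpip\\\.\.\\Interfaces\\\{[0-9A-Fa-f-]+\}: \[NameServer\](?P<servers>.+)$")


def classify(line: str, trusted_dns: Set[str]) -> Optional[str]:
    """Return a reason if the line deserves a fixlist entry, else None."""
    line = line.rstrip()
    m = TASK_RE.match(line)
    if m:
        target = m.group("target")
        if target.endswith(" No File"):
            return "orphaned task: target file is missing"
        if not target.lower().startswith(EXPECTED_TASK_DIRS):
            return "task runs from an unusual location"
        return None
    m = BHO_RE.match(line)
    if m:
        return "orphaned BHO: DLL is missing" if m.group("path").endswith(" No File") else None
    m = RUN_RE.match(line)
    if m:
        # [x] is taken here as FRST's marker for a file it could not find.
        if not m.group("name") or m.group("missing"):
            return "Run value with an empty name or a missing file"
        return None
    m = DNS_RE.match(line)
    if m:
        unknown = [s for s in m.group("servers").split() if s not in trusted_dns]
        if unknown:
            return "name servers not on the trusted list: " + " ".join(unknown)
    return None


def build_fixlist(log_text: str, trusted_dns: Set[str]) -> List[Tuple[str, str]]:
    """(reason, line) pairs; an FRST fixlist takes the scan's lines verbatim."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        reason = classify(line, trusted_dns)
        if reason:
            findings.append((reason, line.rstrip()))
    return findings


if __name__ == "__main__":
    for reason, line in build_fixlist(SAMPLE_LOG, TRUSTED_DNS):
        print(f"{reason}\n    {line}")
```

Run it and the seven lines from the post come back flagged, along with the constructed Temp task; the two healthy constructed entries do not. The reasons are for the analyst; only the second element of each pair goes into fixlist.txt.
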
#8 hatestrojans

  • Topic Starter
  • Members
  • 33 posts

Posted 12 July 2013 - 12:15 PM

Hi Gary,

Thanks again for your continued help.

Problems I had: JRT did not complete. It took hours to run and then crashed (I did disable my AV and Firewall).

Computer status: Still very slow, NT Kernel & System is taking up 100% CPU, "duh dong" sounds still on and off.

Merlin

Here is the Fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-07-2013 02
Ran by Hund at 2013-07-11 23:16:24 Run:1
Running from C:\Users\Hund\Desktop
Boot Mode: Normal
==============================================
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A6AF07A1-9639-46D0-BE66-0F92CB42FA0B}\\NameServer => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0907A3A8-F352-4CC7-A9AF-1892E0D75805} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0907A3A8-F352-4CC7-A9AF-1892E0D75805} => Key not found.
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\mcupdate_scheduled => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2C2CC386-9E43-4375-BF6B-28EFF797B00E} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2C2CC386-9E43-4375-BF6B-28EFF797B00E} => Key not found.
C:\Windows\System32\Tasks\{68C90D97-C9EF-4F50-A773-EA867CBAB614} => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{68C90D97-C9EF-4F50-A773-EA867CBAB614} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{712C6861-2B14-4E72-92BA-22B6921FE2B7} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{712C6861-2B14-4E72-92BA-22B6921FE2B7} => Key not found.
C:\Windows\System32\Tasks\Microsoft\Windows\Wired\GatherWiredInfo => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Wired\GatherWiredInfo => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7EC7D10F-D6EA-4996-9D43-63C1120D7925} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7EC7D10F-D6EA-4996-9D43-63C1120D7925} => Key not found.
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center\StartRecording => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Media Center\StartRecording => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B314280B-26DB-4CB5-BB5F-3DA74B629FD0} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B314280B-26DB-4CB5-BB5F-3DA74B629FD0} => Key not found.
C:\Windows\System32\Tasks\{09B99539-86F2-43A3-B2CA-4965730FF594} => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{09B99539-86F2-43A3-B2CA-4965730FF594} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CD900127-CC75-4E9E-9E86-EAFCCA0DC0FB} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CD900127-CC75-4E9E-9E86-EAFCCA0DC0FB} => Key not found.
C:\Windows\System32\Tasks\{B3FA53D4-E39E-4B51-BF54-73F0DB170C56} => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{B3FA53D4-E39E-4B51-BF54-73F0DB170C56} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E91D6474-70CC-42BE-80FF-8BED8AF557ED} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E91D6474-70CC-42BE-80FF-8BED8AF557ED} => Key not found.
C:\Windows\System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Wireless\GatherWirelessInfo => Key not found.
 
========================= Folder: C:\Windows\system32\config\SOFTWARE6d938235 ========================
 
C:\Windows\system32\config\SOFTWARE6d938235 => Is not a directory.
====== End of Folder: ======
 
========================= Folder: C:\Windows\system32\config\SOFTWARE9d9ec41 ========================
 
C:\Windows\system32\config\SOFTWARE9d9ec41 => Is not a directory.
====== End of Folder: ======
 
========================= Folder: C:\314798d709542a0736b9 ========================
 
 
====== End of Folder: ======
 
========================= File: C:\Windows\system32\drivers\tcpip.sys ========================
 
MD5: 509383E505C973ED7534A06B3D19688D
Creation and modification date: 2011-04-22 19:33 - 2010-11-20 09:33
Size: 1924480
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: tcpip.sys
Original Name: tcpip.sys.mui
Product Name: Microsoft® Windows® Operating System
Description: TCP/IP Driver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Version: 6.1.7600.16385
Copyright: © Microsoft Corporation. All rights reserved.
 
====== End Of File: ======
 
 
==== End of Fixlog ====

Here is the AdwCleaner Log:

# AdwCleaner v2.305 - Logfile created 07/11/2013 at 23:29:06
# Updated 11/07/2013 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)
# User : Hund - MAN
# Boot Mode : Normal
# Running from : C:\Users\Hund\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
Folder Deleted : C:\ProgramData\ParetoLogic
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\14919ea49a8f3b4aa3cf1058d9a64cec
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Software
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16490
 
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://de.ask.com/?l=dis&o=15768 --> hxxp://www.google.com
 
-\\ Mozilla Firefox v22.0 (en-US)
 
File : C:\Users\Hund\AppData\Roaming\Mozilla\Firefox\Profiles\9sbsjj0a.HeinzOGames\prefs.js
 
[OK] File is clean.
 
File : C:\Users\Hund\AppData\Roaming\Mozilla\Firefox\Profiles\eihrcm4o.Normall\prefs.js
 
[OK] File is clean.
 
File : C:\Users\Hund\AppData\Roaming\Mozilla\Firefox\Profiles\osn2bkst.default\prefs.js
 
Deleted : user_pref("browser.startup.homepage", "hxxp://de.ask.com/?l=dis&o=15768");
Deleted : user_pref("tweaktube.pref.cacheInfo", "({'hxxp://wedata.net/databases/AutoPagerize/items.json':{url:[...]
 
File : C:\Users\Hund\AppData\Roaming\Mozilla\Firefox\Profiles\tqn2v9pb.Interesting\prefs.js
 
[OK] File is clean.
 
File : C:\Users\Babbbaa\AppData\Roaming\Mozilla\Firefox\Profiles\0qrqs3xs.default\prefs.js
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [2189 octets] - [11/07/2013 23:29:06]
 
########## EOF - C:\AdwCleaner[S1].txt - [2249 octets] ##########
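
A practitioner would want one more look at the tcpip.sys block in the Fixlog before moving on. Its version string, 6.1.7600.16385 (win7_rtm...), is the Windows 7 RTM build, while AdwCleaner's header reports Service Pack 1, whose build is 7601. On its own that is not evidence of tampering: the "Original Name: tcpip.sys.mui" line indicates the strings were read from the driver's MUI resource file, which on Windows 7 can keep the RTM version after SP1 even though the binary itself was replaced, and the Code Integrity warnings near the top of the FRST log are dated 2010-07-25, three years before this infection, so they say nothing about the driver's current state. The way to settle it is to check the binary itself: its fixed version information and Authenticode signature (Sysinternals sigcheck reports both), and its hash against the same driver from a clean SP1 machine. The script below is an added example, not FRST's or AdwCleaner's code; it parses the two blocks copied from this post and the two events copied from the FRST log, applies the Windows 7 build table (a fact, not an assumption), and reports these caveats as findings. The 30-day threshold for calling an event stale is an assumption.

```python
"""Cross-check a driver's reported version against the OS build, and age the
Code Integrity events that FRST lists for it.

Added example: not FRST's or AdwCleaner's code. FRST_FILE_BLOCK and
ADWCLEANER_OS_LINE are copied from the post above, CODE_INTEGRITY_EVENTS
from the FRST log earlier in the thread. WIN7_BUILDS is a fact about
Windows 7 (RTM is 6.1.7600, Service Pack 1 is 6.1.7601); the 30-day
threshold for calling an event stale is an assumption.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

FRST_FILE_BLOCK = """\
MD5: 509383E505C973ED7534A06B3D19688D
Creation and modification date: 2011-04-22 19:33 - 2010-11-20 09:33
Size: 1924480
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: tcpip.sys
Original Name: tcpip.sys.mui
Product Name: Microsoft® Windows® Operating System
Description: TCP/IP Driver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Version: 6.1.7600.16385
"""
ADWCLEANER_OS_LINE = "# Operating system : Windows 7 Ultimate Service Pack 1 (64 bits)"
CODE_INTEGRITY_EVENTS = r"""
  Date: 2010-07-25 18:51:14.767
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2010-07-25 18:50:23.958
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
"""

# Windows 7 build numbers by service-pack level (fact).
WIN7_BUILDS = {None: 7600, "Service Pack 1": 7601}
EVENT_DATE_RE = re.compile(r"^\s*Date: (\d{4}-\d{2}-\d{2})", re.MULTILINE)


def parse_file_block(block: str) -> Dict[str, str]:
    """Turn FRST's 'Key: value' lines into a dict."""
    fields: Dict[str, str] = {}
    for line in block.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def version_tuple(version: str) -> Optional[Tuple[int, ...]]:
    """'6.1.7600.16385 (win7_rtm.090713-1255)' -> (6, 1, 7600, 16385)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def expected_build(os_line: str) -> Optional[int]:
    """Build number implied by an AdwCleaner-style OS line (Windows 7 only)."""
    if "Windows 7" not in os_line:
        return None
    m = re.search(r"Service Pack \d", os_line)
    return WIN7_BUILDS.get(m.group(0) if m else None)


def check_driver(block: str, os_line: str) -> List[str]:
    """Points to confirm before trusting the driver; an empty list means none."""
    fields = parse_file_block(block)
    findings: List[str] = []
    file_ver = version_tuple(fields.get("File Version", ""))
    prod_ver = version_tuple(fields.get("Product Version", ""))
    build = expected_build(os_line)
    if file_ver and build and file_ver[2] != build:
        findings.append(
            f"version string {fields['File Version']} reports build {file_ver[2]}, "
            f"but the OS line says build {build}")
    if file_ver and prod_ver and file_ver != prod_ver:
        findings.append("file version and product version disagree")
    if fields.get("Original Name", "").lower().endswith(".mui"):
        findings.append(
            "version strings were read from the MUI resource file "
            f"({fields['Original Name']}), which can lag the binary; check the "
            "binary's own version and Authenticode signature (e.g. sigcheck)")
    if fields.get("Company Name") != "Microsoft Corporation":
        findings.append("company name is not Microsoft Corporation")
    return findings


def stale_events(events_text: str, scan_date: str, max_age_days: int = 30) -> List[str]:
    """Dates of 'Date:' event headers older than max_age_days at scan time."""
    scan = datetime.strptime(scan_date, "%Y-%m-%d").date()
    stale: List[str] = []
    for m in EVENT_DATE_RE.finditer(events_text):
        when = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        if (scan - when).days > max_age_days:
            stale.append(m.group(1))
    return stale


if __name__ == "__main__":
    for finding in check_driver(FRST_FILE_BLOCK, ADWCLEANER_OS_LINE):
        print("CHECK:", finding)
    print("stale Code Integrity events:", stale_events(CODE_INTEGRITY_EVENTS, "2013-07-11"))
```

On this post's data it reports the 7600-versus-7601 mismatch and the MUI caveat together, which is the right reading: the mismatch is a prompt to inspect the binary, not a verdict, and both 2010 events are flagged as stale against the 2013 scan date.
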

#9 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,988 posts
  • Gender:Male
  • Location:California

Posted 12 July 2013 - 02:55 PM

Hi Merlin,

Thanks for the information. Please do this now.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:dir
C:\Windows\system32\config /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Systemlook log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

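What to look for in that listing, as an added example that is not part of the thread and not SystemLook's code: Windows keeps a fixed set of names at the root of system32\config, the hives (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT, COMPONENTS, BCD-Template, userdiff), their .LOG/.LOG1/.LOG2 transaction logs, and the {GUID}.TM.blf, .regtrans-ms and .TxR.* files of the transactional registry; RegBack holds the scheduled copies of the hives. A hive-like name with a stray suffix at the root is exactly what the earlier fixlist tried, and failed, to treat as a folder ("Is not a directory"), and it is what this check isolates. The sample listing is a subset of the SystemLook output posted next in the thread; the "within 10% of the live hive" heuristic for spotting a copied hive is this example's assumption.

```python
r"""Flag files at the root of system32\config that Windows itself does not create.

Added example for this thread: not SystemLook's code. SAMPLE_LISTING is a
subset of the ':dir' output posted later in the thread; the "within 10% of
the live hive" heuristic for spotting a copied hive is this example's
assumption.
"""
import re
from typing import Dict, List, Tuple

# Hive files Windows keeps at the root of system32\config (matched case-insensitively).
HIVES = ("SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT", "COMPONENTS",
         "BCD-TEMPLATE", "USERDIFF")

# A hive name alone, with a .LOG/.LOG1/.LOG2 transaction-log suffix, or with the
# {GUID}.TM.blf / .regtrans-ms / .TxR.* files of the transactional registry.
KNOWN_RE = re.compile(
    r"^(?:" + "|".join(re.escape(h) for h in HIVES) + r")"
    r"(?:\.LOG[12]?"
    r"|\{[0-9a-f-]{36}\}\.(?:TM\.blf|TMContainer\d+\.regtrans-ms"
    r"|TxR\.(?:\d+\.regtrans-ms|blf)))?$",
    re.IGNORECASE,
)
ROOT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) - Parameters:")
DIR_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s{2,}d[-a-z]{6}\s+\[")
FILE_RE = re.compile(r"^(?P<name>\S+)\s+[-a-z]{7}\s+(?P<size>\d+) bytes\s+\[[^\]]+\]\s+\[[^\]]+\]\s*$")

SAMPLE_LISTING = r"""
C:\Windows\system32\config - Parameters: "/s"

---Files---
BCD-Template    --a---- 28672 bytes    [05:32 14/07/2009]    [02:28 26/07/2010]
BCD-Template.LOG    --ahs-- 25600 bytes    [05:38 14/07/2009]    [02:28 26/07/2010]
components    --a---- 38797312 bytes    [02:34 14/07/2009]    [03:10 14/07/2013]
COMPONENTS.LOG1    --ah--- 262144 bytes    [02:34 14/07/2009]    [03:10 14/07/2013]
COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf    --ahs-- 65536 bytes    [04:54 14/07/2009]    [12:36 27/07/2010]
components{047098a0-e38a-11e2-90f5-001e65489c9a}.TxR.0.regtrans-ms    --ahs-- 1048576 bytes    [05:27 08/07/2013]    [05:27 08/07/2013]
components{047098a1-e38a-11e2-90f5-001e65489c9a}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [02:56 03/07/2013]    [02:49 08/07/2013]
SAM    --a---- 262144 bytes    [02:34 14/07/2009]    [02:45 14/07/2013]
SOFTWARE    --a---- 89653248 bytes    [02:34 14/07/2009]    [03:14 14/07/2013]
SOFTWARE.LOG    --ah--- 1024 bytes    [07:12 14/07/2009]    [07:52 14/07/2009]
SOFTWARE.LOG1    --ah--- 262144 bytes    [02:34 14/07/2009]    [03:14 14/07/2013]
SOFTWARE6d938235    --a---- 0 bytes    [18:30 05/07/2013]    [18:30 05/07/2013]
SOFTWARE9d9ec41    --a---- 87556096 bytes    [08:24 04/07/2013]    [08:24 04/07/2013]
SYSTEM    --a---- 20185088 bytes    [02:34 14/07/2009]    [03:14 14/07/2013]
userdiff.LOG1    --ahs-- 5120 bytes    [02:27 26/07/2010]    [02:27 26/07/2010]

C:\Windows\system32\config\RegBack    d------    [03:20 14/07/2009]
SOFTWARE    --a---- 94236672 bytes    [23:29 25/07/2010]    [04:29 23/06/2013]
"""


def parse_listing(text: str) -> List[Tuple[str, str, int]]:
    """(directory, file name, size in bytes) for every file line in a :dir listing."""
    entries: List[Tuple[str, str, int]] = []
    current = ""
    for line in text.splitlines():
        m = ROOT_RE.match(line) or DIR_RE.match(line)
        if m:
            current = m.group("path")
            continue
        m = FILE_RE.match(line)
        if m and current:
            entries.append((current, m.group("name"), int(m.group("size"))))
    return entries


def find_anomalies(entries: List[Tuple[str, str, int]],
                   root: str = r"C:\Windows\system32\config") -> List[Tuple[str, str]]:
    """(file name, why) for root-level files that Windows would not have written."""
    at_root = [(n, s) for d, n, s in entries if d.lower() == root.lower()]
    live: Dict[str, int] = {n.upper(): s for n, s in at_root if n.upper() in HIVES}
    findings: List[Tuple[str, str]] = []
    for name, size in at_root:
        if KNOWN_RE.match(name):
            continue
        why = "unexpected file in config root"
        for hive, hive_size in live.items():
            if name.upper().startswith(hive) and abs(size - hive_size) <= hive_size // 10:
                why += f"; size within 10% of the live {hive} hive (possible copy)"
        if size == 0:
            why += "; zero bytes"
        findings.append((name, why))
    return findings


if __name__ == "__main__":
    for name, why in find_anomalies(parse_listing(SAMPLE_LISTING)):
        print(f"{name}: {why}")
```

On the sample it reports exactly the two files the fixlist could not handle: SOFTWARE6d938235 (zero bytes) and SOFTWARE9d9ec41, whose size is within 10% of the live SOFTWARE hive. The RegBack copy is not flagged because it sits below the root, where Windows is expected to keep it.
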
#10 hatestrojans

  • Topic Starter
  • Members
  • 33 posts

Posted 13 July 2013 - 10:46 PM

Hi Gary,

Sorry for the late reply, everything just takes hours to do on my computer. Below is the SystemLook log.

~Merlin

SystemLook 30.07.11 by jpshortstuff
Log created at 23:15 on 13/07/2013 by Hund
Administrator - Elevation successful

========== dir ==========

C:\Windows\system32\config - Parameters: "/s"

---Files---
BCD-Template    --a---- 28672 bytes    [05:32 14/07/2009]    [02:28 26/07/2010]
BCD-Template.LOG    --ahs-- 25600 bytes    [05:38 14/07/2009]    [02:28 26/07/2010]
components    --a---- 38797312 bytes    [02:34 14/07/2009]    [03:10 14/07/2013]
COMPONENTS.LOG    --ah--- 1024 bytes    [07:12 14/07/2009]    [07:52 14/07/2009]
COMPONENTS.LOG1    --ah--- 262144 bytes    [02:34 14/07/2009]    [03:10 14/07/2013]
COMPONENTS.LOG2    --ah--- 0 bytes    [02:34 14/07/2009]    [02:34 14/07/2009]
COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf    --ahs-- 65536 bytes    [04:54 14/07/2009]    [12:36 27/07/2010]
COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [04:54 14/07/2009]    [16:22 26/07/2010]
COMPONENTS{016888b9-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [04:54 14/07/2009]    [12:36 27/07/2010]
components{047098a0-e38a-11e2-90f5-001e65489c9a}.TxR.0.regtrans-ms    --ahs-- 1048576 bytes    [05:27 08/07/2013]    [05:27 08/07/2013]
components{047098a0-e38a-11e2-90f5-001e65489c9a}.TxR.1.regtrans-ms    --ahs-- 1048576 bytes    [05:27 08/07/2013]    [05:27 08/07/2013]
components{047098a0-e38a-11e2-90f5-001e65489c9a}.TxR.2.regtrans-ms    --ahs-- 1048576 bytes    [05:27 08/07/2013]    [05:27 08/07/2013]
components{047098a0-e38a-11e2-90f5-001e65489c9a}.TxR.blf    --ahs-- 65536 bytes    [05:27 08/07/2013]    [05:27 08/07/2013]
components{047098a1-e38a-11e2-90f5-001e65489c9a}.TM.blf    --ahs-- 65536 bytes    [02:56 03/07/2013]    [02:49 08/07/2013]
components{047098a1-e38a-11e2-90f5-001e65489c9a}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [02:56 03/07/2013]    [02:49 08/07/2013]
components{047098a1-e38a-11e2-90f5-001e65489c9a}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [02:56 03/07/2013]    [02:56 03/07/2013]
components{0c1a0256-09f6-11e2-a2c6-001e33d715c4}.TM.blf    --ahs-- 65536 bytes    [11:56 29/09/2012]    [19:11 06/01/2013]
components{0c1a0256-09f6-11e2-a2c6-001e33d715c4}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [11:56 29/09/2012]    [03:21 12/12/2012]
components{0c1a0256-09f6-11e2-a2c6-001e33d715c4}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [11:56 29/09/2012]    [19:11 06/01/2013]
components{1170b061-c995-11df-87ce-e811aa879423}.TM.blf    --ahs-- 65536 bytes    [01:37 27/09/2010]    [21:11 10/10/2010]
components{1170b061-c995-11df-87ce-e811aa879423}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [01:37 27/09/2010]    [21:11 10/10/2010]
components{1170b061-c995-11df-87ce-e811aa879423}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [01:37 27/09/2010]    [01:47 27/09/2010]
components{15a33cc3-e9d7-11e2-acf3-001e65489c9a}.TM.blf    --ahs-- 65536 bytes    [03:08 11/07/2013]    [03:10 14/07/2013]
components{15a33cc3-e9d7-11e2-acf3-001e65489c9a}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [03:08 11/07/2013]    [03:10 14/07/2013]
components{15a33cc3-e9d7-11e2-acf3-001e65489c9a}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [03:08 11/07/2013]    [03:54 11/07/2013]
components{3b1f0eed-2938-11e1-903b-001e65489c9a}.TM.blf    --ahs-- 65536 bytes    [05:26 18/12/2011]    [23:57 22/12/2011]
components{3b1f0eed-2938-11e1-903b-001e65489c9a}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [05:26 18/12/2011]    [23:57 22/12/2011]
components{3b1f0eed-2938-11e1-903b-001e65489c9a}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [05:26 18/12/2011]    [05:37 18/12/2011]
components{55edd939-b9f1-11df-8aa7-d8e87b99e822}.TM.blf    --ahs-- 65536 bytes    [20:03 06/09/2010]    [06:36 25/09/2010]
components{55edd939-b9f1-11df-8aa7-d8e87b99e822}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [20:03 06/09/2010]    [06:36 25/09/2010]
components{55edd939-b9f1-11df-8aa7-d8e87b99e822}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [20:03 06/09/2010]    [20:13 06/09/2010]
components{60315505-d514-11df-886e-9c4ea958331c}.TM.blf    --ahs-- 65536 bytes    [09:05 11/10/2010]    [20:43 14/10/2010]
components{60315505-d514-11df-886e-9c4ea958331c}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [09:05 11/10/2010]    [20:43 14/10/2010]
components{60315505-d514-11df-886e-9c4ea958331c}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [09:05 11/10/2010]    [09:15 11/10/2010]
components{78782605-7231-11e2-97b7-001e33d715c4}.TM.blf    --ahs-- 65536 bytes    [21:04 08/02/2013]    [00:22 02/07/2013]
components{78782605-7231-11e2-97b7-001e33d715c4}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [21:04 08/02/2013]    [00:22 02/07/2013]
components{78782605-7231-11e2-97b7-001e33d715c4}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [21:04 08/02/2013]    [22:20 31/05/2013]
components{a3f80bc9-6d78-11e0-9614-806e6f6e6963}.TM.blf    --ahs-- 65536 bytes    [07:10 23/04/2011]    [04:47 18/12/2011]
components{a3f80bc9-6d78-11e0-9614-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [07:10 23/04/2011]    [21:55 04/12/2011]
components{a3f80bc9-6d78-11e0-9614-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [07:10 23/04/2011]    [04:47 18/12/2011]
components{ae532588-d20a-11e1-85f5-001e33d715c4}.TM.blf    --ahs-- 65536 bytes    [04:56 20/07/2012]    [18:21 28/09/2012]
components{ae532588-d20a-11e1-85f5-001e33d715c4}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [04:56 20/07/2012]    [18:21 28/09/2012]
components{ae532588-d20a-11e1-85f5-001e33d715c4}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [04:56 20/07/2012]    [04:56 20/07/2012]
components{b09d685e-2cfc-11e1-a162-001e65489c9a}.TM.blf    --ahs-- 65536 bytes    [00:33 23/12/2011]    [02:21 18/07/2012]
components{b09d685e-2cfc-11e1-a162-001e65489c9a}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [00:33 23/12/2011]    [02:21 18/07/2012]
components{b09d685e-2cfc-11e1-a162-001e65489c9a}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [00:33 23/12/2011]    [05:29 29/05/2012]
components{b9ea9589-d81a-11df-8952-b70739c3a020}.TxR.0.regtrans-ms    --ahs-- 1048576 bytes    [23:34 22/04/2011]    [23:34 22/04/2011]
components{b9ea9589-d81a-11df-8952-b70739c3a020}.TxR.1.regtrans-ms    --ahs-- 1048576 bytes    [23:34 22/04/2011]    [23:34 22/04/2011]
components{b9ea9589-d81a-11df-8952-b70739c3a020}.TxR.2.regtrans-ms    --ahs-- 1048576 bytes    [23:34 22/04/2011]    [23:34 22/04/2011]
components{b9ea9589-d81a-11df-8952-b70739c3a020}.TxR.blf    --ahs-- 65536 bytes    [23:34 22/04/2011]    [23:34 22/04/2011]
components{b9ea958a-d81a-11df-8952-b70739c3a020}.TM.blf    --ahs-- 65536 bytes    [08:29 15/10/2010]    [23:31 22/04/2011]
components{b9ea958a-d81a-11df-8952-b70739c3a020}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [08:29 15/10/2010]    [23:31 22/04/2011]
components{b9ea958a-d81a-11df-8952-b70739c3a020}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [08:29 15/10/2010]    [07:11 19/04/2011]
components{c31a794f-99d5-11df-a807-801d6519312b}.TM.blf    --ahs-- 65536 bytes    [23:25 27/07/2010]    [18:41 09/08/2010]
components{c31a794f-99d5-11df-a807-801d6519312b}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [23:25 27/07/2010]    [18:41 09/08/2010]
components{c31a794f-99d5-11df-a807-801d6519312b}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [23:25 27/07/2010]    [23:43 27/07/2010]
components{eb128346-e372-11e2-89fc-001e33d715c4}.TM.blf    --ahs-- 65536 bytes    [00:02 03/07/2013]    [00:20 03/07/2013]
components{eb128346-e372-11e2-89fc-001e33d715c4}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [00:02 03/07/2013]    [00:20 03/07/2013]
components{eb128346-e372-11e2-89fc-001e33d715c4}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [00:02 03/07/2013]    [00:20 03/07/2013]
components{eec5866d-b170-11df-ab85-001e33d715c4}.TM.blf    --ahs-- 65536 bytes    [00:24 27/08/2010]    [00:36 06/09/2010]
components{eec5866d-b170-11df-ab85-001e33d715c4}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [00:24 27/08/2010]    [00:36 06/09/2010]
components{eec5866d-b170-11df-ab85-001e33d715c4}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [00:24 27/08/2010]    [03:29 27/08/2010]
components{f35913ae-a3ea-11df-a4e0-e4903ad2812d}.TM.blf    --ahs-- 65536 bytes    [21:05 09/08/2010]    [17:26 25/08/2010]
components{f35913ae-a3ea-11df-a4e0-e4903ad2812d}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [21:05 09/08/2010]    [17:26 25/08/2010]
components{f35913ae-a3ea-11df-a4e0-e4903ad2812d}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [21:05 09/08/2010]    [21:05 09/08/2010]
components{f51d0a40-59d4-11e2-b9e2-001e33d715c4}.TM.blf    --ahs-- 65536 bytes    [20:55 08/01/2013]    [19:15 08/02/2013]
components{f51d0a40-59d4-11e2-b9e2-001e33d715c4}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [20:55 08/01/2013]    [19:15 08/02/2013]
components{f51d0a40-59d4-11e2-b9e2-001e33d715c4}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [20:55 08/01/2013]    [21:06 08/01/2013]
DEFAULT    --a---- 1310720 bytes    [02:34 14/07/2009]    [02:49 14/07/2013]
DEFAULT.LOG    --ah--- 1024 bytes    [07:12 14/07/2009]    [07:52 14/07/2009]
DEFAULT.LOG1    --ah--- 119808 bytes    [02:34 14/07/2009]    [02:49 14/07/2013]
DEFAULT.LOG2    --ah--- 0 bytes    [02:34 14/07/2009]    [02:34 14/07/2009]
SAM    --a---- 262144 bytes    [02:34 14/07/2009]    [02:45 14/07/2013]
SAM.LOG    --ah--- 1024 bytes    [07:12 14/07/2009]    [07:52 14/07/2009]
SAM.LOG1    --ah--- 41984 bytes    [02:34 14/07/2009]    [02:45 14/07/2013]
SAM.LOG2    --ah--- 0 bytes    [02:34 14/07/2009]    [02:34 14/07/2009]
SECURITY    --a---- 262144 bytes    [02:34 14/07/2009]    [02:18 14/07/2013]
SECURITY.LOG    --ah--- 1024 bytes    [07:12 14/07/2009]    [07:52 14/07/2009]
SECURITY.LOG1    --ah--- 21504 bytes    [02:34 14/07/2009]    [02:18 14/07/2013]
SECURITY.LOG2    --ah--- 0 bytes    [02:34 14/07/2009]    [02:34 14/07/2009]
SOFTWARE    --a---- 89653248 bytes    [02:34 14/07/2009]    [03:14 14/07/2013]
SOFTWARE.LOG    --ah--- 1024 bytes    [07:12 14/07/2009]    [07:52 14/07/2009]
SOFTWARE.LOG1    --ah--- 262144 bytes    [02:34 14/07/2009]    [03:14 14/07/2013]
SOFTWARE.LOG2    --ah--- 262144 bytes    [02:34 14/07/2009]    [14:59 04/07/2013]
SOFTWARE6d938235    --a---- 0 bytes    [18:30 05/07/2013]    [18:30 05/07/2013]
SOFTWARE9d9ec41    --a---- 87556096 bytes    [08:24 04/07/2013]    [08:24 04/07/2013]
SYSTEM    --a---- 20185088 bytes    [02:34 14/07/2009]    [03:14 14/07/2013]
SYSTEM.LOG    --ah--- 1024 bytes    [07:12 14/07/2009]    [07:52 14/07/2009]
SYSTEM.LOG1    --ah--- 262144 bytes    [02:34 14/07/2009]    [03:14 14/07/2013]
SYSTEM.LOG2    --ah--- 0 bytes    [02:34 14/07/2009]    [02:34 14/07/2009]
userdiff    --a---- 262144 bytes    [02:27 26/07/2010]    [02:27 26/07/2010]
userdiff.LOG1    --ahs-- 5120 bytes    [02:27 26/07/2010]    [02:27 26/07/2010]
userdiff.LOG2    --ahs-- 0 bytes    [02:27 26/07/2010]    [02:27 26/07/2010]

C:\Windows\system32\config\Journal    d------    [03:20 14/07/2009]

C:\Windows\system32\config\RegBack    d------    [03:20 14/07/2009]
DEFAULT    --a---- 1290240 bytes    [23:29 25/07/2010]    [04:29 23/06/2013]
DEFAULT.LOG1    --ahs-- 0 bytes    [17:32 29/07/2010]    [17:32 29/07/2010]
DEFAULT.LOG2    --ahs-- 0 bytes    [17:32 29/07/2010]    [17:32 29/07/2010]
SAM    --a---- 98304 bytes    [23:29 25/07/2010]    [04:29 23/06/2013]
SAM.LOG1    --ahs-- 0 bytes    [17:32 29/07/2010]    [17:32 29/07/2010]
SAM.LOG2    --ahs-- 0 bytes    [17:32 29/07/2010]    [17:32 29/07/2010]
SECURITY    --a---- 32768 bytes    [23:29 25/07/2010]    [04:29 23/06/2013]
SECURITY.LOG1    --ahs-- 0 bytes    [17:30 29/07/2010]    [17:30 29/07/2010]
SECURITY.LOG2    --ahs-- 0 bytes    [17:30 29/07/2010]    [17:30 29/07/2010]
SOFTWARE    --a---- 94236672 bytes    [23:29 25/07/2010]    [04:29 23/06/2013]
SOFTWARE.LOG1    --ahs-- 0 bytes    [17:31 29/07/2010]    [17:31 29/07/2010]
SOFTWARE.LOG2    --ahs-- 0 bytes    [17:31 29/07/2010]    [17:31 29/07/2010]
SYSTEM    --a---- 20103168 bytes    [23:29 25/07/2010]    [04:29 23/06/2013]
SYSTEM.LOG1    --ahs-- 0 bytes    [17:32 29/07/2010]    [17:32 29/07/2010]
SYSTEM.LOG2    --ahs-- 0 bytes    [17:32 29/07/2010]    [17:32 29/07/2010]

C:\Windows\system32\config\systemprofile    d------    [03:20 14/07/2009]
ntuser.dat    --a---- 262144 bytes    [05:38 14/07/2009]    [08:48 11/10/2010]
ntuser.dat.LOG    --ah--- 1024 bytes    [07:12 14/07/2009]    [07:12 14/07/2009]
ntuser.dat.LOG1    --ahs-- 9216 bytes    [05:38 14/07/2009]    [02:04 06/07/2013]
ntuser.dat.LOG2    --ahs-- 0 bytes    [05:38 14/07/2009]    [05:38 14/07/2009]
ntuser.dat{72eb27a6-9844-11df-91f6-806e6f6e6963}.TM.blf    --ahs-- 65536 bytes    [23:29 25/07/2010]    [23:29 25/07/2010]
ntuser.dat{72eb27a6-9844-11df-91f6-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms    --ahs-- 524288 bytes    [23:29 25/07/2010]    [23:29 25/07/2010]
ntuser.dat{72eb27a6-9844-11df-91f6-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms    --ahs-- 524288 bytes    [23:29 25/07/2010]    [23:29 25/07/2010]

C:\Windows\system32\config\systemprofile\AppData    d---s--    [03:20 14/07/2009]

C:\Windows\system32\config\systemprofile\AppData\Local    d------    [03:20 14/07/2009]
GDIPFONTCACHEV1.DAT    --a---- 132936 bytes    [19:29 09/08/2010]    [13:00 04/10/2010]

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft    d------    [04:49 14/07/2009]

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL    d------    [21:26 17/10/2010]

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL\production    d------    [21:26 17/10/2010]

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL\production\temp    d------    [21:26 17/10/2010]

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Portable Devices    d------    [00:09 26/07/2010]
wpdlog00.sqm    --a---- 284 bytes    [00:09 26/07/2010]    [03:03 03/07/2013]
wpdlog01.sqm    --a---- 284 bytes    [20:12 14/08/2010]    [03:05 03/07/2013]
wpdlog02.sqm    --a---- 284 bytes    [23:19 25/08/2010]    [03:06 03/07/2013]

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows    d------    [04:49 14/07/2009]

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches    d------    [04:49 14/07/2009]

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History    d--hs--    [04:54 14/07/2009]
desktop.ini    --ahs-- 145 bytes    [04:54 14/07/2009]    [04:54 14/07/2009]


#11 Oh My!
  • Malware Response Instructor
  • 37,988 posts
  • Location:California

Posted 14 July 2013 - 09:03 AM

Hi Merlin,

Thank you for the information. Please do this and tell me if there are any changes in your symptoms.

===================================================

Creating a New User Profile With Administrative Privileges

--------------
  • Press the Windows key + R on your keyboard at the same time
  • Copy and paste the following in the run box then press Enter

control /name Microsoft.UserAccounts

  • Click Manage another account
  • Click Create a new account
  • Type Test in the new account name box then click Next
  • Select Administrator then click Create Account
  • Close the User Accounts window
  • Reboot your computer and log in as Test
  • Check your computer performance
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Any difference?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 hatestrojans
  • Topic Starter
  • Members
  • 33 posts

Posted 14 July 2013 - 02:18 PM

Hey Gary,

I did as requested, but no performance change. In the new user profile "Test", a process with the Image Name "System", the User Name "SYSTEM", takes up 99% of CPU, has a 60K Memory, and a description of "NT Kernel & System".

Also the "duh dong" sounds are still going on and off. I also logged in to another user account that I already had on my computer and had the same symptoms.

I don't know if it helps, but I run portable Ubuntu from a USB drive on my computer and it works perfectly.

Again, I'm grateful for your continued help.

Greetings,

~Merlin



#13 Oh My!
  • Malware Response Instructor
  • 37,988 posts
  • Location:California

Posted 14 July 2013 - 03:07 PM

Hi Merlin,

And thank you for hanging in there. Excellent regarding Ubuntu. We are going to utilize that program now.

Please do this.

===================================================

Ubuntu MBR and Driver Report Using a USB

--------------
  • Download udriver.sh to your USB device containing Ubuntu
  • With the USB device inserted into the infected computer restart your computer
  • If your computer does not automatically boot from the USB device please see here
  • Select Run from USB device
  • Please allow the program to automatically load to the Ubuntu desktop
  • Select English, then click Try Ubuntu
  • Click on the Dash Home icon located just underneath the Ubuntu Desktop title bar at the top
  • Type terminal in the search box then press Enter
  • A command prompt window will open
  • Now please type the following and press Enter. Make sure there is a space between the different colors.

sudo dd if=/dev/sda of=mbr.txt bs=512 count=1

  • A mbr.txt file will be created in your Home folder
  • Type Exit then press Enter
  • Click on the Home Folder which is most likely the third icon down on the left
  • Under Devices please click the USB device (if that is not present remove the USB device and plug it back in)
  • Locate the udriver.sh icon listed in the USB contents window, right click, select Move to, then click Home
  • Close any open windows
  • Click the Dash Home icon (1st icon on left)
  • Select the Terminal icon
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh

  • Wait until report.txt pops up or the command line indicates the search is finished. This can take a while, so please be patient!
  • The report.txt file will be located in the Home folder (same folder as mbr.txt)
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh -af

  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the last search is complete please type Exit and press Enter
  • Click the Home Folder
  • Right click on filefind.txt, and select Send to...
  • Click the drop down list next to Send as:, select Removable disks and shares, click the USB device (may be there by default), then click Send
  • Repeat these steps for report.txt
  • Remove the USB device from your computer
  • In the upper right hand corner of your screen select the icon just to the right of the time
  • Click Shut down..., then Restart
  • Your computer should reboot into Windows
  • Insert the USB device back into your computer
  • Zip the report.txt file and attach it to your reply. Attach but do not zip the mbr.txt and filefind.txt files.
===================================================

Things I would like to see in your next reply.
  • report.zip
  • mbr.txt
  • filefind.txt

Gary
 

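As an added example of what the dd and file-search steps in the post above produce (this is not udriver.sh, the forum's own tool, whose internals are not shown on this page), the script below dumps the first sector of a disk or disk image, checks that it still carries the 0x55 0xAA boot signature, and lists every copy of the requested Windows system files with size and SHA-256, so a second copy with a different hash stands out for review. The device path and the read-only mount point /mnt/win are assumptions.

```shell
#!/bin/sh
# Added example, not udriver.sh. Run from a Ubuntu live session against the
# infected disk; the Windows volume is assumed to be mounted read-only.

# dump_mbr DEVICE OUT: copy the first 512-byte sector of DEVICE to OUT
# (the same thing the "dd if=/dev/sda of=mbr.txt bs=512 count=1" step does).
dump_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# mbr_signature_ok FILE: succeed only if bytes 510-511 are the 0x55 0xAA boot
# signature; a blanked or truncated sector fails and deserves a closer look.
mbr_signature_ok() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# find_system_files ROOT NAME...: case-insensitive search below ROOT for each
# NAME; prints one tab-separated line per hit: name, path, size in bytes, SHA-256.
find_system_files() {
    root=$1
    shift
    for name in "$@"; do
        find "$root" -type f -iname "$name" 2>/dev/null | while IFS= read -r f; do
            size=$(wc -c < "$f" | tr -d ' ')
            hash=$(sha256sum "$f" | cut -d' ' -f1)
            printf '%s\t%s\t%s\t%s\n' "$name" "$f" "$size" "$hash"
        done
    done
}

# count_copies ROOT NAME: how many files named NAME exist below ROOT.
count_copies() {
    find_system_files "$1" "$2" | grep -c . || true
}

# distinct_hashes ROOT NAME: how many different SHA-256 values those copies have.
# More than one means the copies are not identical; check the odd one out
# (VirusTotal, signature check). WinSxS and servicing backups can legitimately
# hold older versions, so this is a lead, not a verdict.
distinct_hashes() {
    find_system_files "$1" "$2" | cut -f4 | sort -u | grep -c . || true
}

# Usage from a live session (only runs when a device and a mount point are given):
#   sudo sh thisscript.sh /dev/sda /mnt/win
if [ "$#" -eq 2 ]; then
    dump_mbr "$1" mbr.txt
    mbr_signature_ok mbr.txt && echo "MBR signature present" || echo "MBR signature MISSING"
    find_system_files "$2" winlogon.exe volsnap.sys explorer.exe userinit.exe > filefind.txt
    for n in winlogon.exe volsnap.sys explorer.exe userinit.exe; do
        printf '%s: %s copies, %s distinct hashes\n' "$n" \
            "$(count_copies "$2" "$n")" "$(distinct_hashes "$2" "$n")"
    done
fi
```

The mbr.txt and filefind.txt it writes into the current directory correspond to the two files the post asks for, with filefind.txt additionally carrying a hash per copy.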
#14 hatestrojans
  • Topic Starter
  • Members
  • 33 posts

Posted 14 July 2013 - 04:39 PM

Hi Gary,

Everything executed smoothly. Attached are the logs. Hope we can get it figured out.

~Merlin

Attached Files



#15 Oh My!
  • Malware Response Instructor
  • 37,988 posts
  • Location:California

Posted 14 July 2013 - 05:04 PM

Not much there. I would like to check one file. Please do this.

===================================================

Virustotal Online Virus Scanner

--------------------
  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file (if multiple files then one at a time), double click on it so the file name is populated, then click Scan it!
  • IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.

C:\Windows\System32\drivers\taishop.sys

  • Once completed, highlight the information in the address bar and copy then paste the link in your reply

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Virustotal link

Gary
 



