Google Redirect - Persists after following general instructions [Solve - Geeks to Go Forums

Google Redirect persists after following steps in the general thread

#1 h82run

  • Group: Member
  • Posts: 9
  • Joined: 05-April 10

Posted 06 April 2010 - 09:02 AM

I have a problem with a Google Redirect bug (virus, trojan, malware, ???). I have scanned the computer multiple times with the attached list of programs and none of them are indicating that there is a problem. Every now and then NOD32 will pick up the kryptik.DLI trojan but it doesn't seem to be doing anything helpful. When I have tried Internet Explorer with "-extoff" the problem is still evident. I also ran the recommended applications from the Google Redirect thread to no avail and then followed the directions on the Malware and Spyware cleaning thread to no avail. I have attached the recommended logs with the exception of the GMER Rootkit log. That program crashed every time I tried to run it and blue-screened the computer 3 times. I made sure that NOD32 (my default virus software) was off during these scans.

Any help that you could offer with this problem would be greatly appreciated.

Logs:
Attached

Virus Scans Tried:
Malwarebytes Anti-Malware
NOD32
Spybot Search & Destroy
Hitman
Microsoft Malicious Software Removal Tool
Microsoft Security Essentials
Microsoft Onecare Live

#2 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 06 April 2010 - 09:07 AM

Do you have the TDSSKiller log? It should be in C:\

#3 h82run

  • Group: Member
  • Posts: 9
  • Joined: 05-April 10

Posted 06 April 2010 - 09:53 AM

Here is the TDSSKiller log.

Thanks for the quick reply!

#4 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 06 April 2010 - 02:59 PM

No problem. Don't attach the logs, it's tougher on me.

Why did you run ComboFix yourself?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
    [2010/04/02 18:34:52 | 000,012,244 | -HS- | M] () -- C:\ProgramData\8Cq4r
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done



Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
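The OTL fix above is applied as a whole once Run Fix is clicked, so it is worth knowing exactly which entries, files and commands it contains before running it. The following Python is an added example (not code from this thread or from the OTL tool) that parses the posted fix script into a review summary; the line layouts it recognises are assumed from that one script.

```python
# Added example (not from the thread or the OTL tool): parse an OTL fix script
# and summarise what "Run Fix" would act on, so entries can be reviewed first.
# The line layouts recognised below are assumed from the one script posted above.
import re
from dataclasses import dataclass, field

# The fix script posted in this thread, embedded as the sample input.
SAMPLE_FIX = r"""
:OTL
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
[2010/04/02 18:34:52 | 000,012,244 | -HS- | M] () -- C:\ProgramData\8Cq4r

:Services

:Reg

:Files

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
"""

SECTIONS = {":otl", ":services", ":reg", ":files", ":commands"}
# What OTL does for each [command] in the :Commands section.
COMMAND_NOTES = {
    "purity": "remove Purity folders",
    "resethosts": "reset the hosts file to the Windows default",
    "emptytemp": "empty temporary folders",
    "emptyflash": "clear Flash shared objects",
    "createrestorepoint": "create a System Restore point",
    "reboot": "reboot the machine when the fix finishes",
}
OLINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")  # "O28 - <description>"
FILE_RE = re.compile(                          # "[date | size | attrs | M] () -- path"
    r"^\[(?P<date>[^|]+)\|(?P<size>[^|]+)\|(?P<attrs>[^|]+)\|\s*[MC]\s*\]"
    r"\s*\(.*?\)\s*--\s*(?P<path>.+)$")
CMD_RE = re.compile(r"^\[(\w+)\]$")            # "[emptytemp]"


@dataclass
class FixSummary:
    otl_items: list = field(default_factory=list)  # (O-number, description)
    files: list = field(default_factory=list)      # (path, attribute string)
    commands: list = field(default_factory=list)   # lower-cased command names
    other: dict = field(default_factory=dict)      # raw lines of :Services/:Reg/:Files
    warnings: list = field(default_factory=list)


def parse_fix_script(text: str) -> FixSummary:
    """Parse an OTL fix script; raise ValueError on anything unrecognised."""
    s, section = FixSummary(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line.lower()
            if section not in SECTIONS:
                raise ValueError(f"unknown section header: {line}")
            continue
        if section is None:
            raise ValueError(f"entry before any section header: {line}")
        if section == ":otl":
            if m := OLINE_RE.match(line):
                s.otl_items.append((m.group(1), m.group(2)))
                if "File not found" in m.group(2):
                    s.warnings.append(f"{m.group(1)}: orphaned entry, its file is already missing")
            elif m := FILE_RE.match(line):
                path, attrs = m.group("path").strip(), m.group("attrs").strip()
                s.files.append((path, attrs))
                if "H" in attrs and "S" in attrs:
                    s.warnings.append(f"{path}: hidden+system attributes set")
            else:
                raise ValueError(f"unrecognised :OTL line: {line}")
        elif section == ":commands":
            if not (m := CMD_RE.match(line)):
                raise ValueError(f"unrecognised command line: {line}")
            cmd = m.group(1).lower()
            s.commands.append(cmd)
            if cmd not in COMMAND_NOTES:
                s.warnings.append(f"[{cmd}]: command not in the known list")
        else:  # :Services, :Reg, :Files entries are kept verbatim for review
            s.other.setdefault(section, []).append(line)
    return s


def describe(s: FixSummary) -> list:
    # One review line per action, warnings last.
    lines = [f"remove OTL item {n}: {d}" for n, d in s.otl_items]
    lines += [f"delete file {p} (attrs {a})" for p, a in s.files]
    lines += [f"{sec} entry: {e}" for sec, ents in s.other.items() for e in ents]
    lines += [f"[{c}]: {COMMAND_NOTES.get(c, 'unknown command')}" for c in s.commands]
    return lines + [f"WARNING {w}" for w in s.warnings]
```

Running `describe(parse_fix_script(SAMPLE_FIX))` on the posted script lists the two orphaned registry items, the hidden/system file in C:\ProgramData and the six commands, with a final reboot flagged.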

#5 h82run

  • Group: Member
  • Posts: 9
  • Joined: 05-April 10

Posted 06 April 2010 - 05:37 PM

I ran ComboFix before as a stupid and vain attempt to fix the problem before I ran across this forum. So, not the best idea.

Anyway, here is the log from ComboFix:

ComboFix 10-04-05.06 - Name 04/06/2010 17:15:16.6.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.1667 [GMT -6:00]
Running from: c:\users\Name\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Name\AppData\Local\ave.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-06 23:29 . 2010-04-06 23:30 -------- d-----w- c:\users\Name\AppData\Local\temp
2010-04-06 23:29 . 2010-04-06 23:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-06 23:29 . 2010-04-06 23:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-06 23:29 . 2010-04-06 23:29 -------- d-----w- c:\users\namep\AppData\Local\temp
2010-04-06 23:29 . 2010-04-06 23:29 -------- d-----w- c:\users\BPeterson\AppData\Local\temp
2010-04-06 23:29 . 2010-04-06 23:29 -------- d-----w- c:\users\BPeterson.FLEXSIM\AppData\Local\temp
2010-04-06 22:08 . 2010-04-06 22:08 -------- d-----w- C:\_OTL
2010-04-06 20:37 . 2010-04-06 22:02 -------- d-----w- C:\AdobeTemp
2010-04-06 14:51 . 2010-04-06 15:41 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-06 14:35 . 2010-04-06 14:35 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-05 22:50 . 2010-04-05 22:51 -------- d-----w- c:\program files\ERUNT
2010-04-05 15:58 . 2010-04-05 15:58 -------- d-----w- c:\users\Name\AppData\Local\Threat Expert
2010-04-05 15:52 . 2010-04-05 17:15 -------- d-----w- c:\program files\Spyware Doctor
2010-04-05 01:31 . 2010-04-05 01:31 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-03 05:16 . 2010-04-03 05:20 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-04-03 05:16 . 2010-04-03 05:20 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-04-03 05:16 . 2010-04-03 05:16 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-04-03 05:16 . 2010-04-03 05:16 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-04-03 00:32 . 2010-04-03 00:32 -------- d-----w- c:\programdata\avG
2010-04-02 22:19 . 2010-04-02 22:19 -------- d-----w- c:\program files\TrendMicro
2010-04-02 20:26 . 2010-04-02 20:26 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-02 20:04 . 2010-04-04 18:05 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-02 20:04 . 2010-04-02 20:26 -------- d-----w- c:\programdata\Hitman Pro
2010-04-02 20:04 . 2010-04-02 20:04 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-02 15:55 . 2010-04-02 17:24 -------- d-sh--w- c:\users\Name\.COMMgr
2010-03-29 23:28 . 2010-03-29 23:28 3003904 ----a-w- c:\users\Name\AppData\Roaming\Flexsim\Flexsim5\flexsimcontentB.dll
2010-03-24 16:55 . 2010-03-24 16:55 -------- d-----w- c:\windows\system32\Adobe
2010-03-22 15:43 . 2010-03-29 21:25 3003904 ----a-w- c:\users\Name\AppData\Roaming\Flexsim\Flexsim5\flexsimcontentA.dll
2010-03-19 16:13 . 2010-03-19 16:14 -------- d-----w- c:\users\Name\AppData\Roaming\MioNetApplet
2010-03-17 22:24 . 2008-12-15 23:18 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-03-17 22:17 . 2008-12-12 16:10 199160 ----a-w- c:\windows\system32\drivers\windrvr6.sys
2010-03-10 21:46 . 2007-11-23 08:24 6135603 ----a-w- c:\windows\system32\lapack_win32.dll
2010-03-10 21:46 . 2007-11-22 22:32 622281 ----a-w- c:\windows\system32\blas_win32.dll
2010-03-10 14:27 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 14:27 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 14:27 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-09 17:48 . 2010-03-10 19:51 -------- d-----w- c:\program files\CMake 2.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 00:19 . 2009-06-01 15:37 292840 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2010-04-06 23:07 . 2008-08-27 15:46 220113 ----a-w- c:\programdata\nvModes.dat
2010-04-06 22:57 . 2008-09-24 20:16 158696 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-04-06 22:07 . 2007-08-08 14:32 -------- d-----w- c:\users\Name\AppData\Roaming\Skype
2010-04-06 22:04 . 2007-05-31 03:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-06 22:02 . 2009-04-29 19:53 -------- d-----w- c:\users\Name\AppData\Roaming\skypePM
2010-04-06 20:36 . 2009-01-11 19:37 -------- d-----w- c:\program files\CCleaner
2010-04-06 14:28 . 2007-02-12 21:36 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-06 13:55 . 2010-01-14 17:41 -------- d-----w- c:\program files\LogMeIn
2010-04-05 22:29 . 2007-07-25 15:47 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-05 22:25 . 2008-11-08 03:12 -------- d-----w- c:\users\Name\AppData\Roaming\Move Networks
2010-04-05 16:37 . 2008-10-15 14:34 -------- d-----w- c:\program files\BitTorrent
2010-04-05 16:37 . 2007-07-14 00:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-03 07:56 . 2007-07-25 15:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-03 07:50 . 2008-11-06 19:44 -------- d-----w- c:\program files\Eset
2010-04-03 05:40 . 2010-02-11 17:26 -------- d-----w- c:\program files\Mastercam X3 MU1 for SolidWorks
2010-04-03 05:36 . 2007-05-31 02:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-03 05:33 . 2008-02-29 15:59 -------- d-----w- c:\programdata\Palo Alto Software
2010-04-02 23:39 . 2009-04-20 17:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 23:37 . 2010-03-02 17:20 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 06:46 . 2010-03-02 17:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 06:45 . 2010-03-02 17:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 17:47 . 2009-02-19 15:14 -------- d-----w- c:\users\Name\AppData\Roaming\IM
2010-03-24 17:46 . 2009-02-19 16:27 -------- d-----w- c:\users\Name\AppData\Roaming\SolidWorks
2010-03-10 15:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-27 07:19 . 2010-02-24 17:11 -------- d-----w- c:\users\Name\AppData\Roaming\Vso
2010-02-27 07:19 . 2010-02-24 17:11 47360 ----a-w- c:\users\Name\AppData\Roaming\pcouffin.sys
2010-02-27 07:19 . 2010-02-24 17:11 47360 ----a-w- c:\users\Name\AppData\Roaming\pcouffin.sys
2010-02-27 07:19 . 2010-02-27 07:19 -------- d-----w- c:\program files\DVDFab 6
2010-02-27 07:01 . 2010-02-25 05:00 -------- d-----w- c:\users\Name\AppData\Roaming\DVDFab
2010-02-26 06:26 . 2010-02-26 06:26 -------- d-----w- c:\program files\HOTLLAMA Media
2010-02-24 17:11 . 2010-02-24 17:11 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-02-24 16:16 . 2009-10-03 17:47 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-01 01:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-01 01:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-01 01:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-01 01:42 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-19 21:22 . 2007-11-28 16:52 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-02-17 20:43 . 2010-02-17 20:43 -------- d-----w- c:\users\Name\AppData\Roaming\com.adobe.ExMan
2010-02-16 16:42 . 2009-04-21 18:35 -------- d-----w- c:\program files\SolidWorks
2010-02-12 21:32 . 2010-02-12 21:32 -------- d-----w- c:\users\Name\AppData\Roaming\editNC
2010-02-11 23:09 . 2010-02-11 23:03 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2010-02-11 23:03 . 2010-02-11 23:03 6656 ----a-w- c:\windows\system32\haspvdd.dll
2010-02-11 23:03 . 2010-02-11 23:03 383 ----a-w- c:\windows\system32\haspdos.sys
2010-02-11 22:01 . 2010-02-11 22:01 191488 ----a-w- c:\windows\system32\hlvdd.dll
2010-02-11 21:40 . 2010-02-11 21:40 -------- d-----w- c:\program files\Common Files\Aladdin Shared
2010-02-11 19:59 . 2010-02-11 19:59 -------- d-----w- c:\program files\Adobe Media Player
2010-02-11 19:56 . 2010-02-11 19:56 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-11 19:34 . 2010-02-11 00:14 -------- d-----w- c:\users\Name\AppData\Roaming\DAEMON Tools Lite
2010-02-11 19:33 . 2010-02-11 00:15 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-02-11 17:29 . 2010-02-11 17:29 -------- d-----w- c:\programdata\InstallShield
2010-02-11 17:27 . 2007-05-31 02:09 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-11 02:03 . 2010-02-11 02:03 -------- d-----w- c:\program files\Surfware, Incorporated
2010-02-11 02:00 . 2010-02-11 02:00 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel
2010-02-11 01:58 . 2009-02-19 16:00 -------- d-----w- c:\program files\Common Files\SolidWorks Shared
2010-02-11 01:46 . 2010-02-11 01:46 -------- d-----w- c:\program files\Document Manager
2010-02-11 00:15 . 2008-10-24 20:05 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-02-11 00:15 . 2008-10-24 19:59 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-11 00:14 . 2010-02-11 00:14 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-02-10 21:12 . 2009-06-25 15:51 -------- d-----w- c:\users\Name\AppData\Roaming\Flexsim
2010-02-10 20:27 . 2009-11-18 16:16 -------- d-----w- c:\program files\Flexsim 5
2010-02-09 14:55 . 2010-02-09 14:55 24 ----a-w- c:\users\Name\AppData\Roaming\sgcpom.dat
2010-01-25 18:58 . 2009-05-14 21:29 462848 ----a-w- c:\windows\system32\ractrlkeyhook.dll
2010-01-25 12:00 . 2010-02-24 17:43 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 17:43 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 17:43 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 17:43 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 17:43 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 17:43 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 17:43 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 17:43 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:21 . 2010-02-24 17:43 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-23 09:26 . 2010-02-24 17:45 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-30 15:56 . 2009-04-21 19:26 211481 ----a-w- c:\program files\SolidWorksswxJRNL.BAK
2008-09-11 20:06 . 2008-09-11 20:06 413154 ----a-w- c:\program files\Test_1_Output_1.bmp
2008-09-11 20:06 . 2008-09-11 20:06 1797 ----a-w- c:\program files\Test.htm
2007-08-20 19:55 . 2010-02-11 01:58 3200960 ------w- c:\program files\Common Files\vcredist_x64.exe
2007-08-20 19:55 . 2010-02-11 01:58 2723264 ------w- c:\program files\Common Files\vcredist_x86.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 23:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 23:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 23:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 23:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 23:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 23:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 23:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 23:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 23:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-03-14 33048]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 413696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NDSTray.exe"="NDSTray.exe" [BU]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 4472832]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"XBDocker"="c:\progra~1\360UNI~1\XBDocker.exe" [2006-04-07 172304]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-04-05 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-03-09 252704]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 204800]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-11-06 949376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-01 13548064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-01 92704]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 23:50 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1400287276-2332164158-1255459891-1170\Scripts\Logon\0\0]
"Script"=maps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1400287276-2332164158-1255459891-1170\Scripts\Logon\0\1]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1400287276-2332164158-1255459891-1170\Scripts\Logon\0\2]
"Script"=ST\synctoyinstall.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2841712643-3602444270-545279689-1126\Scripts\Logon\0\0]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2841712643-3602444270-545279689-1172\Scripts\Logon\0\0]
"Script"=maps.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2841712643-3602444270-545279689-1172\Scripts\Logon\0\1]
"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2841712643-3602444270-545279689-1172\Scripts\Logon\0\2]
"Script"=admin.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoCAD LT Startup Accelerator.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD LT Startup Accelerator.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
\HWSetup.exe hwSetUP [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2007-08-04 06:32 714080 ----a-w- c:\program files\Toshiba\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 08:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 20:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeNotify]
2006-11-07 00:14 34352 ----a-w- c:\program files\Toshiba\Utilities\KeNotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
2007-09-12 01:43 95536 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 17:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2007-06-16 04:01 448080 ----a-w- c:\program files\Toshiba\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-29 21:13 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 15:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):0a,24,b7,f9,e3,e2,c9,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-11 691696]
R2 SentinelFilter;SentinelFilter;c:\users\Name\Downloads\Surfcam\Surfcam Velocity 4 SP1 255\Surfcam Velocity 4 SP1 255\Crack (LEGEND)\SENTINELFILTER.SYS [x]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [x]
R3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks\swScheduler\DTSCoordinatorService.exe [2008-09-09 79144]
R3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\system32\drivers\lmvac.sys [2008-07-01 18912]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-06-18 17920]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]
R3 PDAQ3K;DaqX USB2 Driver;c:\windows\system32\DRIVERS\pdaq3k.sys [2007-08-03 615296]
R3 PDAQ3KLD;DaqX USB2 Loader Driver;c:\windows\system32\DRIVERS\pdaq3kld.sys [2007-08-03 62464]
R3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys [x]
R3 USBAVCap;TOSHIBA ATSC TV Tuner;c:\windows\system32\drivers\USBAVCap.sys [2007-05-10 828288]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S0 CplIR;Embedded IR Driver;c:\windows\system32\DRIVERS\CplIR.SYS [2007-03-06 14848]
S0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2007-03-11 210432]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-11-06 15424]
S2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run [x]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-08-11 12856]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ADM851X.SYS [2003-12-19 27135]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 23:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 22:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 16:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\User_Feed_Synchronization-{BA1573A7-7023-46A7-94EA-394A360AE662}.job
- c:\windows\system32\msfeedssync.exe [2010-04-01 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.flexsim.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
Trusted Zone: live.com\onecare
FF - ProfilePath - c:\users\Name\AppData\Roaming\Mozilla\Firefox\Profiles\fx9sh92d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.flexsim.com/|https://mail.google.com/mail/?shva=1#inbox
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstloader.dll
FF - plugin: c:\program files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\plugins\np_TB_OgloPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.txt=
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-06 17:30
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2010-04-06 17:33:57
ComboFix-quarantined-files.txt 2010-04-06 23:33
ComboFix2.txt 2010-04-05 22:05

Pre-Run: 38,617,333,760 bytes free
Post-Run: 43,795,419,136 bytes free

- - End Of File - - A5FEFFEDD5DD50FA2CBFDE688B00BC18

#6 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 06 April 2010 - 05:39 PM

hi

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

#7 h82run

  • Group: Member
  • Posts: 9
  • Joined: 05-April 10

Posted 07 April 2010 - 08:27 AM

So, the first time I didn't get that the scan was what it was doing when it first opened and I clicked on the scan button. This started a very long process that ended with a blue screen with the following summarized message: PAGE_FAULT_IN_NONPAGED_AREA uwtyqpog.sys - Address BE868CF8 base at BE85D000 Date Stamp 4b274f8d

I don't know if that helps, gives you a chuckle, or causes frustration (hopefully not the latter). Anyway, here is the log from GMER directly after it finishes loading:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-04-07 08:21:27
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Name\AppData\Local\Temp\uwtyqpog.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86C371F8

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\fastfat \Fat 9CC861F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat amon.sys (Amon monitor/Eset )
AttachedDevice \FileSystem\fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Thanks again for all the help.

#8 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 07 April 2010 - 08:30 AM

hi

Download BlueScreenView (in Zip file) near the end of the page
  • Save it to your desktop and extract it to its own folder
  • Double click on BlueScreenView.exe file to run the program.
  • When scanning is done, click Edit>Select All.
  • Go File>Save Selected Items, and save the report as BSOD.txt.
  • Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.

#9 h82run

  • Group: Member
  • Posts: 9
  • Joined: 05-April 10

Posted 07 April 2010 - 08:39 AM

There were two parts to the screen. I followed your instructions and it copied the top part that held all of the BSOD crashes that have occurred lately. Here is the text from the file:

==================================================
Dump File : Mini040710-01.dmp
Crash Time : 4/7/2010 8:04:26 AM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0xdd82a018
Parameter 2 : 0x00000000
Parameter 3 : 0xbe868cf8
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+70b9e
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18160 (vistasp2_gdr.091208-0542)
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\minidump\Mini040710-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
==================================================

==================================================
Dump File : Mini040610-02.dmp
Crash Time : 4/6/2010 8:09:56 AM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0xc5c4e808
Parameter 2 : 0x00000000
Parameter 3 : 0xb5239d3d
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+70b9e
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18160 (vistasp2_gdr.091208-0542)
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\minidump\Mini040610-02.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
==================================================

==================================================
Dump File : Mini040610-01.dmp
Crash Time : 4/6/2010 7:54:29 AM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0xa098900b
Parameter 2 : 0x00000000
Parameter 3 : 0xb01d7f60
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+70b9e
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18160 (vistasp2_gdr.091208-0542)
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\minidump\Mini040610-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
==================================================

==================================================
Dump File : Mini040510-01.dmp
Crash Time : 4/5/2010 4:57:30 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x82c84d53
Parameter 3 : 0xbc978a54
Parameter 4 : 0x00000000
Caused By Driver : amon.sys
Caused By Address : amon.sys+2d54
File Description : Amon monitor
Product Name : NOD32 Antivirus System
Company : Eset
File Version : 2, 70, 39
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\minidump\Mini040510-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
==================================================

==================================================
Dump File : Mini040410-01.dmp
Crash Time : 4/4/2010 9:51:01 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 0x00000000
Parameter 2 : 0x0000001b
Parameter 3 : 0x00000000
Parameter 4 : 0x82c75a8c
Caused By Driver : srv.sys
Caused By Address : srv.sys+4d023
File Description : Server driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6000.16386 (vista_rtm.061101-2205)
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\minidump\Mini040410-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
==================================================

#10 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 07 April 2010 - 08:42 AM

hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#11 h82run

  • Group: Member
  • Posts: 9
  • Joined: 05-April 10

Posted 08 April 2010 - 01:01 PM

Here is the MBAM report:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3965

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/7/2010 9:26:15 AM
mbam-log-2010-04-07 (09-26-15).txt

Scan type: Quick scan
Objects scanned: 136307
Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Name\AppData\Local\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
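
The one item MBAM flagged above is a StartMenuInternet hijack: the Firefox "safemode" launch command had been redirected from firefox.exe to an ave.exe dropped in the user's AppData\Local folder. The following PowerShell audit is an added example, not part of this thread or of MBAM; it lists every browser launch command registered under StartMenuInternet and flags the patterns seen here (the launched executable's name differing from the browser key's name, a launch from a user profile or Temp directory, or a missing executable). It assumes it is run in an elevated PowerShell on the machine being checked.

```powershell
# Added example: audit HKLM/HKCU ...\Clients\StartMenuInternet\<browser>\shell\<verb>\command
# for hijacked launch lines, e.g. FIREFOX.EXE\shell\safemode\command pointing at
# C:\Users\Name\AppData\Local\ave.exe instead of firefox.exe (the finding MBAM reported).
# Assumes an elevated PowerShell session; output is a review list, not a verdict.

$roots = @(
    'HKLM:\SOFTWARE\Clients\StartMenuInternet',
    'HKLM:\SOFTWARE\Wow6432Node\Clients\StartMenuInternet',
    'HKCU:\SOFTWARE\Clients\StartMenuInternet'
)

function Get-StartMenuInternetCommands {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # One subkey per registered browser; shell\<verb>\command holds the launch line.
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $browser = $_.PSChildName
            $shell   = Join-Path $_.PSPath 'shell'
            if (-not (Test-Path $shell)) { return }
            Get-ChildItem -Path $shell -ErrorAction SilentlyContinue | ForEach-Object {
                $verb   = $_.PSChildName
                $cmdKey = Join-Path $_.PSPath 'command'
                if (-not (Test-Path $cmdKey)) { return }
                # The launch line lives in the key's (default) value.
                $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
                [pscustomobject]@{ Hive = $root; Browser = $browser; Verb = $verb; Command = $cmd }
            }
        }
    }
}

function Get-LaunchedExecutable {
    param([string]$Command)
    # First quoted token, or first whitespace-delimited token, is the executable path.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-SuspiciousCommand {
    param([string]$Browser, [string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $exe     = Get-LaunchedExecutable $Command
    $exeName = [System.IO.Path]::GetFileName($exe)

    # 1. Key is named after an executable (FIREFOX.EXE, IEXPLORE.EXE) but launches something else,
    #    which is exactly the ave.exe substitution MBAM found.
    $nameMismatch = ($Browser -match '\.exe$') -and ($exeName -ne $Browser)

    # 2. Launch from a per-user profile or Temp directory. Per-user browser installs
    #    (for example Chrome under AppData\Local) will also match and need a human look.
    $profileLaunch = $exe -match '\\Users\\[^\\]+\\AppData\\(Local|LocalLow|Roaming)\\'
    $tempLaunch    = $exe -match '\\Temp\\'

    # 3. Executable no longer exists (a quarantined loader leaves a dangling command).
    $missing = -not (Test-Path -LiteralPath $exe)

    return ($nameMismatch -or $profileLaunch -or $tempLaunch -or $missing)
}

Get-StartMenuInternetCommands | ForEach-Object {
    $flag = if (Test-SuspiciousCommand -Browser $_.Browser -Command $_.Command) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1,-14} {2,-10} {3}' -f $flag, $_.Browser, $_.Verb, $_.Command
}
```

Anything marked SUSPICIOUS should be compared against the browser's real install path before the value is changed; a legitimate per-user install will show up alongside a genuine hijack.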

#12 h82run

  • Group: Member
  • Posts: 9
  • Joined: 05-April 10

Posted 08 April 2010 - 01:03 PM

Here is the online scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, April 8, 2010
Operating system: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 07, 2010 14:57:43
Records in database: 3917951
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 834596
Threats found: 3
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 10:49:42


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Users\Name\AppData\Local\ave.exe.vir Infected: Packed.Win32.Katusha.j 1
C:\Users\Name\AppData\Local\HorizonWimba\JSecureDoor\appshare_0.1.2\data\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1360 1
C:\Users\Name\AppData\LocalLow\HorizonWimba\JSecureDoor\archives\appshare_0_1_2.win.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1360 1
C:\Users\namep\AppData\Local\Microsoft\Outlook\archive.pst Infected: Email-Worm.Win32.Magistr.a 1

Selected area has been scanned.


Thanks again for the help with this. It took me a while to get this done because the online scan took a long time and I had work that kept me away from the computer today.

Thanks again,

#13 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 08 April 2010 - 01:11 PM

  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

#14 h82run

  • Group: Member
  • Posts: 9
  • Joined: 05-April 10

Posted 08 April 2010 - 01:47 PM

Here is the OTL scan:

OTL logfile created on: 4/8/2010 1:45:32 PM - Run 2
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Users\Name\Downloads\Anti Spy Ware
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 50.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147.58 Gb Total Space | 36.37 Gb Free Space | 24.65% Space Free | Partition Type: NTFS
Drive D: | 149.05 Gb Total Space | 118.33 Gb Free Space | 79.39% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPUTER
Current User Name: Name
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/05 16:42:52 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Name\Downloads\Anti Spy Ware\OTL.exe
PRC - [2009/12/16 17:44:36 | 003,750,400 | ---- | M] (SafeNet Inc.) -- C:\Windows\System32\hasplms.exe
PRC - [2009/10/30 05:57:08 | 000,369,200 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2009/09/28 20:34:22 | 000,116,032 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2009/09/28 20:34:16 | 000,378,176 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
PRC - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 16:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/03/20 07:36:58 | 000,210,216 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2009/02/11 17:00:41 | 000,079,360 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
PRC - [2008/11/25 00:31:07 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/11 13:08:51 | 002,356,088 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
PRC - [2008/11/06 13:44:47 | 000,949,376 | ---- | M] (Eset ) -- C:\Program Files\Eset\nod32kui.exe
PRC - [2008/11/06 13:44:47 | 000,552,064 | ---- | M] (Eset ) -- C:\Program Files\Eset\nod32krn.exe
PRC - [2008/10/02 10:23:16 | 000,546,288 | ---- | M] (Google) -- C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
PRC - [2008/08/11 13:41:00 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/08/11 13:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2008/06/21 09:00:44 | 000,574,976 | ---- | M] (http://tortoisesvn.net) -- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PRC - [2008/01/19 01:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/05/28 02:29:00 | 004,472,832 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/05/26 09:55:34 | 000,077,824 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA HD DVD PLAYER\TNaviSrv.exe
PRC - [2007/05/17 17:03:24 | 004,813,312 | ---- | M] () -- C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
PRC - [2007/04/10 17:40:28 | 000,413,696 | ---- | M] (Chicony) -- C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
PRC - [2007/04/05 10:46:24 | 000,488,984 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
PRC - [2007/03/29 11:39:20 | 000,427,576 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2007/03/29 11:39:18 | 000,411,192 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
PRC - [2007/03/09 13:59:36 | 000,252,704 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
PRC - [2007/03/06 17:55:42 | 000,643,072 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/03/06 17:37:04 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/02/25 22:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/02/12 15:38:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/02/12 15:37:58 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/01/25 18:50:26 | 000,063,096 | ---- | M] () -- c:\Toshiba\IVP\swupdate\swupdtmr.exe
PRC - [2007/01/25 18:47:50 | 000,136,816 | ---- | M] () -- C:\Toshiba\IVP\ISM\pinger.exe
PRC - [2006/12/03 17:51:38 | 000,021,504 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\upeksvr.exe
PRC - [2006/12/03 17:34:56 | 000,054,288 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\psqltray.exe
PRC - [2006/11/14 23:02:36 | 001,372,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2006/11/14 22:19:42 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
PRC - [2006/11/14 21:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/10/05 13:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 17:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/05/25 19:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2006/04/06 21:25:24 | 000,172,304 | ---- | M] (XBrand) -- C:\Program Files\360 Universal Docking Stand\XBDocker.exe


========== Modules (SafeList) ==========

MOD - [2010/04/05 16:42:52 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Users\Name\Downloads\Anti Spy Ware\OTL.exe
MOD - [2009/04/11 00:28:21 | 002,241,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msi.dll
MOD - [2009/04/11 00:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/19 01:36:24 | 000,038,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sfc_os.dll
MOD - [2006/11/02 03:46:13 | 000,004,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sfc.dll
MOD - [2006/11/02 03:46:07 | 000,015,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msiltcfg.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (Adobe Version Cue CS4)
SRV - [2009/12/16 17:44:36 | 003,750,400 | ---- | M] (SafeNet Inc.) [Auto | Running] -- C:\Windows\System32\hasplms.exe -- (hasplms)
SRV - [2009/11/18 10:18:00 | 001,045,256 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/28 20:34:22 | 000,116,032 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2009/09/24 19:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe -- (MSSQL$ACT7) SQL Server (ACT7)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/02/19 10:08:08 | 000,079,360 | ---- | M] (SolidWorks) [On_Demand | Stopped] -- C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -- (SolidWorks Licensing Service)
SRV - [2009/02/11 17:00:41 | 000,079,360 | ---- | M] (Autodesk) [Auto | Running] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2008/11/25 00:31:07 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/25 00:31:07 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/11/24 23:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/06 13:44:47 | 000,552,064 | ---- | M] (Eset ) [Auto | Running] -- C:\Program Files\Eset\nod32krn.exe -- (NOD32krn)
SRV - [2008/09/09 06:01:32 | 000,079,144 | ---- | M] (Dassault Systèmes SolidWorks Corp.) [On_Demand | Stopped] -- C:\Program Files\SolidWorks\swScheduler\DTSCoordinatorService.exe -- (CoordinatorServiceHost)
SRV - [2008/08/11 13:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2008/01/19 01:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/05/31 16:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 16:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2007/05/26 09:55:34 | 000,077,824 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA HD DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2007/03/29 11:39:20 | 000,427,576 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/03/09 14:03:02 | 000,105,248 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/03/06 17:55:42 | 000,643,072 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/03/06 17:37:04 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007/02/25 22:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/02/12 15:38:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/01/25 18:50:26 | 000,063,096 | ---- | M] () [Auto | Running] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/01/25 18:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\Toshiba\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/11/14 21:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/10/05 13:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 17:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/05/25 19:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.flexsim.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.flexsim.com/|https://mail.google.com/mail/?shva=1#inbox"
FF - prefs.js..extensions.enabledItems: bettergmail2@ginatrapani.org:1.1.1
FF - prefs.js..extensions.enabledItems: tunebite-firefox-surf-and-catch-extension@audials.com:1.4.7400.0
FF - prefs.js..network.proxy.type: 2

FF - HKLM\software\mozilla\Firefox\Extensions\\tunebite-firefox-surf-and-catch-extension@audials.com: C:\Program Files\RapidSolution\Tunebite\plugins\GeckoBased\tunebite-firefox-surf-and-catch-extension@audials.com\ [2009/08/05 09:36:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/26 12:43:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/06 15:36:31 | 000,000,000 | ---D | M]

[2009/10/07 08:50:37 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Mozilla\Extensions
[2010/04/05 16:36:26 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Mozilla\Firefox\Profiles\fx9sh92d.default\extensions
[2009/10/07 08:51:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Name\AppData\Roaming\Mozilla\Firefox\Profiles\fx9sh92d.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/05 16:36:23 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Mozilla\Firefox\Profiles\fx9sh92d.default\extensions\bettergmail2@ginatrapani.org
[2009/10/07 08:50:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2005/09/14 09:33:00 | 000,049,152 | ---- | M] (Lotus Development Corp.) -- C:\Program Files\Mozilla Firefox\plugins\npstloader.dll

O1 HOSTS File: ([2010/04/06 16:59:44 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Tunebite_WebRipPlugin Class) - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll (RapidSolution Software)
O3 - HKLM\..\Toolbar: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (Autodesk DWF) - {F03966D3-8EA0-47b4-BBE0-85BFE6CBC8AC} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll (Autodesk, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
O4 - HKLM..\Run: [HSON] C:\Program Files\Toshiba\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe (Intel Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [LVCOMSX] C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe (Logitech Inc.)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe (Eset )
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite QL\launcher.exe (UPEK Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [XBDocker] C:\Program Files\360 Universal Docking Stand\XBDocker.exe (XBrand)
O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Windows\System32\imon.dll (Eset )
O15 - HKCU\..Trusted Domains: live.com ([onecare] https in Trusted sites)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} http://cdn.scan.onecare.live.com/resource/...s/wlscctrl2.cab (Windows Live OneCare safety scanner control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = FLEXSIM.local
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\psfus: DllName - C:\Windows\system32\psqlpwd.dll - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img20.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img20.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/10 19:57:21 | 000,000,272 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/07 09:19:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/07 09:19:10 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/07 09:19:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/06 17:34:01 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/04/06 17:33:59 | 000,000,000 | ---D | C] -- C:\Users\Name\AppData\Local\temp
[2010/04/06 17:08:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/04/06 16:08:11 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/06 15:08:18 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/04/06 14:37:38 | 000,000,000 | ---D | C] -- C:\AdobeTemp
[2010/04/06 08:51:18 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/04/06 08:35:48 | 000,036,488 | ---- | C] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmdb.sys
[2010/04/05 16:50:41 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/05 15:15:45 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/04/05 15:15:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/04/05 15:15:44 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/04/05 15:12:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/05 09:58:10 | 000,000,000 | ---D | C] -- C:\Users\Name\AppData\Local\Threat Expert
[2010/04/05 09:57:44 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDCore.dll.old
[2010/04/05 09:52:56 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/04/04 19:31:40 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/04/04 19:13:43 | 000,000,000 | ---D | C] -- C:\Users\Name\Documents\ADHD
[2010/04/02 23:16:14 | 000,000,000 | ---D | C] -- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
[2010/04/02 23:16:14 | 000,000,000 | ---D | C] -- C:\Program Files\SDHelper (Spybot - Search & Destroy)
[2010/04/02 23:16:14 | 000,000,000 | ---D | C] -- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
[2010/04/02 23:16:14 | 000,000,000 | ---D | C] -- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
[2010/04/02 18:32:38 | 000,000,000 | ---D | C] -- C:\ProgramData\avG
[2010/04/02 16:19:57 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/04/02 14:51:55 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/04/02 14:33:31 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Open this folder to INSTALL FCAD to a hard disk
[2010/04/02 14:26:21 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2010/04/02 14:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/04/02 14:04:08 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/02 09:55:24 | 000,000,000 | -HSD | C] -- C:\Users\Name\.COMMgr
[2010/02/24 11:11:14 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Name\AppData\Roaming\pcouffin.sys
[2010/02/10 19:58:25 | 003,200,960 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\vcredist_x64.exe
[2010/02/10 19:58:23 | 002,723,264 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\vcredist_x86.exe

========== Files - Modified Within 14 Days ==========

[2010/04/08 13:46:06 | 012,058,624 | -HS- | M] () -- C:\Users\Name\ntuser.dat
[2010/04/08 13:13:17 | 000,220,113 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/04/08 13:13:17 | 000,220,113 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/04/08 13:06:57 | 000,003,680 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/08 13:06:57 | 000,003,680 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/08 13:06:52 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/08 13:06:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/08 13:06:38 | 3219,562,496 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/08 13:05:33 | 000,524,288 | -HS- | M] () -- C:\Users\Name\ntuser.dat{0f7d2773-2e87-11de-a6ec-0017540001e7}.TMContainer00000000000000000001.regtrans-ms
[2010/04/08 13:05:33 | 000,065,536 | -HS- | M] () -- C:\Users\Name\ntuser.dat{0f7d2773-2e87-11de-a6ec-0017540001e7}.TM.blf
[2010/04/08 13:04:25 | 003,876,609 | -H-- | M] () -- C:\Users\Name\AppData\Local\IconCache.db
[2010/04/07 18:07:51 | 000,000,396 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{BA1573A7-7023-46A7-94EA-394A360AE662}.job
[2010/04/07 09:19:18 | 000,000,829 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/07 08:04:00 | 741,264,236 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/04/06 17:30:08 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/04/06 17:07:59 | 003,908,251 | R--- | M] () -- C:\Users\Name\Desktop\ComboFix.exe
[2010/04/06 16:59:44 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2010/04/06 16:57:31 | 000,158,696 | ---- | M] () -- C:\Windows\System32\GDIPFONTCACHEV1.DAT
[2010/04/06 16:55:56 | 002,420,816 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/06 14:47:00 | 000,575,372 | ---- | M] () -- C:\Users\Name\Desktop\Calendar Pre.CSV
[2010/04/06 14:32:44 | 001,409,197 | ---- | M] () -- C:\Users\Name\Desktop\Calendar.CSV
[2010/04/06 14:32:42 | 000,012,961 | ---- | M] () -- C:\Users\Name\AppData\Roaming\Comma Separated Values (DOS).CAL
[2010/04/06 14:30:01 | 000,011,554 | -HS- | M] () -- C:\Users\Name\AppData\Local\73EjHXD
[2010/04/06 14:30:01 | 000,011,554 | -HS- | M] () -- C:\ProgramData\73EjHXD
[2010/04/06 08:35:48 | 000,036,488 | ---- | M] (Kaspersky Lab, SLA) -- C:\Windows\System32\drivers\klmdb.sys
[2010/04/05 16:51:08 | 000,000,744 | ---- | M] () -- C:\Users\Name\Desktop\NTREGOPT.lnk
[2010/04/05 16:51:07 | 000,000,725 | ---- | M] () -- C:\Users\Name\Desktop\ERUNT.lnk
[2010/04/05 16:28:51 | 000,001,096 | ---- | M] () -- C:\Users\Name\Desktop\Spybot - Search & Destroy.lnk
[2010/04/05 11:22:24 | 000,841,320 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/04 12:05:00 | 000,015,944 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/04/02 17:38:30 | 000,000,097 | ---- | M] () -- C:\Windows\System32\imon1.dat
[2010/04/02 14:26:21 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/04/07 09:19:18 | 000,000,829 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/06 14:32:43 | 001,409,197 | ---- | C] () -- C:\Users\Name\Desktop\Calendar.CSV
[2010/04/06 14:32:06 | 000,575,372 | ---- | C] () -- C:\Users\Name\Desktop\Calendar Pre.CSV
[2010/04/06 14:31:16 | 000,012,961 | ---- | C] () -- C:\Users\Name\AppData\Roaming\Comma Separated Values (DOS).CAL
[2010/04/06 13:45:06 | 000,011,554 | -HS- | C] () -- C:\Users\Name\AppData\Local\73EjHXD
[2010/04/06 13:45:06 | 000,011,554 | -HS- | C] () -- C:\ProgramData\73EjHXD
[2010/04/05 16:52:32 | 000,293,376 | ---- | C] () -- C:\Users\Name\Desktop\gmer.exe
[2010/04/05 16:51:08 | 000,000,744 | ---- | C] () -- C:\Users\Name\Desktop\NTREGOPT.lnk
[2010/04/05 16:51:07 | 000,000,725 | ---- | C] () -- C:\Users\Name\Desktop\ERUNT.lnk
[2010/04/05 15:15:45 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/04/05 15:15:45 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/04/05 15:15:44 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/04/05 15:15:44 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/04/05 15:15:44 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/04/05 15:08:51 | 003,908,251 | R--- | C] () -- C:\Users\Name\Desktop\ComboFix.exe
[2010/04/04 09:50:44 | 741,264,236 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/04/02 23:24:19 | 000,001,096 | ---- | C] () -- C:\Users\Name\Desktop\Spybot - Search & Destroy.lnk
[2010/04/02 19:23:16 | 3219,562,496 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/02 14:04:26 | 000,015,944 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/03/10 15:46:12 | 006,135,603 | ---- | C] () -- C:\Windows\System32\lapack_win32.dll
[2010/03/10 15:46:12 | 000,622,281 | ---- | C] () -- C:\Windows\System32\blas_win32.dll
[2010/03/02 10:48:04 | 000,009,688 | -HS- | C] () -- C:\Users\Name\AppData\Local\OFxpHxrn768uh
[2010/02/24 11:12:37 | 000,000,034 | ---- | C] () -- C:\Users\Name\AppData\Roaming\pcouffin.log
[2010/02/24 11:11:14 | 000,007,887 | ---- | C] () -- C:\Users\Name\AppData\Roaming\pcouffin.cat
[2010/02/24 11:11:14 | 000,001,144 | ---- | C] () -- C:\Users\Name\AppData\Roaming\pcouffin.inf
[2010/02/16 18:26:22 | 000,000,024 | ---- | C] () -- C:\Windows\SCAux.INI
[2010/02/16 14:57:19 | 000,000,084 | ---- | C] () -- C:\Windows\xfit.INI
[2010/02/12 15:24:49 | 000,000,000 | ---- | C] () -- C:\Windows\MS.INI
[2010/02/11 17:03:10 | 000,000,383 | ---- | C] () -- C:\Windows\System32\haspdos.sys
[2010/02/11 15:35:03 | 000,000,000 | ---- | C] () -- C:\Windows\McHmm.INI
[2010/02/10 20:12:36 | 000,256,256 | ---- | C] () -- C:\Windows\System32\SentinelFilter.sys
[2010/02/10 19:46:22 | 000,080,384 | ---- | C] () -- C:\Windows\System32\UTILS.DLL
[2010/02/10 19:46:22 | 000,061,440 | ---- | C] () -- C:\Windows\System32\_FSTDIO.DLL
[2010/02/10 19:46:22 | 000,015,360 | ---- | C] () -- C:\Windows\System32\WIN_CHNG.DLL
[2010/02/10 19:46:17 | 000,120,832 | ---- | C] () -- C:\Windows\System32\CLASSES.DLL
[2010/02/10 19:46:17 | 000,021,504 | ---- | C] () -- C:\Windows\System32\LISTBOX.DLL
[2010/02/10 19:45:21 | 000,009,552 | ---- | C] () -- C:\Windows\System32\INETWH16.DLL
[2010/02/09 08:55:20 | 000,000,024 | ---- | C] () -- C:\Users\Name\AppData\Roaming\sgcpom.dat
[2010/02/03 09:24:16 | 000,038,431 | ---- | C] () -- C:\Users\Name\AppData\Roaming\Comma Separated Values (DOS).ADR
[2009/10/30 11:42:47 | 010,959,271 | ---- | C] () -- C:\Users\Name\Henry B Eyring - Choose This Day.mp4
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/06/01 09:38:11 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/05/14 15:29:30 | 000,462,848 | ---- | C] () -- C:\Windows\System32\ractrlkeyhook.dll
[2009/04/21 13:26:56 | 000,211,481 | ---- | C] () -- C:\Program Files\SolidWorksswxJRNL.BAK
[2009/04/21 10:00:38 | 000,524,288 | -HS- | C] () -- C:\Users\Name\ntuser.dat{0f7d2773-2e87-11de-a6ec-0017540001e7}.TMContainer00000000000000000002.regtrans-ms
[2009/04/21 10:00:38 | 000,524,288 | -HS- | C] () -- C:\Users\Name\ntuser.dat{0f7d2773-2e87-11de-a6ec-0017540001e7}.TMContainer00000000000000000001.regtrans-ms
[2009/04/21 10:00:38 | 000,065,536 | -HS- | C] () -- C:\Users\Name\ntuser.dat{0f7d2773-2e87-11de-a6ec-0017540001e7}.TM.blf
[2009/04/21 07:23:00 | 000,524,288 | -HS- | C] () -- C:\Users\Name\ntuser.dat{8af41cb5-2e76-11de-865f-0017540001e7}.TMContainer00000000000000000002.regtrans-ms
[2009/04/21 07:23:00 | 000,524,288 | -HS- | C] () -- C:\Users\Name\ntuser.dat{8af41cb5-2e76-11de-865f-0017540001e7}.TMContainer00000000000000000001.regtrans-ms
[2009/04/21 07:23:00 | 000,065,536 | -HS- | C] () -- C:\Users\Name\ntuser.dat{8af41cb5-2e76-11de-865f-0017540001e7}.TM.blf
[2009/02/19 10:26:21 | 000,015,360 | ---- | C] () -- C:\Windows\System32\ibfs32.dll
[2009/02/19 10:11:37 | 000,000,000 | ---- | C] () -- C:\Windows\eDrawingOfficeAutomator.INI
[2009/02/11 15:32:38 | 000,007,310 | ---- | C] () -- C:\Users\Name\ac3dprefs.txt
[2009/01/14 12:59:38 | 000,000,088 | RHS- | C] () -- C:\ProgramData\DDECA83AFF.sys
[2009/01/14 12:59:37 | 000,001,004 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2009/01/14 12:59:15 | 000,000,000 | -H-- | C] () -- C:\Users\Name\AppData\Roaming\ActUpdate.log
[2008/11/06 13:44:48 | 000,015,424 | ---- | C] () -- C:\Windows\System32\drivers\nod32drv.sys
[2008/10/24 13:59:09 | 000,691,696 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys
[2008/09/11 14:06:49 | 000,413,154 | ---- | C] () -- C:\Program Files\Test_1_Output_1.bmp
[2008/09/11 14:06:48 | 000,001,797 | ---- | C] () -- C:\Program Files\Test.htm
[2008/09/09 15:58:08 | 000,010,752 | ---- | C] () -- C:\Windows\System32\DWFPortMon3.dll
[2008/08/27 09:46:53 | 000,220,113 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/08/27 09:46:53 | 000,220,113 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008/08/07 13:30:24 | 000,002,740 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2008/06/18 15:59:56 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2008/06/06 09:37:16 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2008/04/12 14:09:53 | 000,004,096 | -H-- | C] () -- C:\Users\Name\AppData\Local\keyfile3.drm
[2007/12/28 12:54:03 | 000,060,744 | ---- | C] () -- C:\Users\Name\g2mdlhlpx.exe
[2007/12/05 18:25:28 | 000,057,344 | R--- | C] () -- C:\Windows\System32\MKLAccess.dll
[2007/11/03 10:26:58 | 000,000,000 | ---- | C] () -- C:\Windows\_delis32.ini
[2007/10/18 17:22:31 | 000,001,052 | ---- | C] () -- C:\Users\Name\XrxWm.ini
[2007/08/29 17:13:26 | 000,004,352 | ---- | C] () -- C:\Windows\System32\drivers\DAQRES.SYS
[2007/08/29 17:12:55 | 000,225,280 | ---- | C] () -- C:\Windows\System32\CVTTURBO.DLL
[2007/08/29 17:12:54 | 000,086,016 | ---- | C] () -- C:\Windows\System32\DAQGRID.DLL
[2007/08/29 17:12:54 | 000,046,080 | ---- | C] () -- C:\Windows\System32\DAQCOMP.DLL
[2007/08/29 17:12:53 | 000,026,624 | ---- | C] () -- C:\Windows\System32\WRTBLK32.DLL
[2007/08/29 17:12:46 | 000,044,544 | ---- | C] () -- C:\Windows\System32\GKMTRS32.DLL
[2007/08/29 17:12:44 | 000,221,255 | ---- | C] () -- C:\Windows\System32\iotdaqinst0.dll
[2007/08/29 17:12:34 | 000,040,960 | ---- | C] () -- C:\Windows\System32\CHARTX32.DLL
[2007/08/21 21:46:34 | 000,059,160 | ---- | C] () -- C:\Windows\System32\zlib.dll
[2007/08/01 16:01:04 | 000,091,648 | ---- | C] () -- C:\Users\Name\gzip.exe
[2007/07/25 10:09:04 | 000,000,067 | ---- | C] () -- C:\Windows\swupdate.INI
[2007/07/23 09:03:32 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2007/07/23 09:03:32 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2007/07/23 09:03:32 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2007/07/23 09:03:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2007/07/23 08:14:41 | 000,110,864 | ---- | C] () -- C:\Windows\System32\XBUninst.dll
[2007/07/13 14:13:03 | 000,000,095 | ---- | C] () -- C:\Users\Name\AppData\Local\fusioncache.dat
[2007/07/13 08:10:00 | 000,001,000 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/07/12 16:40:02 | 000,153,505 | ---- | C] () -- C:\Users\Name\AppData\Roaming\nvModes.dat
[2007/07/12 16:40:02 | 000,153,505 | ---- | C] () -- C:\Users\Name\AppData\Roaming\nvModes.001
[2007/07/12 16:24:06 | 000,045,056 | ---- | C] () -- C:\Windows\System32\CMDRVRMU.DLL
[2007/07/12 16:23:58 | 000,004,672 | ---- | C] () -- C:\Windows\CMUDAU.INI
[2007/07/12 16:18:01 | 000,524,288 | -HS- | C] () -- C:\Users\Name\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
[2007/07/12 16:18:01 | 000,524,288 | -HS- | C] () -- C:\Users\Name\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
[2007/07/12 16:18:01 | 000,262,144 | -H-- | C] () -- C:\Users\Name\ntuser.dat.LOG1
[2007/07/12 16:18:01 | 000,065,536 | -HS- | C] () -- C:\Users\Name\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
[2007/07/12 16:18:01 | 000,000,020 | -HS- | C] () -- C:\Users\Name\ntuser.ini
[2007/07/12 16:18:01 | 000,000,000 | -H-- | C] () -- C:\Users\Name\ntuser.dat.LOG2
[2007/07/12 16:18:00 | 012,058,624 | -HS- | C] () -- C:\Users\Name\ntuser.dat
[2007/07/12 16:18:00 | 007,340,032 | -HS- | C] () -- C:\Users\Name\ntuser.dat_previous
[2007/05/30 22:10:03 | 000,524,288 | -HS- | C] () -- C:\ProgramData\ntuser.dat{087812de-0f2c-11dc-8974-0016d4f84ab9}.TMContainer00000000000000000002.regtrans-ms
[2007/05/30 22:10:03 | 000,065,536 | -HS- | C] () -- C:\ProgramData\ntuser.dat{087812de-0f2c-11dc-8974-0016d4f84ab9}.TM.blf
[2007/05/30 22:10:02 | 000,524,288 | -HS- | C] () -- C:\ProgramData\ntuser.dat{087812ce-0f2c-11dc-8974-0016d4f84ab9}.TMContainer00000000000000000002.regtrans-ms
[2007/05/30 22:10:02 | 000,262,144 | ---- | C] () -- C:\ProgramData\ntuser.dat
[2007/05/30 22:10:02 | 000,065,536 | -HS- | C] () -- C:\ProgramData\ntuser.dat{087812ce-0f2c-11dc-8974-0016d4f84ab9}.TM.blf
[2007/05/30 22:10:02 | 000,005,120 | -H-- | C] () -- C:\ProgramData\ntuser.dat.LOG1
[2007/05/30 22:10:02 | 000,000,000 | -H-- | C] () -- C:\ProgramData\ntuser.dat.LOG2
[2007/05/30 21:54:29 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2007/05/30 21:54:29 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2007/05/30 21:54:29 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2007/05/30 21:54:29 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2007/05/30 21:54:29 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2007/05/30 21:54:29 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2007/05/30 20:27:20 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2007/05/30 20:26:27 | 000,036,864 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll
[2007/05/30 20:20:31 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2007/05/30 20:20:31 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2007/05/30 20:20:31 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2007/05/30 20:20:31 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2007/03/11 02:18:48 | 000,163,840 | ---- | C] () -- C:\Windows\System32\nvccoin.dll
[2007/03/09 13:58:40 | 001,691,808 | ---- | C] () -- C:\Windows\System32\drivers\lvckap.sys
[2007/03/09 12:20:10 | 000,050,127 | ---- | C] () -- C:\Windows\System32\drivers\lcoinst.ini
[2007/03/06 17:54:04 | 000,995,328 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2007/02/26 00:42:22 | 000,053,248 | ---- | C] () -- C:\Windows\System32\ArmAccess.dll
[2006/12/05 14:05:06 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/11/02 06:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 11:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/11/23 15:55:42 | 000,024,576 | ---- | C] () -- C:\Windows\System32\SPCtl.dll
[2005/07/22 22:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/01/14 12:45:08 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\ACT
[2008/10/28 10:50:33 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Astroburn
[2009/02/11 17:06:49 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Autodesk
[2010/02/17 14:43:09 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\com.adobe.ExMan
[2009/04/21 09:49:14 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\DAEMON Tools
[2010/02/11 13:34:02 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\DAEMON Tools Lite
[2009/05/05 20:26:08 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\DassaultSystemes
[2009/03/11 13:04:47 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\DNA
[2010/02/27 01:01:00 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\DVDFab
[2009/02/19 10:14:59 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\DWGeditor
[2010/02/12 15:32:53 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\editNC
[2008/02/27 19:26:45 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Firaxis Games
[2010/02/10 15:12:19 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Flexsim
[2008/02/12 15:26:09 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Flexsim4
[2010/03/24 11:47:55 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\IM
[2009/01/14 12:59:36 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\IsolatedStorage
[2010/03/19 10:14:05 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\MioNetApplet
[2009/04/15 16:41:26 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\NewsLeecher
[2007/08/03 08:20:01 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Opera
[2008/02/29 10:23:29 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Palo Alto Software
[2008/07/11 14:04:49 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Subversion
[2007/12/03 08:28:51 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\TOSHIBA
[2010/02/27 01:19:22 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Vso
[2009/04/07 11:08:46 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\webex
[2007/08/08 08:15:57 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\WinBatch
[2008/10/15 12:16:24 | 000,000,000 | ---D | M] -- C:\Users\Name\AppData\Roaming\Xerox
[2010/04/08 13:05:17 | 000,032,598 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/04/07 18:07:51 | 000,000,396 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{BA1573A7-7023-46A7-94EA-394A360AE662}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:05EE1EEF
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:64217CD0
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >

#15 Rorschach112

  • Group: Retired Staff
  • Posts: 47,710
  • Joined: 23-March 07

Posted 08 April 2010 - 01:54 PM

hi

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [2010/04/06 13:45:06 | 000,011,554 | -HS- | C] () -- C:\Users\Brandon\AppData\Local\73EjHXD
    [2010/04/06 13:45:06 | 000,011,554 | -HS- | C] () -- C:\ProgramData\73EjHXD
    [2010/03/02 10:48:04 | 000,009,688 | -HS- | C] () -- C:\Users\Brandon\AppData\Local\OFxpHxrn768uh
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done




Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.




  • Open OTL
  • Under the Custom Scans/Fixes box at the bottom, paste the following:
    :Commands
    [clearallrestorepoints]
    [createrestorepoint]

  • Click the Run Fix button at the top
  • It might ask you to reboot, if so click YES




  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
  • Click on the CleanUp button.
  • Click Yes to begin the cleanup process and remove tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes




  • Please read my guide on how to prevent malware and about safe computing here

Thank you for your patience, and performing all of the procedures requested.
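The fix script above singles out three hidden+system files with random names under ProgramData and AppData\Local, exactly the pattern a reviewer scans an OTL "Files Created" section for. As an added example (not part of this thread and not OTL's own code), here is a small Python parser for OTL file/folder lines together with the triage rule a helper applies by eye: flag entries that carry the H and S attributes, report no vendor, have no file extension, and live in a user-writable location. The sample lines are copied from the log posted above; the rule itself is an assumption of this example, not something OTL implements.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the OTL log in this
# thread, mixing a vendor-signed driver, a directory, a profile hive and the
# three hidden+system files the helper targeted in the fix script.
SAMPLE_LOG = r"""
[2010/04/07 09:19:10 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/07 09:19:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/06 13:45:06 | 000,011,554 | -HS- | C] () -- C:\Users\Name\AppData\Local\73EjHXD
[2010/04/06 13:45:06 | 000,011,554 | -HS- | C] () -- C:\ProgramData\73EjHXD
[2010/03/02 10:48:04 | 000,009,688 | -HS- | C] () -- C:\Users\Name\AppData\Local\OFxpHxrn768uh
[2009/01/14 12:59:37 | 000,001,004 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2007/07/12 16:18:00 | 012,058,624 | -HS- | C] () -- C:\Users\Name\ntuser.dat
[2010/04/02 09:55:24 | 000,000,000 | -HSD | C] -- C:\Users\Name\.COMMgr
"""

# [timestamp | size | attrs | C/M] (vendor) -- path   (vendor is absent for folders)
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<vendor>[^)]*)\))? -- (?P<path>.+)$"
)

# Locations any standard user can write to; a hidden+system, unsigned,
# extension-less file here is worth a second look (heuristic of this example).
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\")


@dataclass
class FileEntry:
    timestamp: str
    size: int
    read_only: bool
    hidden: bool
    system: bool
    is_dir: bool
    vendor: str
    path: str


def parse_entry(line: str) -> Optional[FileEntry]:
    """Parse one OTL file/folder line; return None for anything else."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")  # fixed positions: R=read-only, H=hidden, S=system, D=directory
    return FileEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        read_only=attrs[0] == "R",
        hidden=attrs[1] == "H",
        system=attrs[2] == "S",
        is_dir=attrs[3] == "D",
        vendor=(m.group("vendor") or "").strip(),
        path=m.group("path"),
    )


def is_suspicious(entry: FileEntry) -> bool:
    """Triage rule: hidden+system file, no vendor, no extension, user-writable dir."""
    if entry.is_dir or not (entry.hidden and entry.system):
        return False
    if entry.vendor:
        return False
    lowered = entry.path.lower()
    if not any(marker in lowered for marker in USER_WRITABLE):
        return False
    filename = lowered.rsplit("\\", 1)[-1]
    return "." not in filename


def find_suspicious(log_text: str) -> List[str]:
    """Return the paths of all entries in an OTL log that match the triage rule."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e.path for e in entries if e is not None and is_suspicious(e)]


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_LOG):
        print("review:", path)
```

Run against the sample, the three flagged paths are the same three files the helper listed under `:OTL` in the fix, while `KGyGaAvL.sys` and `ntuser.dat` (hidden+system, but carrying an extension or sitting outside the watched folders) are left alone. The rule is a first-pass filter, not a verdict: anything it flags still needs the hash, vendor and parent-process context a helper normally checks before writing a fix.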
