Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Backdoor Win32 from Toshiba maybe RTK [Closed]


  • This topic is locked This topic is locked

#1
bluemoonfla

bluemoonfla

    New Member

  • Member
  • Pip
  • 4 posts
This new laptop showed problems right out of the box. I spent days with Toshiba tech-support and they admit they put some crud on their machines that runs media sharing hidden. After they suggested removal of factory recovery/oem partition and clean Windows 7 install (using my licensed Windows 7 HP disk) I still feel there is some problem. Disabled as much "Media Player Sharing" as I can find. My avast seems corrupt, as I notice there is no file signature for the update application. (ticket submitted to Avast today)
Have removed IE8 using Windows Features, installed firefox and thunderbird.
See references in registry to Biz Talk Server 2004, what is that about?
Avast Firewall Log shows repeated inbound connections "blocked" not sure if they really are due to possible corruption, from locations in China and Germany...lol, I don't know anyone in either place.
Help Please!! Need my pc to be secure since I store bookkeeping and tax info for clients (Home based bookkeeping service)Mbam runs clean, Avast runs clean (keeps no logs even tho I tried to turn on)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4082

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/9/2010 9:35:00 AM
mbam-log-2010-05-09 (09-35-00).txt

Scan type: Quick scan
Objects scanned: 118663
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Gmer:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-09 09:59:16
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\MomBug\AppData\Local\Temp\kglcqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwAlpcSendWaitReceivePort [0x8A81B6B4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEvent [0x8A81AF84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEventPair [0x8A81B008]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateIoCompletion [0x8A81B1A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateMutant [0x8A81AE80]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSection [0x8A81B084]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSemaphore [0x8A81AF02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateTimer [0x8A81B124]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwLoadDriver [0x8A8192E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEvent [0x8A81AFCA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEventPair [0x8A81B046]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenIoCompletion [0x8A81B1E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenMutant [0x8A81AEC4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenSection [0x8A81B0DA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenSemaphore [0x8A81AF46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenTimer [0x8A81B166]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwQueryObject [0x8A819E4A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePort [0x8A81BB0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePortEx [0x8A81B672]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwSetSystemInformation [0x8A819352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwShutdownSystem [0x8A81948E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwSystemDebugControl [0x8A8194A0]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C29AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C29104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C293F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C11634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C11898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C291DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C29958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C296F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C29F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81C2A1A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8AEAC50A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81C89599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81CADF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 28C 81CB579C 4 Bytes [B4, B6, 81, 8A]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F0 81CB5800 8 Bytes [84, AF, 81, 8A, 08, B0, 81, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 2FC 81CB580C 4 Bytes JMP 037CFC92
.text ntkrnlpa.exe!RtlSidHashLookup + 318 81CB5828 4 Bytes [80, AE, 81, 8A]
.text ntkrnlpa.exe!RtlSidHashLookup + 340 81CB5850 8 Bytes [84, B0, 81, 8A, 02, AF, 81, ...]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81E4EFA7 5 Bytes JMP 8AEA84AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 81E68CA7 5 Bytes JMP 8AEA99E4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 81F20EAA 7 Bytes JMP 8AEAC50E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8B43E000, 0x227A14, 0xE8000020]
.text peauth.sys 92F6CC9D 28 Bytes [4F, E1, CF, 97, 6E, DE, 19, ...]
.text peauth.sys 92F6CCC1 28 Bytes [4F, E1, CF, 97, 6E, DE, 19, ...]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

OLT:
OTL logfile created on: 5/9/2010 10:03:53 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\MicheLLE\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.79 Gb Total Space | 220.72 Gb Free Space | 94.82% Space Free | Partition Type: NTFS
Drive D: | 100.00 Mb Total Space | 84.74 Mb Free Space | 84.74% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BLUES-PC
Current User Name: MomBug
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/09 09:08:05 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\MicheLLE\Desktop\OTL.exe
PRC - [2010/04/14 11:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/04/14 11:46:53 | 000,119,200 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\afwServ.exe
PRC - [2010/04/01 12:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/10/31 00:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/09/26 07:35:02 | 000,819,600 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
PRC - [2009/09/23 15:04:56 | 000,203,608 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2009/09/23 15:04:52 | 000,447,832 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe


========== Modules (SafeList) ==========

MOD - [2010/05/09 09:08:05 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\MicheLLE\Desktop\OTL.exe
MOD - [2010/04/14 11:36:14 | 000,140,800 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxBorder.dll
MOD - [2010/04/14 11:33:44 | 000,140,288 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\snxPlugins.dll
MOD - [2009/07/13 20:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 20:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 20:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 20:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 20:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 20:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 20:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 20:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/05/05 16:28:34 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 11:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/04/14 11:46:53 | 000,119,200 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\afwServ.exe -- (avast! Firewall)
SRV - [2009/09/26 07:35:02 | 000,819,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE -- (cvhsvc)
SRV - [2009/09/26 04:28:22 | 004,639,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE -- (osppsvc)
SRV - [2009/09/23 15:04:56 | 000,203,608 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2009/09/23 15:04:52 | 000,447,832 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2009/08/18 02:36:08 | 000,176,128 | ---- | M] (AMD) [Disabled | Stopped] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/07/13 20:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 20:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 20:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 20:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 20:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 20:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)


========== Driver Services (SafeList) ==========

DRV - [2010/04/14 11:37:30 | 000,102,736 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswFW.sys -- (aswFW)
DRV - [2010/04/14 11:37:13 | 000,297,552 | ---- | M] (ALWIL Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2010/04/14 11:36:53 | 000,196,048 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswNdis2.sys -- (aswNdis2)
DRV - [2010/04/14 11:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 11:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 11:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 11:31:23 | 000,051,792 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2010/04/14 11:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/03/19 15:10:13 | 000,012,112 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\aswNdis.sys -- (aswNdis)
DRV - [2009/12/11 02:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/09/23 15:04:56 | 000,021,848 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2009/09/23 15:04:56 | 000,014,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\drivers\SftVollh.sys -- (sftvol)
DRV - [2009/09/23 15:04:54 | 000,190,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\drivers\sftplaylh.sys -- (sftplay)
DRV - [2009/09/23 15:04:50 | 000,543,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\drivers\SftFSlh.sys -- (sftfs)
DRV - [2009/07/13 20:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 20:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 20:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 20:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 20:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 20:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 20:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 20:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 20:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 20:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 20:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 20:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 20:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 20:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 20:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 20:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 20:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 20:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 20:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 20:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 20:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 20:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 20:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 20:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 20:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 20:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 20:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 20:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 20:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 20:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 20:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 20:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 20:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 20:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 20:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 20:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 19:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 19:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 19:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 18:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 18:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 18:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 18:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 18:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 18:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 18:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 18:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 18:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 18:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 18:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 18:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 18:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 18:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 18:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 17:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 17:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 17:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 17:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 17:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 17:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 17:09:17 | 004,194,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/13 17:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 17:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 17:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/03/01 23:05:32 | 000,139,776 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2007/11/09 05:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-780369010-2013149336-390633494-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/09 09:59:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/09 07:41:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/05/09 08:04:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/05/09 09:59:57 | 000,000,000 | ---D | M] -- C:\Users\MomBug\AppData\Roaming\Mozilla\Extensions
[2010/05/09 08:04:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MomBug\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/05/09 09:59:57 | 000,000,000 | ---D | M] -- C:\Users\MomBug\AppData\Roaming\Mozilla\Firefox\Profiles\7zhfyw0z.default\extensions
[2010/05/09 07:41:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2009/06/10 16:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (ALWIL Software)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe File not found
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2010/05/08 06:41:09 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/09 09:59:56 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Local\Mozilla
[2010/05/09 09:29:14 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Roaming\Malwarebytes
[2010/05/09 09:29:09 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/05/09 09:29:07 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/05/09 09:29:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/05/09 09:28:30 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/09 09:27:44 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/09 09:25:02 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Searches
[2010/05/09 09:24:57 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Roaming\Identities
[2010/05/09 09:24:54 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Contacts
[2010/05/09 09:24:46 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Local\VirtualStore
[2010/05/09 09:17:40 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\MomBug\Desktop\TFC.exe
[2010/05/09 08:04:50 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Roaming\Thunderbird
[2010/05/09 08:04:50 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Local\Thunderbird
[2010/05/09 08:04:50 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Roaming\Mozilla
[2010/05/09 08:04:40 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird
[2010/05/09 07:41:34 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/05/09 07:31:21 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Local\ElevatedDiagnostics
[2010/05/09 05:23:25 | 000,000,000 | ---D | C] -- C:\ProgramData\VirtualizedApplications
[2010/05/08 10:08:08 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\AppData\Local\Temporary Internet Files
[2010/05/08 10:08:08 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\Templates
[2010/05/08 10:08:08 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\Local Settings
[2010/05/08 10:08:08 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\AppData\Local\History
[2010/05/08 10:08:08 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\AppData\Local\Application Data
[2010/05/08 10:08:07 | 000,000,000 | --SD | C] -- C:\Users\MomBug\AppData\Roaming\Microsoft
[2010/05/08 10:08:07 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Videos
[2010/05/08 10:08:07 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Saved Games
[2010/05/08 10:08:07 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Pictures
[2010/05/08 10:08:07 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Music
[2010/05/08 10:08:07 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Links
[2010/05/08 10:08:07 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Favorites
[2010/05/08 10:08:07 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Downloads
[2010/05/08 10:08:07 | 000,000,000 | R--D | C] -- C:\Users\MomBug\My Documents
[2010/05/08 10:08:07 | 000,000,000 | R--D | C] -- C:\Users\MomBug\Desktop
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\Start Menu
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\SendTo
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\Recent
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\PrintHood
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\NetHood
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\Documents\My Videos
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\Documents\My Pictures
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\Documents\My Music
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\My Documents
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\Cookies
[2010/05/08 10:08:07 | 000,000,000 | -HSD | C] -- C:\Users\MomBug\Application Data
[2010/05/08 10:08:07 | 000,000,000 | -H-D | C] -- C:\Users\MomBug\AppData
[2010/05/08 10:08:07 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Local\Temp
[2010/05/08 10:08:07 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Local\Microsoft
[2010/05/08 10:08:07 | 000,000,000 | ---D | C] -- C:\Users\MomBug\AppData\Roaming\Media Center Programs
[2010/05/08 09:53:36 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswSP.sys
[2010/05/08 09:53:36 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2010/05/08 09:53:34 | 000,297,552 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2010/05/08 09:53:32 | 000,102,736 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswFW.sys
[2010/05/08 09:53:10 | 000,196,048 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswNdis2.sys
[2010/05/08 09:53:10 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2010/05/08 09:53:08 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2010/05/08 09:53:04 | 000,051,792 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2010/05/08 09:52:49 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\Windows\System32\aswBoot.exe
[2010/05/08 09:52:49 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\Windows\System32\avastSS.scr
[2010/05/08 09:52:49 | 000,012,112 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswNdis.sys
[2010/05/07 21:29:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/07 21:18:21 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/07 11:07:48 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/05/07 05:47:22 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2010/05/06 08:20:11 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/05/06 06:42:35 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\SoftGrid Client
[2010/05/06 06:41:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2010/05/06 06:41:39 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2010/05/06 06:41:38 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2010/05/06 06:41:38 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Application Virtualization Client
[2010/05/06 06:27:49 | 000,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2010/05/05 17:57:20 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2010/05/05 17:57:06 | 000,000,000 | -HSD | C] -- C:\Boot
[2010/05/05 17:01:13 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2010/05/05 16:58:24 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2010/05/05 16:58:04 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2010/05/05 16:28:36 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2010/05/05 14:07:32 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2010/05/05 14:07:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010/05/05 14:07:25 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/05 13:18:13 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/05/05 13:18:13 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/05/05 13:18:13 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/05/05 13:18:12 | 002,614,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\explorer.exe
[2010/05/05 13:18:08 | 000,427,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/05/05 13:17:33 | 001,037,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
[2010/05/05 13:17:33 | 000,133,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ksecpkg.sys
[2010/05/05 13:17:32 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2010/05/05 13:17:21 | 001,320,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CertEnroll.dll
[2010/05/05 13:17:21 | 000,507,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winload.exe
[2010/05/05 13:17:21 | 000,442,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winresume.exe
[2010/05/05 13:17:18 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll
[2010/05/05 13:17:18 | 000,465,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2010/05/05 13:17:18 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2010/05/05 13:17:17 | 003,954,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/05/05 13:17:17 | 003,899,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/05/05 13:17:16 | 000,369,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc.dll
[2010/05/05 13:17:16 | 000,365,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_isv.dll
[2010/05/05 13:17:16 | 000,324,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_isv.exe
[2010/05/05 13:17:16 | 000,320,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate.exe
[2010/05/05 13:17:16 | 000,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp.exe
[2010/05/05 13:17:16 | 000,277,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RMActivate_ssp_isv.exe
[2010/05/05 13:17:16 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp_isv.dll
[2010/05/05 13:17:16 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secproc_ssp.dll
[2010/05/05 13:17:15 | 001,328,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2010/05/05 13:17:15 | 000,293,888 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/05/05 13:17:15 | 000,108,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2010/05/05 13:17:15 | 000,091,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll
[2010/05/05 13:17:15 | 000,084,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciavi32.dll
[2010/05/05 13:17:14 | 000,070,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010/05/05 13:17:13 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/05/05 13:16:24 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/05/05 13:10:38 | 000,000,000 | -HSD | C] -- C:\Recovery

========== Files - Modified Within 30 Days ==========

[2010/05/09 10:05:33 | 000,524,288 | -HS- | M] () -- C:\Users\MomBug\NTUSER.DAT
[2010/05/09 09:29:53 | 000,015,472 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/09 09:29:53 | 000,015,472 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/09 09:29:11 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/09 09:28:56 | 000,640,672 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/09 09:28:56 | 000,559,464 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/09 09:28:56 | 000,089,054 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/09 09:27:44 | 000,000,894 | ---- | M] () -- C:\Users\MomBug\Desktop\NTREGOPT.lnk
[2010/05/09 09:27:44 | 000,000,875 | ---- | M] () -- C:\Users\MomBug\Desktop\ERUNT.lnk
[2010/05/09 09:24:36 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/09 09:24:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/09 09:24:21 | 1408,045,056 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/09 09:17:41 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\MomBug\Desktop\TFC.exe
[2010/05/09 08:04:52 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2010/05/09 08:04:47 | 000,001,951 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
[2010/05/09 07:41:40 | 000,001,885 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/05/09 05:57:32 | 000,007,158 | ---- | M] () -- C:\Users\MomBug\Documents\cc_20100509_055544.reg
[2010/05/09 05:53:51 | 000,001,831 | ---- | M] () -- C:\Users\MomBug\Desktop\CCleaner.lnk
[2010/05/09 05:45:13 | 000,524,288 | -HS- | M] () -- C:\Users\MomBug\NTUSER.DAT{12eb8c7d-5b57-11df-ad40-705ab687c305}.TMContainer00000000000000000002.regtrans-ms
[2010/05/09 05:45:13 | 000,524,288 | -HS- | M] () -- C:\Users\MomBug\NTUSER.DAT{12eb8c7d-5b57-11df-ad40-705ab687c305}.TMContainer00000000000000000001.regtrans-ms
[2010/05/09 05:45:13 | 000,065,536 | -HS- | M] () -- C:\Users\MomBug\NTUSER.DAT{12eb8c7d-5b57-11df-ad40-705ab687c305}.TM.blf
[2010/05/09 05:13:50 | 000,000,057 | ---- | M] () -- C:\Windows\System32\mapisvc.inf
[2010/05/08 23:32:42 | 000,057,560 | ---- | M] () -- C:\Users\MomBug\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/05/08 10:10:05 | 000,524,288 | -HS- | M] () -- C:\Users\MomBug\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010/05/08 10:10:05 | 000,524,288 | -HS- | M] () -- C:\Users\MomBug\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010/05/08 10:10:05 | 000,065,536 | -HS- | M] () -- C:\Users\MomBug\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010/05/08 10:08:08 | 000,000,020 | -HS- | M] () -- C:\Users\MomBug\ntuser.ini
[2010/05/08 09:53:37 | 000,002,005 | ---- | M] () -- C:\Users\Public\Desktop\avast! Internet Security.lnk
[2010/05/08 09:53:04 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/05/08 07:45:00 | 000,088,301 | ---- | M] () -- C:\Windows\System32\wfpdiag.cab
[2010/05/08 06:54:44 | 000,879,353 | ---- | M] () -- C:\Windows\System32\wfpstate.xml
[2010/05/05 17:57:08 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010/05/05 17:01:27 | 000,041,962 | ---- | M] () -- C:\Windows\System32\license.rtf
[2010/05/05 17:00:01 | 000,000,000 | ---- | M] () -- C:\Windows\ativpsrm.bin
[2010/05/05 13:24:24 | 000,266,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/14 11:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\Windows\System32\avastSS.scr
[2010/04/14 11:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\Windows\System32\aswBoot.exe
[2010/04/14 11:37:30 | 000,102,736 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswFW.sys
[2010/04/14 11:37:13 | 000,297,552 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2010/04/14 11:36:53 | 000,196,048 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswNdis2.sys
[2010/04/14 11:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2010/04/14 11:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswSP.sys
[2010/04/14 11:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2010/04/14 11:31:23 | 000,051,792 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2010/04/14 11:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswFsBlk.sys

========== Files Created - No Company Name ==========

[2010/05/09 09:29:11 | 000,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/09 09:27:44 | 000,000,894 | ---- | C] () -- C:\Users\MomBug\Desktop\NTREGOPT.lnk
[2010/05/09 09:27:44 | 000,000,875 | ---- | C] () -- C:\Users\MomBug\Desktop\ERUNT.lnk
[2010/05/09 08:04:52 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/05/09 08:04:47 | 000,001,951 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
[2010/05/09 07:41:40 | 000,001,885 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/05/09 05:56:06 | 000,007,158 | ---- | C] () -- C:\Users\MomBug\Documents\cc_20100509_055544.reg
[2010/05/09 05:53:51 | 000,001,831 | ---- | C] () -- C:\Users\MomBug\Desktop\CCleaner.lnk
[2010/05/09 05:45:12 | 000,524,288 | -HS- | C] () -- C:\Users\MomBug\NTUSER.DAT{12eb8c7d-5b57-11df-ad40-705ab687c305}.TMContainer00000000000000000002.regtrans-ms
[2010/05/09 05:45:12 | 000,524,288 | -HS- | C] () -- C:\Users\MomBug\NTUSER.DAT{12eb8c7d-5b57-11df-ad40-705ab687c305}.TMContainer00000000000000000001.regtrans-ms
[2010/05/09 05:45:12 | 000,065,536 | -HS- | C] () -- C:\Users\MomBug\NTUSER.DAT{12eb8c7d-5b57-11df-ad40-705ab687c305}.TM.blf
[2010/05/08 10:08:08 | 000,000,020 | -HS- | C] () -- C:\Users\MomBug\ntuser.ini
[2010/05/08 10:08:07 | 000,524,288 | -HS- | C] () -- C:\Users\MomBug\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
[2010/05/08 10:08:07 | 000,524,288 | -HS- | C] () -- C:\Users\MomBug\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
[2010/05/08 10:08:07 | 000,524,288 | -HS- | C] () -- C:\Users\MomBug\NTUSER.DAT
[2010/05/08 10:08:07 | 000,262,144 | -HS- | C] () -- C:\Users\MomBug\ntuser.dat.LOG1
[2010/05/08 10:08:07 | 000,065,536 | -HS- | C] () -- C:\Users\MomBug\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
[2010/05/08 10:08:07 | 000,000,000 | -HS- | C] () -- C:\Users\MomBug\ntuser.dat.LOG2
[2010/05/08 09:53:37 | 000,002,005 | ---- | C] () -- C:\Users\Public\Desktop\avast! Internet Security.lnk
[2010/05/08 07:45:00 | 000,088,301 | ---- | C] () -- C:\Windows\System32\wfpdiag.cab
[2010/05/08 06:54:44 | 000,879,353 | ---- | C] () -- C:\Windows\System32\wfpstate.xml
[2010/05/05 17:57:08 | 000,008,192 | RHS- | C] () -- C:\BOOTSECT.BAK
[2010/05/05 17:57:07 | 000,383,562 | RHS- | C] () -- C:\bootmgr
[2010/05/05 17:00:01 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/05/05 16:58:05 | 1408,045,056 | -HS- | C] () -- C:\hiberfil.sys
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/05/09 10:05:45 | 003,685,912 | ---- | M] () -- C:\atvastfilesyslog.txt
[2010/05/08 13:00:24 | 026,683,483 | ---- | M] () -- C:\avastfscan.txt6
[2010/05/08 23:22:37 | 001,491,420 | ---- | M] () -- C:\avastscn.txt
[2009/07/13 20:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2010/05/05 17:57:08 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2010/05/09 09:24:21 | 1408,045,056 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/09 09:24:22 | 1877,393,408 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/14 11:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2010/04/14 11:37:30 | 000,102,736 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswFW.sys
[2010/04/14 11:31:23 | 000,051,792 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2010/03/19 15:10:13 | 000,012,112 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswNdis.sys
[2010/04/14 11:36:53 | 000,196,048 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswNdis2.sys
[2010/04/14 11:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2010/04/14 11:37:13 | 000,297,552 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2010/04/14 11:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswSP.sys
[2010/04/14 11:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/27 02:32:05 | 000,123,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb.sys
[2010/02/27 02:32:26 | 000,221,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys
[2010/02/27 02:32:12 | 000,095,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys

< End of report >
OTL Extras logfile created on: 5/9/2010 10:03:53 AM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\MicheLLE\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.79 Gb Total Space | 220.72 Gb Free Space | 94.82% Space Free | Partition Type: NTFS
Drive D: | 100.00 Mb Total Space | 84.74 Mb Free Space | 84.74% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BLUES-PC
Current User Name: MomBug
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-780369010-2013149336-390633494-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DefaultOutboundAction" = 0
"DefaultInboundAction" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20140000-006D-0409-0000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010 (Beta)
"{20140062-0062-0409-0000-0000000FF1CE}" = Microsoft Office Home and Business 2010 (Beta) - English
"avast5" = avast! Internet Security
"CCleaner" = CCleaner
"ERUNT_is1" = ERUNT 1.1j
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4)
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010 (Beta)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/8/2010 11:17:25 AM | Computer Name = Blues-PC | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {20140062-0062-0409-0000-0000000FF1CE}):
DownloadLatest Failed: There are currently no active network connections. Background
Intelligent Transfer Service (BITS) will try again when an adapter is connected.


Error - 5/8/2010 7:59:53 PM | Computer Name = Blues-PC | Source = Microsoft-Windows-CAPI2 | ID = 4110
Description = Failed to add certificate to Third-Party Root Certification Authorities
store with error: Access is denied.

Error - 5/9/2010 6:13:24 AM | Computer Name = Blues-PC | Source = CVHSVC | ID = 100
Description = Information only. The action cannot be completed. Try the action again.
If the problem continues, contact Microsoft Product Support.

Error - 5/9/2010 6:34:17 AM | Computer Name = Blues-PC | Source = Schedule | ID = 0
Description =

Error - 5/9/2010 6:34:29 AM | Computer Name = Blues-PC | Source = Wininit | ID = 1015
Description = A critical system process, C:\Windows\system32\lsass.exe, failed with
status code 1. The machine must now be restarted.

Error - 5/9/2010 6:36:26 AM | Computer Name = Blues-PC | Source = CVHSVC | ID = 100
Description = Information only. The action cannot be completed. Try the action again.
If the problem continues, contact Microsoft Product Support.

Error - 5/9/2010 6:39:25 AM | Computer Name = Blues-PC | Source = CVHSVC | ID = 100
Description = Information only. The action cannot be completed. Try the action again.
If the problem continues, contact Microsoft Product Support.

Error - 5/9/2010 6:40:54 AM | Computer Name = Blues-PC | Source = Microsoft-Windows-CAPI2 | ID = 4110
Description = Failed to add certificate to Third-Party Root Certification Authorities
store with error: Access is denied.

Error - 5/9/2010 8:09:01 AM | Computer Name = Blues-PC | Source = CVHSVC | ID = 100
Description = Information only. The action cannot be completed. Try the action again.
If the problem continues, contact Microsoft Product Support.

Error - 5/9/2010 10:24:44 AM | Computer Name = Blues-PC | Source = CVHSVC | ID = 100
Description = Information only. The action cannot be completed. Try the action again.
If the problem continues, contact Microsoft Product Support.

[ System Events ]
Error - 5/9/2010 6:34:38 AM | Computer Name = Blues-PC | Source = Service Control Manager | ID = 7038
Description = The BFE service was unable to log on as NT AUTHORITY\LocalService
with the currently configured password due to the following error: %%1722 To ensure
that the service is configured properly, use the Services snap-in in Microsoft
Management Console (MMC).

Error - 5/9/2010 6:34:38 AM | Computer Name = Blues-PC | Source = Service Control Manager | ID = 7000
Description = The Base Filtering Engine service failed to start due to the following
error: %%1069

Error - 5/9/2010 6:34:38 AM | Computer Name = Blues-PC | Source = Service Control Manager | ID = 7001
Description = The Windows Firewall service depends on the Base Filtering Engine
service which failed to start because of the following error: %%1069

Error - 5/9/2010 6:34:38 AM | Computer Name = Blues-PC | Source = Service Control Manager | ID = 7038
Description = The DPS service was unable to log on as NT AUTHORITY\LocalService
with the currently configured password due to the following error: %%1722 To ensure
that the service is configured properly, use the Services snap-in in Microsoft
Management Console (MMC).

Error - 5/9/2010 6:34:38 AM | Computer Name = Blues-PC | Source = Service Control Manager | ID = 7000
Description = The Diagnostic Policy Service service failed to start due to the following
error: %%1069

Error - 5/9/2010 6:34:38 AM | Computer Name = Blues-PC | Source = Service Control Manager | ID = 7038
Description = The BFE service was unable to log on as NT AUTHORITY\LocalService
with the currently configured password due to the following error: %%1722 To ensure
that the service is configured properly, use the Services snap-in in Microsoft
Management Console (MMC).

Error - 5/9/2010 6:34:38 AM | Computer Name = Blues-PC | Source = Service Control Manager | ID = 7000
Description = The Base Filtering Engine service failed to start due to the following
error: %%1069

Error - 5/9/2010 6:36:07 AM | Computer Name = Blues-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:34:59 AM on ?5/?9/?2010 was unexpected.

Error - 5/9/2010 6:38:30 AM | Computer Name = Blues-PC | Source = Service Control Manager | ID = 7023
Description = The Security Center service terminated with the following error: %%1747

Error - 5/9/2010 8:23:57 AM | Computer Name = Blues-PC | Source = Service Control Manager | ID = 7034
Description = The Client Virtualization Handler service terminated unexpectedly.
It has done this 1 time(s).


< End of report >
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#3
bluemoonfla

bluemoonfla

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I have run combofix as requested. I hatrouble with disabling avast, it still had a process running that I could not end even tho I had turned it off on my desktop. oTried taskmgr, taskkill.exe, resource/performance monitor "suspend", services...and it still showed as active when I ran the combofix. In registry editor, showed no users had access to HKLM\Software\ALwil\aVAST5, and when I opened permission editor...my user names were all gone and I was left with "ANONYMOUS LOGON" "IIS_IUSRS" "RESTRICTED" and a few more generic groups/names....but no administrators, users, or my user profile names.
Log file for combofix:
ComboFix 10-05-08.02 - MomBug 05/09/2010 15:16:17.1.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1790.1315 [GMT -5:00]
Running from: c:\users\MomBug\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-09 20:36 . 2010-05-09 20:36 -------- d-----w- c:\users\MicheLLE\AppData\Local\temp
2010-05-09 20:36 . 2010-05-09 20:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-09 14:27 . 2010-05-09 14:27 -------- d-----w- c:\program files\ERUNT
2010-05-09 14:24 . 2010-05-09 14:24 -------- d-----w- c:\users\MomBug\AppData\Local\VirtualStore
2010-05-09 13:12 . 2010-05-09 13:12 -------- d-----w- c:\users\MicheLLE\AppData\Local\Thunderbird
2010-05-09 13:12 . 2010-05-09 13:12 -------- d-----w- c:\users\MicheLLE\AppData\Roaming\Thunderbird
2010-05-09 13:04 . 2010-05-09 13:04 0 ----a-w- c:\windows\nsreg.dat
2010-05-09 13:04 . 2010-05-09 13:04 -------- d-----w- c:\users\MomBug\AppData\Local\Thunderbird
2010-05-09 13:04 . 2010-05-09 13:04 -------- d-----w- c:\users\MomBug\AppData\Roaming\Thunderbird
2010-05-09 13:04 . 2010-05-09 13:04 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-09 12:41 . 2010-05-09 12:41 -------- d-----w- c:\users\MicheLLE\AppData\Local\Mozilla
2010-05-09 12:31 . 2010-05-09 12:34 -------- d-----w- c:\users\MomBug\AppData\Local\ElevatedDiagnostics
2010-05-09 10:23 . 2010-05-09 10:24 -------- d-----w- c:\programdata\VirtualizedApplications
2010-05-09 04:32 . 2010-05-09 04:32 57560 ----a-w- c:\users\MomBug\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-08 14:53 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-08 14:53 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-08 14:53 . 2010-04-14 16:37 297552 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-05-08 14:53 . 2010-04-14 16:37 102736 ----a-w- c:\windows\system32\drivers\aswFW.sys
2010-05-08 14:53 . 2010-04-14 16:36 196048 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2010-05-08 14:53 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-08 14:53 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-08 14:53 . 2010-04-14 16:31 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-08 14:52 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-08 14:52 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-08 14:52 . 2010-03-19 20:10 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2010-05-08 13:32 . 2010-05-08 13:32 57560 ----a-w- c:\users\MicheLLE\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-08 02:29 . 2010-05-09 14:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 02:18 . 2010-05-09 10:53 -------- d-----w- c:\program files\CCleaner
2010-05-07 16:07 . 2010-05-08 02:48 -------- d-----w- c:\program files\trend micro
2010-05-07 10:47 . 2010-05-08 02:13 -------- d-----w- c:\program files\Canon
2010-05-06 11:44 . 2010-05-08 11:06 -------- d-----w- c:\users\MicheLLE\AppData\Roaming\NVD
2010-05-06 11:44 . 2010-05-06 11:44 -------- d-----w- c:\users\MicheLLE\AppData\Local\NVD
2010-05-06 11:43 . 2010-05-06 11:43 -------- d-----w- c:\users\MicheLLE\AppData\Local\SoftGrid Client
2010-05-06 11:43 . 2010-05-09 12:23 -------- d-----w- c:\users\MicheLLE\AppData\Roaming\SoftGrid Client
2010-05-06 11:41 . 2010-05-06 11:41 -------- d-----w- c:\windows\PCHEALTH
2010-05-06 11:41 . 2010-05-08 11:34 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2010-05-06 11:40 . 2010-05-06 11:43 -------- d-----w- c:\users\MicheLLE\AppData\Roaming\TP
2010-05-06 11:27 . 2010-05-08 11:36 -------- d-----w- c:\windows\system32\Macromed
2010-05-05 22:57 . 2010-05-09 10:13 -------- d-----w- c:\windows\Panther
2010-05-05 22:57 . 2010-05-05 22:57 -------- d-----w- C:\Boot
2010-05-05 22:00 . 2010-05-05 22:00 0 ----a-w- c:\windows\ativpsrm.bin
2010-05-05 21:28 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-05-05 21:28 . 2010-05-08 11:36 -------- d-----w- c:\windows\system32\Wat
2010-05-05 21:17 . 2010-05-09 12:31 -------- d-----w- c:\users\MicheLLE\AppData\Local\Diagnostics
2010-05-05 19:07 . 2010-05-08 14:52 -------- d-sh--w- c:\windows\Installer
2010-05-05 19:07 . 2010-05-08 06:21 -------- d-----w- c:\programdata\Alwil Software
2010-05-05 19:07 . 2010-05-05 19:07 -------- d-----w- c:\program files\Alwil Software
2010-05-05 18:21 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-05 18:18 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-05-05 18:18 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-05 18:18 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-05-05 18:18 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-05-05 18:18 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-05-05 18:16 . 2010-02-24 15:16 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-05 18:12 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-05 18:12 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-05-05 18:12 . 2010-05-09 20:09 -------- d-----w- c:\windows\system32\wbem\Performance
2010-05-05 18:10 . 2010-05-05 18:10 -------- d-----w- C:\Recovery

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 15:38 . 2010-05-09 15:38 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-05-09 14:29 . 2010-05-09 14:29 -------- d-----w- c:\users\MomBug\AppData\Roaming\Malwarebytes
2010-05-09 14:29 . 2010-05-09 14:29 -------- d-----w- c:\programdata\Malwarebytes
2010-05-09 10:12 . 2009-07-14 04:52 -------- d-----w- c:\program files\DVD Maker
2010-05-08 11:40 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Defender
2010-05-08 11:40 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-08 11:40 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Portable Devices
2010-05-08 11:40 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Photo Viewer
2010-05-08 11:34 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2010-04-29 20:39 . 2010-05-09 14:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2010-05-09 14:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 12:07 . 2010-05-05 18:17 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-27 12:07 . 2010-05-05 18:17 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-27 07:32 . 2010-05-05 18:17 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-27 07:32 . 2010-05-05 18:17 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-27 07:32 . 2010-05-05 18:17 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-04-14 16:33 140288 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [2010-04-14 119200]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2009-09-26 4639136]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1343400]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2010-03-19 12112]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2009-09-26 819600]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2009-09-23 447832]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-03-02 139776]
S3 sftfs;sftfs;c:\program files\Microsoft Application Virtualization Client\drivers\sftfslh.sys [2009-09-23 543064]
S3 sftplay;sftplay;c:\program files\Microsoft Application Virtualization Client\drivers\sftplaylh.sys [2009-09-23 190312]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-09-23 21848]
S3 sftvol;sftvol;c:\program files\Microsoft Application Virtualization Client\drivers\sftvollh.sys [2009-09-23 14680]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2009-09-23 203608]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\users\MomBug\AppData\Roaming\Mozilla\Firefox\Profiles\7zhfyw0z.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-05-09 15:40:14
ComboFix-quarantined-files.txt 2010-05-09 20:40

Pre-Run: 236,394,520,576 bytes free
Post-Run: 236,411,117,568 bytes free

- - End Of File - - 2DC95F4C6A0EF0676DF8090F4EA0EAC1

This is a great way to spend Mothers Day! I wanted to go fishing with my kids!!
  • 0

#4
bluemoonfla

bluemoonfla

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Since I'm here at the PC and not fishing, I'll pass on some more info about my situation.
For one thing, I am an excellent typist, but for some reason, each time I type the letter t my cursor jumps back and inserts letters in previous words...must be another curse by "Toshiba"I had a perfectly working 6 month old Vista Home Prem Toshiba L305D-7901 last August, until my hd starting making racket, and I went to my "friends" at Toshiba for support...and thanks to their "HDD patch" and a suggested bios flash my nice pc became a black plastic doorstop. Immediately afterwards, my Sony Vaio XP desktop (10 yrs old...great for the small kids to screw up) got realtek drivers, my teenagers Sony Vaio laptop did the same, and next thing I know everything in the house is a media sharing monster. We never used media sharing among our pc's...so I got suspicious that all of a sudden everything had the same hardware/driver config. Only one that seemed unaffected was oldest son's custom gaming pc running XP 64bit...weird...but then we had trouble with obtaining drivers for it ourselves. We began accusing each other of booting the other offline...constant "ip address conflict" messages....only one could get on the net at a time....strange things after using the same linksys router and setup for 3 years straight. Next thing I notice is digital TV boxes become posessed and wont power off, weird transmission messages on them at 2:00 am, digital phone svc from same provider seems to redirect phone calls, constant calls from unknown or strange toll free #'s, cell phones can't get signal,or put themselves on "airplane mode" constantly, and then start sending text msgs to people at exact time phone call is placed to them....
This goes on from Sept 09 to Feb 10...and I am losing my mind trying to figure it out. But I am the only one who sees something weird going on...(family ready to commit me to psycho ward)
With tax season approaching, I decide to purchase new laptop to do my business...after 4 attempts at local best buy (2 acers, 2 toshibas) and all seem to be afflicted even before I get on internet, insert any disk/flash drive etc of programs or files used on prev machines. 4th attempt, pay Best Buy extra $260 for Geek Squad Black Tie Setup/AntiVirus/Security etc. explaining my needs for no remote access, no autoconfig wireless, no incoming connections for sharing, no games, no fun stuff...I need to WORK!! pick it up at store 45 miles from home (they say its something in my house/neighborhood), stop by the Dairy Queen 2 miles from them, and power on.....guess what! Detects and connects to Dairy Queen Lobby wifi, "other network" and one other wireless network...
Back to Best Buy, mad as all get out...and find that Media Player/Center sharing is still on, Windows Live Msging ON, One Note ON, Games ON, all set to allow all incoming in firewall.....
needless to say I got every dime back including all paid for GEEK services. This toshiba from WalMart, turned on on military reservation land where you can't pick up anything...all signals jammed.
Checked it out, set everything I could find to be secure, tried to remove Norton 30 day trial, install kaspersky....ended up coming home with it and watching process of "toshiba value added package" and "toshiba quality package" begin to work their evil....have read the scripts...seen the files, and made them squirm about the "TV Tuner Set Top Box" infrared, corrupt services, corrupt ACE's, corrupt drivers
and told them..Hey you can remote access me to watch my Cable TV, you can remote access me to fix this PC! Watched it for 2 weeks transform itself, multiple reinstalls of OS, same windows updates over and over, repeated calls....
couldnt even do my College son's Financial Aid because fafsa.gov site says "your browser is not compatible" That was it....most IRS and other govt forms I user are pdf....and I can't get clean Adobe anything....
Sooo, just a warning, all these "exploits" Microsoft is addressing with their recent security updates, and everything you hear about Adobe, Google, Ie8 etc is being perpetrated by your "TrustedInstaller.exe" pc mfgs in China and Taiwan....
I told toshiba elevated Tech Engineer....I pay my cable/internet/phone bill and I bought this PC - I'm not sharing with you or anyone else. BUY YOUR OWN!!!
Today I get an email from Toshiba with a "registry patch" notice for my dead L305....I'm scared to even think what it might be!
Happy Happy Mom's Day! This 50 yr old single mom of four :) is going back to college to get certified in IT security....seems there will be big money in it soon!
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#6
bluemoonfla

bluemoonfla

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hello Rorschach,
not sure what to do about result of Kaspersky Online Scanner attempt
see screen shot about Java error and Cert notification attached
Again, taskmgr shows activity with Avast even though my UI says all 10 features are disabled, so I wrote down a few details while I was attempting Kaspersky:

Process: AvastSvc.exe
PID: 1168
Session ID: 0
CPU: 00
User Name: SYSTEM
Description: Avast!Service
memory working set: 3016k
peak working set: 54388k
Handles: 1033
Threads: 53
IO Reads: 19355
Image Path: C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
Command Line: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"

Would that be affecting any of these cleaning attempts? I know most of these tools say to disable the AV i am using, but I can't since it seems to be running in protected memory space

Mbam ran clean as always
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4082

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/10/2010 7:57:37 AM
mbam-log-2010-05-10 (07-57-37).txt

Scan type: Quick scan
Objects scanned: 120339
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

awaiting your assistance
bluemoonfla

Attached Thumbnails

  • ksyolserr.jpg

  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
update your anti-virus program avast, run a full scan, post that log
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP