
I can't remove Antimalware Doctor [Solved]


  • This topic is locked

#16
ohserio

    Member

  • Topic Starter
  • Member
  • 18 posts
MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4266

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/1/2010 5:54:20 PM
mbam-log-2010-07-01 (17-54-20).txt

Scan type: Quick scan
Objects scanned: 133288
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\QNB2EB90WX (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RZDVL2F27W (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0118775b-633b-4b4a-a777-8223d5872c62}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.63,93.188.161.203 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7ecda78c-a6b5-4284-8302-aad506b92c34}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.63,93.188.161.203 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\$NtUninstallWTF1012$ (Adware.EZLife) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\$NtUninstallWTF1012$\elUninstall.exe (Adware.EZLife) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
  • 0
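The MBAM log above is what a helper reads by hand to pick out the items that matter most after the cleanup: the two rogue resolvers written into the TCP/IP interface NameServer values (Trojan.DNSChanger), the Explorer and registry-tools policy hijacks, and anything still marked "Delete on reboot". As an added example that is not part of this thread and not Malwarebytes' own code, here is a small Python parser for that log layout with a triage pass over the parsed entries. The sample log inside it is constructed from a few lines of the log above; the per-line layout it assumes (item, family in parentheses, "->"-separated fields ending in the action) is inferred from that log, not from any published format description.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.46 log, trimmed to a
# handful of the entries from the log posted above (same fields, same "->" separators).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4266

Registry Keys Infected: 2
Registry Values Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0118775b-633b-4b4a-a777-8223d5872c62}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.63,93.188.161.203 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
"""

# One detection line: item, then the family in parentheses, then "->"-separated fields
# ending in the action taken. Inferred from the log layout above (an assumption).
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9_.]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action and any Data: field."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers end in " Infected:"; the summary lines ("...Infected: 7") do not.
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if section is None or m is None:
            continue
        fields = m.group("rest").split(" -> ")
        data = next((f[len("Data: "):] for f in fields[:-1] if f.startswith("Data: ")), None)
        entries.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "action": fields[-1].rstrip("."),
            "data": data,
        })
    return entries


def summarize(entries):
    """Count detections per log section."""
    return Counter(e["section"] for e in entries)


def triage(entries):
    """Flag the entries a responder follows up on even after MBAM reports them cleaned."""
    findings = []
    for e in entries:
        fam = e["family"]
        if fam == "Trojan.DNSChanger" and e["data"]:
            # Rogue resolvers written into the interface NameServer value: worth confirming
            # that the live DNS settings no longer point there after the reboot.
            findings.extend(("rogue_dns", ip.strip()) for ip in e["data"].split(","))
        elif fam.startswith("Hijack."):
            # Policy values that hide Folder Options or disable regedit.
            findings.append(("policy_tamper", e["item"].rsplit("\\", 1)[-1]))
        elif fam.startswith("Rogue."):
            findings.append(("rogue_av", fam))
        if e["action"] == "Delete on reboot":
            # Not gone yet: re-check after the reboot MBAM asked for.
            findings.append(("pending_reboot", e["item"]))
    return findings


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for name, count in summarize(parsed).items():
        print(f"{name}: {count}")
    for kind, detail in triage(parsed):
        print(f"{kind:15} {detail}")
```

The triage deliberately keeps the DNSChanger addresses and the policy value names as separate findings rather than collapsing them into a count: those are the two things a helper verifies on the machine itself (current resolver settings, Folder Options and regedit working) once the scan says "deleted".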



#17
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Please try and run ComboFix using this method below:

Close all windows and try typing this command directly in and see if ComboFix runs.

Remember to use the " marks and there is a space between exe" and /killall

Start > Run > type "%userprofile%\desktop\combofix.exe" /killall

If ComboFix runs, please post the log.

----------------------------------------------------------------------------------------------------------

If ComboFix should not run then please proceed with running the following instructions:

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable your on-board anti-virus and anti-spyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Edited by SweetTech, 01 July 2010 - 07:01 PM.

  • 0

#18
ohserio

    Member

  • Topic Starter
  • Member
  • 18 posts
Hey SweetTech, do you know how to temporarily disable Malwarebytes? I don't want to uninstall it again. I don't have the registered version so I can't find the disable button. :)
  • 0

#19
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
You shouldn't need to disable MBAM. If you don't have the full version of it you should just be able to close out of it.
  • 0

#20
ohserio

    Member

  • Topic Starter
  • Member
  • 18 posts
Combofix didn't work. :)

ESET Scan:

C:\Documents and Settings\user\Desktop\ComboFix.exe a variant of Win32/Kryptik.YI trojan
C:\Documents and Settings\user\Desktop\tghixdie.exe a variant of Win32/Kryptik.YI trojan
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\All Users\Application Data\N1\N1.cab a variant of Win32/Kryptik.LF trojan
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-3927db7b multiple threats
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\38\7a1f7ba6-443e4a69 multiple threats
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\50\28841372-6a121f25 OSX/Exploit.Smid.B trojan
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\59\49784c7b-6f5a04c2 multiple threats
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\8\4c324188-73cb3b97 a variant of Java/Exploit.Agent.NAC trojan
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache1381299023222515781.tmp a variant of Java/TrojanDownloader.Agent.NAN trojan
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache1783048471217430908.tmp a variant of OSX/Exploit.Smid.B trojan
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache2039173355639884936.tmp a variant of Java/TrojanDownloader.Agent.NAN trojan
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache5019832304850413377.tmp a variant of Java/TrojanDownloader.Agent.NAN trojan
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Application Data\2d51d823.exe a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Application Data\FB8A85D1430B61387E4ACB006F2BBDB5\070700Setup.exe Win32/Adware.AntimalwareDoctor application
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Application Data\7306416.exe Win32/Adware.SpywareProtect2009 application
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Application Data\7306417.exe Win32/Cimag.CQ trojan
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Temp\kgxn2.exe a variant of Win32/Kryptik.FDD trojan
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Temp\Llr.exe a variant of Win32/Kryptik.FEP trojan
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Temp\mdm.exe a variant of Win32/Kryptik.FDD trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\crvi32.dll a variant of Win32/Cimag.CV trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\ihosepefoqesoda.dll a variant of Win32/Cimag.CK trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\Ldurua.exe Win32/TrojanDownloader.FakeAlert.AQI trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\ckftt.dll a variant of Win32/Adware.Lifze.M application
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\ernel32.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\gkftt.dll Win32/Adware.Lifze.M application
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\tkftt.exe Win32/Adware.Lifze.M application
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\31e9aAA9.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\31uOC17u.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\3e79k179.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\55q5w.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\A317s31s9.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\eIQ317.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\w1uOCEIQ.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_172631\C_WINDOWS\system32\spool\prtprocs\w32x86\317iQ17c.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_172631\C_WINDOWS\system32\spool\prtprocs\w32x86\5cEIQ.dll a variant of Win32/Kryptik.FGR trojan
C:\_OTL\MovedFiles\07012010_172631\C_WINDOWS\system32\spool\prtprocs\w32x86\sK55g.dll a variant of Win32/Kryptik.FGR trojan
  • 0

#21
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

How are things running??

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"

    :Services
    :OTL
    
    :Reg
    
    :Files
    C:\Documents and Settings\user\Desktop\ComboFix.exe
    C:\Documents and Settings\user\Desktop\tghixdie.exe
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\All Users\Application Data\N1\N1.cab
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-3927db7b
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\38\7a1f7ba6-443e4a69
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\50\28841372-6a121f25
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\59\49784c7b-6f5a04c2
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\8\4c324188-73cb3b97
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache1381299023222515781.tmp
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache1783048471217430908.tmp
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache2039173355639884936.tmp
    C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache5019832304850413377.tmp
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

  • 0
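SweetTech's :Files list above is the ESET detection list from the previous post with everything under C:\_OTL\MovedFiles left out: those files are already in OTL's quarantine folder, so only the paths still live on disk need moving. As an added example (not from the thread, and not OTL's or ESET's own code), the following Python script automates that selection. It parses lines in the ESET report layout, separates paths already under the quarantine folder from live ones, and emits an OTL fix script in the :Services / :OTL / :Reg / :Files / :Commands form used in the post above. The sample report is constructed from a few lines of the ESET output earlier in the thread, and the regular expression for the "path, then verdict" line layout is an assumption drawn from those lines.

```python
import re

# Constructed sample in the layout of the ESET Online Scanner text report posted earlier in
# this thread: full path, a space, then the verdict. Two entries sit under OTL's quarantine
# folder, the kind of line that was left out of the :Files section above.
SAMPLE_ESET = r"""C:\Documents and Settings\user\Desktop\tghixdie.exe a variant of Win32/Kryptik.YI trojan
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\All Users\Application Data\N1\N1.cab a variant of Win32/Kryptik.LF trojan
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-3927db7b multiple threats
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache1381299023222515781.tmp a variant of Java/TrojanDownloader.Agent.NAN trojan
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Application Data\FB8A85D1430B61387E4ACB006F2BBDB5\070700Setup.exe Win32/Adware.AntimalwareDoctor application
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\crvi32.dll a variant of Win32/Cimag.CV trojan
"""

# One report line: a drive-rooted path (which may contain spaces), then the verdict. The
# verdict shapes below are the ones seen in the thread's report; this is an assumption
# about the layout, not a published ESET grammar.
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<verdict>(?:probably a variant of |a variant of )?"
    r"(?:[A-Za-z0-9]+/[\w.]+ \w+|multiple threats))$"
)

# OTL's quarantine folder as it appears in the report and in the OTL log above; compared
# case-insensitively because NTFS paths are.
QUARANTINE_PREFIX = "c:\\_otl\\movedfiles\\"


def parse_eset_report(text):
    """Return [(path, verdict), ...] for every line that matches the report layout."""
    hits = []
    for line in text.splitlines():
        m = ESET_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("verdict")))
    return hits


def select_live_paths(hits, quarantine_prefix=QUARANTINE_PREFIX):
    """Split detections into paths still live on disk and paths OTL has already moved."""
    live, quarantined = [], []
    for path, _verdict in hits:
        if path.lower().startswith(quarantine_prefix):
            quarantined.append(path)
        else:
            live.append(path)
    return live, quarantined


# The :Commands block used in the fix above.
DEFAULT_COMMANDS = ("[purity]", "[emptytemp]", "[EMPTYFLASH]", "[start explorer]", "[Reboot]")


def build_otl_fix(live_paths, commands=DEFAULT_COMMANDS):
    """Emit an OTL fix script in the section layout used in the post above."""
    lines = [":Services", ":OTL", "", ":Reg", "", ":Files"]
    lines.extend(live_paths)
    lines.append(":Commands")
    lines.extend(commands)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    detections = parse_eset_report(SAMPLE_ESET)
    live_paths, moved = select_live_paths(detections)
    print(f"{len(detections)} detections: {len(live_paths)} live, {len(moved)} already in OTL quarantine")
    print(build_otl_fix(live_paths))
```

The output is meant to be read before it is pasted into OTL, the same way a helper reads the ESET list before building the fix by hand: the script reproduces the selection rule, not the judgement about whether a path under a user's backup folder should go.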

#22
ohserio

    Member

  • Topic Starter
  • Member
  • 18 posts
The virus stopped giving me popups! :) Another problem I had was that when I try to search up something on google it would take me to a different site, but it looks like it stopped. Whatever you're telling me to do it's working. :)

OTL Fix Scan:

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\user\Desktop\ComboFix.exe moved successfully.
C:\Documents and Settings\user\Desktop\tghixdie.exe moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\All Users\Application Data\N1\N1.cab moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-3927db7b moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\38\7a1f7ba6-443e4a69 moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\50\28841372-6a121f25 moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\59\49784c7b-6f5a04c2 moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\8\4c324188-73cb3b97 moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache1381299023222515781.tmp moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache1783048471217430908.tmp moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache2039173355639884936.tmp moved successfully.
C:\Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache5019832304850413377.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: user
->Temp folder emptied: 3395 bytes
->Temporary Internet Files folder emptied: 103868428 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1904 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 790 bytes

Total Files Cleaned = 99.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: user
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.7.0 log created on 07012010_193015

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#23
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Things aren't working out the way I was hoping with ComboFix, so it looks like we are going to have to do things a little differently than normal.

Let's do a new scan with OTL as well as GMER.

OTL Custom Scan
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Extra Registry select Use Safe List
  • Under Custom Scan paste this in


    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • You may need two posts to fit them both in.


NEXT:



Scanning with GMER

Please Note: If you already have GMER downloaded, then you can skip the instructions for downloading it again. :)

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that is produced after running the OTL Custom Scan. (OTL.txt & Extras.txt)
3. The log that is produced after running the new GMER scan.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
  • 0

#24
ohserio

    Member

  • Topic Starter
  • Member
  • 18 posts
1. Aww, I thought it was done already :)

2. OTL Scan:

OTL logfile created on: 7/1/2010 7:53:45 PM - Run 3
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 710.00 Mb Available Physical Memory | 70.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 92.96 Gb Total Space | 73.29 Gb Free Space | 78.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-USER
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\user\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
PRC - c:\Toshiba\IVP\swupdate\swupdtmr.exe ()
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
PRC - C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\user\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)


========== Win32 Services (SafeList) ==========

SRV - (TAPPSRV) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
SRV - (Swupdtmr) -- c:\Toshiba\IVP\swupdate\swupdtmr.exe ()
SRV - (CFSvcs) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)
SRV - (S24EventMonitor) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (EvtEng) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (RegSrvc) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (DVD-RAM_Service) -- C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe (America Online, Inc.)
SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (ASCTRM) -- C:\WINDOWS\system32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
DRV - (Tosrfbd) -- C:\WINDOWS\system32\drivers\TosRfbd.sys (TOSHIBA CORPORATION)
DRV - (Tosrfhid) -- C:\WINDOWS\system32\drivers\TosRfhid.sys (TOSHIBA Corporation.)
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (meiudf) -- C:\WINDOWS\system32\drivers\meiudf.sys (Matsushita Electric Industrial Co.,Ltd.)
DRV - (tfsnudfa) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (tfsnudf) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnifs) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsncofs) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsnboio) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsnopio) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsndrct) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)
DRV - (tosrfec) -- C:\WINDOWS\system32\drivers\Tosrfec.sys (TOSHIBA Corporation)
DRV - (Tosrfbnp) -- C:\WINDOWS\system32\drivers\tosrfbnp.sys (TOSHIBA Corporation)
DRV - (sscdbhk5) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)
DRV - (Tvs) -- C:\WINDOWS\system32\drivers\Tvs.sys (TOSHIBA Corporation)
DRV - (drvmcdb) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (drvnddm) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (tosporte) -- C:\WINDOWS\system32\drivers\Tosporte.sys (TOSHIBA Corporation)
DRV - (TVALD) -- C:\WINDOWS\system32\drivers\NBSMI.sys (Toshiba Corporation)
DRV - (KR10N) -- C:\WINDOWS\system32\drivers\KR10N.sys (TOSHIBA CORPORATION)
DRV - (tosrfnds) -- C:\WINDOWS\system32\drivers\tosrfnds.sys (TOSHIBA Corporation.)
DRV - (Tosrfusb) -- C:\WINDOWS\system32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (TosRfSnd) Bluetooth Audio Device (WDM) -- C:\WINDOWS\system32\drivers\TosRfSnd.sys (TOSHIBA Corporation)
DRV - (w29n51) Intel® -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (Tosrfcom) -- C:\WINDOWS\system32\drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (IWCA) -- C:\WINDOWS\system32\drivers\iwca.sys (Intel Corporation)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMSC)
DRV - (Pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (Iviaspi) -- C:\WINDOWS\system32\drivers\iviaspi.sys (InterVideo, Inc.)
DRV - (TBiosDrv) -- C:\WINDOWS\system32\drivers\tbiosdrv.sys ()
DRV - (Netdevio) -- C:\WINDOWS\system32\drivers\Netdevio.sys (TOSHIBA Corporation.)
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (toshidpt) -- C:\WINDOWS\system32\drivers\Toshidpt.sys (TOSHIBA Corporation.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{F4B08CE9-ACDC-494B-B343-DD1616D6DC36}: C:\Documents and Settings\user\Local Settings\Application Data\{F4B08CE9-ACDC-494B-B343-DD1616D6DC36} [2010/06/19 19:21:19 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1268548947030 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} https://www.battlefi...er_4.0.53.0.cab (Battlefield Heroes Updater)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/07/28 13:12:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/07/28 13:11:26 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/07/01 18:17:54 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/07/01 17:48:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/01 17:48:24 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/01 17:45:02 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\mbam-setup-1.46.exe
[2010/07/01 16:13:45 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/01 15:44:30 | 001,013,584 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\user\Desktop\tdsskiller.exe
[2010/06/30 19:24:50 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/06/29 20:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2010/06/29 20:02:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/29 20:02:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/29 19:26:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/29 19:26:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/29 19:12:56 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2010/06/26 17:42:16 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/06/24 14:43:06 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/06/24 14:43:06 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/06/23 23:39:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Tracing
[2010/06/23 23:38:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/06/23 23:34:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2010/06/19 19:21:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\{F4B08CE9-ACDC-494B-B343-DD1616D6DC36}
[2010/06/10 17:43:12 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/06 14:02:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/06/06 13:02:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/06/06 12:59:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Google
[2010/06/06 12:57:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Temp
[2010/06/06 12:57:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/06/04 08:32:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\gegl-0.0
[2010/06/02 22:39:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\Battlefield Heroes
[2005/07/28 13:39:18 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll

========== Files - Modified Within 30 Days ==========

[2010/07/01 19:31:21 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/01 19:31:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/01 19:31:18 | 1064,812,544 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/01 19:30:35 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\user\NTUSER.DAT
[2010/07/01 19:30:35 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\user\ntuser.ini
[2010/07/01 17:54:40 | 004,317,060 | -H-- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2010/07/01 17:48:27 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/01 17:45:02 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\mbam-setup-1.46.exe
[2010/07/01 17:28:10 | 000,010,848 | ---- | M] () -- C:\Documents and Settings\user\My Documents\otl fix scan 2.docx
[2010/07/01 17:11:43 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1CCF0082-0FA7-4618-BF3D-2441D03856B1}.job
[2010/07/01 17:08:09 | 000,011,878 | ---- | M] () -- C:\Documents and Settings\user\My Documents\otl fix scan.docx
[2010/07/01 17:07:31 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Word.lnk
[2010/07/01 15:50:41 | 000,528,020 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/01 15:50:41 | 000,445,938 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/01 15:50:41 | 000,072,978 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/01 15:44:30 | 001,013,584 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\user\Desktop\tdsskiller.exe
[2010/07/01 02:21:37 | 000,029,895 | ---- | M] () -- C:\Documents and Settings\user\My Documents\antimalware reply.docx
[2010/06/30 19:24:53 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/06/26 17:41:16 | 000,073,224 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/06/25 21:20:05 | 000,280,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/25 18:26:56 | 000,000,681 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/18 21:41:52 | 000,039,819 | ---- | M] () -- C:\Documents and Settings\user\.recently-used.xbel
[2010/06/11 00:55:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/11 00:43:38 | 000,000,118 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/06/10 13:35:50 | 000,138,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2010/06/10 13:35:22 | 000,215,016 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
[2010/06/08 01:53:19 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/02 22:01:38 | 000,138,056 | ---- | M] () -- C:\Documents and Settings\user\Application Data\PnkBstrK.sys
[2010/06/02 22:01:15 | 002,427,248 | ---- | M] () -- C:\WINDOWS\System32\pbsvc_heroes.exe
[2010/06/02 18:25:10 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/06/02 18:25:10 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for

========== Files Created - No Company Name ==========

[2010/07/01 17:48:27 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/01 17:34:26 | 1064,812,544 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/01 17:28:09 | 000,010,848 | ---- | C] () -- C:\Documents and Settings\user\My Documents\otl fix scan 2.docx
[2010/07/01 17:08:08 | 000,011,878 | ---- | C] () -- C:\Documents and Settings\user\My Documents\otl fix scan.docx
[2010/07/01 02:21:37 | 000,029,895 | ---- | C] () -- C:\Documents and Settings\user\My Documents\antimalware reply.docx
[2010/06/18 21:41:52 | 000,039,819 | ---- | C] () -- C:\Documents and Settings\user\.recently-used.xbel
[2010/06/11 00:43:38 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/06/02 18:25:10 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/06/02 18:25:10 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/05/31 12:18:45 | 000,138,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2010/05/18 20:34:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2010/05/01 19:16:40 | 000,005,632 | R--- | C] () -- C:\WINDOWS\System32\CNMVSya.DLL
[2010/05/01 19:16:18 | 000,000,356 | R--- | C] () -- C:\WINDOWS\System32\CNCASv50.ini
[2010/05/01 19:15:58 | 000,000,462 | R--- | C] () -- C:\WINDOWS\System32\CNCMP50.INI
[2010/04/26 19:34:14 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/04/26 19:34:14 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/04/26 19:34:12 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/04/26 19:34:12 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/04/26 19:34:10 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/04/26 19:34:10 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2010/04/26 18:38:04 | 000,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/13 22:58:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/08 11:53:05 | 000,034,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\WOWXT_kern_i386.sys
[2005/08/08 11:53:05 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2005/08/08 11:47:49 | 000,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2005/07/28 14:17:57 | 000,000,228 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/28 14:16:21 | 000,000,172 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2005/07/28 14:15:03 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/07/28 14:15:03 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/07/28 14:15:03 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/07/28 14:15:03 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/07/28 14:15:03 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/07/28 14:15:03 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/07/28 14:13:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2005/07/28 14:12:59 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\MousePage.dll
[2005/07/28 13:55:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2005/07/28 13:44:46 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2005/07/28 13:44:46 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2005/07/28 13:44:46 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2005/07/28 13:44:46 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2005/07/28 13:40:24 | 000,006,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/07/28 13:39:18 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2005/07/28 13:19:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/07/28 13:08:47 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/07/28 11:50:53 | 000,000,341 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/06/30 13:15:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/12/02 15:20:12 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2004/09/22 10:09:06 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/08/12 09:44:10 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\iwca.dll
[2004/07/20 17:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/07/29 15:33:26 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\TosHidAPI.dll

========== LOP Check ==========

[2010/05/22 14:27:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2005/07/28 14:21:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/03/15 15:01:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
[2010/05/01 19:28:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Canon
[2010/06/25 23:24:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\gtk-2.0
[2005/07/28 14:14:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\InterTrust
[2010/03/21 13:44:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\toshiba
[2010/07/01 17:11:43 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{1CCF0082-0FA7-4618-BF3D-2441D03856B1}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2005/07/28 13:12:01 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/03/14 01:16:33 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2005/07/28 13:12:01 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/07/01 19:31:18 | 1064,812,544 | -HS- | M] () -- C:\hiberfil.sys
[2005/07/28 13:12:01 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2005/07/28 14:22:00 | 000,000,895 | -H-- | M] () -- C:\IPH.PH
[2005/07/28 13:12:01 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/03/14 01:04:23 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/01 19:31:17 | 792,723,456 | -HS- | M] () -- C:\pagefile.sys
[2010/06/30 16:37:47 | 000,000,587 | ---- | M] () -- C:\rkill.log
[2010/03/13 23:38:13 | 000,000,516 | ---- | M] () -- C:\Settings.ini
[2010/07/01 15:44:50 | 000,040,658 | ---- | M] () -- C:\TDSSKiller.2.3.2.2_01.07.2010_15.44.40_log.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2002/09/29 13:00:00 | 000,013,824 | R--- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPDya.DLL
[2002/09/29 13:00:00 | 000,046,080 | R--- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPPya.DLL
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 19:58:12 | 000,030,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/07/28 06:03:13 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/07/28 06:03:13 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/07/28 06:03:13 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/13 17:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/13 17:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

< %systemroot%\system32\ws2help.dll /md5 >
[2008/04/13 17:12:10 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9789E95E1D88EEB4B922BF3EA7779C28 -- C:\WINDOWS\system32\ws2help.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-06-27 04:58:05
< End of report >



Extras:

OTL Extras logfile created on: 7/1/2010 7:53:45 PM - Run 3
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 710.00 Mb Available Physical Memory | 70.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 92.96 Gb Total Space | 73.29 Gb Free Space | 78.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-USER
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\IVP\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine -- (Yahoo!)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{4669544E-20E4-4E56-8B44-2E6E1200051F}" = Canon MP Toolbox 4.1
"{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}" = TOSHIBA SD Memory Card Format
"{58F8C6D9-5B55-486A-A322-4E8D87670031}" = Canon MP Drivers
"{5D96E2B1-D9AC-46E0-9073-425C5F63E338}" = Touch and Launch
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility
"{64DD71BC-3109-4C88-9AD3-D5422644B722}" = TOSHIBA Hotkey Utility
"{69BE47C2-36FE-4397-8199-85D8EAE69982}" = TOSHIBA TouchPad ON/Off Utility
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}" = TOSHIBA Utilities
"{7ED0C3C2-6A3B-4FD1-97C8-20613D7D9ACF}" = TIxx21/x515
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8B12BA86-ADAC-4BA6-B441-FFC591087252}" = TOSHIBA Virtual Sound
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{97D8751D-18A4-482B-9E9C-31DAD9BEC1EC}" = MyConnect Special Offer
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{BA561482-C49D-4687-A61C-96236C1688F0}" = ArcSoft Software Suite
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C45F4811-31D5-4786-801D-F79CD06EDD85}" = SD Secure Module
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{DB0BB9FA-1B60-4036-8E29-3D56D8085256}" = WOT for Internet Explorer
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}" = SMSC IrCC V5.1.3600.5 SP2
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F6C405D2-C50D-4D10-B89E-73A233A14D74}" = Toshiba Registration
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"America Online us" = America Online (Choose which version to remove)
"Antispyware Soft Pro" = Antispyware Soft Pro
"AOL Connectivity Services" = AOL Connectivity Services
"AOL Spyware Protection" = AOL Spyware Protection
"AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
"AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
"AT&T Connection Services Software" = AT&T Connection Services Manager
"ESET Online Scanner" = ESET Online Scanner v3
"ie8" = Windows Internet Explorer 8
"InstallShield_{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"InstallShield_{7ED0C3C2-6A3B-4FD1-97C8-20613D7D9ACF}" = Texas Instruments PCIxx21/x515 drivers.
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.9.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaInfo" = MediaInfo 0.7.31
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Notebook_Maximizer" = Notebook Maximizer
"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool
"Port Magic" = Pure Networks Port Magic
"Power Saver" = TOSHIBA Power Saver
"ProInst" = Intel® PROSet/Wireless Software
"PROPLUS" = Microsoft Office Professional Plus 2007
"PunkBusterSvc" = PunkBuster Services
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Toshiba Q4 Retail Demo.scr" = Toshiba Q4 Retail Demo ScreenSaver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Toshiba Tbiosdrv Driver" = Toshiba Tbiosdrv Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8
"WMFDist11" = Windows Media Format 11 runtime
"Yahoo! Music Engine" = Yahoo! Music Engine

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{373B1718-8CC5-4567-8EE2-9033AD08A680}" = Roblox for user
"{6B34251B-AB68-4b47-AA5E-09B50EFE41A0}" = Battlefield Heroes (PTE) (user)
"{8DC910CD-8EE3-4ffc-A4EB-9B02701059C4}" = Battlefield Heroes (user)
"UnityWebPlayer" = Unity Web Player
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.6.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/1/2010 7:28:06 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application combofix.exe, version 0.0.0.0, faulting module
combofix.exe, version 0.0.0.0, fault address 0x00025a9b.

Error - 7/1/2010 7:48:52 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application tghixdie.exe, version 0.0.0.0, faulting module
tghixdie.exe, version 0.0.0.0, fault address 0x00025b19.

Error - 7/1/2010 7:50:23 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application tghixdie.exe, version 0.0.0.0, faulting module
tghixdie.exe, version 0.0.0.0, fault address 0x00025a9b.

Error - 7/1/2010 7:52:54 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application tghixdie.exe, version 0.0.0.0, faulting module
tghixdie.exe, version 0.0.0.0, fault address 0x00025a9b.

Error - 7/1/2010 7:56:28 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application tghixdie.exe, version 0.0.0.0, faulting module
tghixdie.exe, version 0.0.0.0, fault address 0x00025a9b.

Error - 7/1/2010 8:28:14 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application tghixdie.exe, version 0.0.0.0, faulting module
tghixdie.exe, version 0.0.0.0, fault address 0x00025a9b.

Error - 7/1/2010 8:28:17 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application combofix.exe, version 0.0.0.0, faulting module
combofix.exe, version 0.0.0.0, fault address 0x00025a9b.

Error - 7/1/2010 8:33:16 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application tghixdie.exe, version 0.0.0.0, faulting module
tghixdie.exe, version 0.0.0.0, fault address 0x00025a7a.

Error - 7/1/2010 8:33:23 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application combofix.exe, version 0.0.0.0, faulting module
combofix.exe, version 0.0.0.0, fault address 0x00025a9b.

Error - 7/1/2010 9:02:57 PM | Computer Name = TOSHIBA-USER | Source = Application Error | ID = 1000
Description = Faulting application combofix.exe, version 0.0.0.0, faulting module
combofix.exe, version 0.0.0.0, fault address 0x00025a9b.

[ System Events ]
Error - 7/1/2010 10:55:34 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding

Error - 7/1/2010 10:55:41 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding

Error - 7/1/2010 10:55:49 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding

Error - 7/1/2010 10:55:56 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding

Error - 7/1/2010 10:56:04 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding

Error - 7/1/2010 10:56:11 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding

Error - 7/1/2010 10:56:19 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding

Error - 7/1/2010 10:56:26 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding

Error - 7/1/2010 10:56:34 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding

Error - 7/1/2010 10:56:41 PM | Computer Name = TOSHIBA-USER | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {4BEE36D7-DF28-49C1-8B85-1F3AED830E66}.
The
error: "%2" Happened while starting this command: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
-Embedding


< End of report >



3. GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-01 21:29:31
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pwliyfob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Cdfs \Cdfs A867C400

---- EOF - GMER 1.0.15 ----



4. I don't really see any signs of the virus :)

#25 SweetTech (Sir SpamAlot; Retired Staff; 7,671 posts)
Hello,

Your logs are looking pretty good. I just want to do a few more scans to ensure we've gotten it all. I like to err on the side of caution :).


OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :Services
    :OTL
    O4 - HKCU..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe File not found
    [2010/07/01 17:45:02 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\mbam-setup-1.46.exe
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:


Java Outdated
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note:
The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
Click Ok and reboot your computer.


NEXT



Clean Java Cache & Temporary Files
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache. Leave BOTH checked: "Applications and Applets" and "Trace and Log Files".
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT:



Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.


NEXT:



Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

#26 ohserio (Member; Topic Starter; 18 posts)
1. Well that took a while :)

2. OTL Log:

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\msnmsgr deleted successfully.
C:\Documents and Settings\user\Desktop\mbam-setup-1.46.exe moved successfully.
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 55244430 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1020 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 578291 bytes

Total Files Cleaned = 53.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: user
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.7.0 log created on 07012010_215506

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



3. JavaRa Log:

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jul 01 22:12:22 2010

Found and removed: Software\JavaSoft\Java2D\1.5.0_02

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

------------------------------------

Finished reporting.




4. Kas Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, July 2, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, July 02, 2010 03:41:23
Records in database: 4259880
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 90166
Threats found: 20
Infected objects found: 41
Suspicious objects found: 0
Scan duration: 01:57:12


File name / Threat / Threats count
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Application Data\2d51d823.exe Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Application Data\FB8A85D1430B61387E4ACB006F2BBDB5\070700Setup.exe Infected: Trojan.Win32.FakeAV.wz 1
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Application Data\7306416.exe Infected: Trojan-Ransom.Win32.DigiPog.sv 1
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Application Data\7306417.exe Infected: Trojan-Downloader.Win32.Mufanom.uuz 1
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Temp\kgxn2.exe Infected: Trojan-Ransom.Win32.XBlocker.aoz 1
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Temp\Llr.exe Infected: Packed.Win32.Katusha.n 1
C:\_OTL\MovedFiles\07012010_161345\C_Documents and Settings\user\Local Settings\Temp\mdm.exe Infected: Trojan-Ransom.Win32.XBlocker.aou 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\crvi32.dll Infected: Trojan-Downloader.Win32.Mufanom.vjn 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\Ldurua.exe Infected: Packed.Win32.Katusha.n 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\ckftt.dll Infected: Trojan.Win32.BHO.ahuh 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\d7b1z1.dll Infected: Trojan-Ransom.Win32.XBlocker.apa 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\ernel32.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\gkftt.dll Infected: not-a-virus:AdWare.Win32.BHO.mkr 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\31e9aAA9.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\31uOC17u.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\3e79k179.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\55q5w.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\A317s31s9.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\eIQ317.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\spool\prtprocs\w32x86\w1uOCEIQ.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_161345\C_WINDOWS\system32\tkftt.exe Infected: Trojan-Downloader.Win32.Agent.dwst 1
C:\_OTL\MovedFiles\07012010_172631\C_WINDOWS\system32\spool\prtprocs\w32x86\317iQ17c.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_172631\C_WINDOWS\system32\spool\prtprocs\w32x86\5cEIQ.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_172631\C_WINDOWS\system32\spool\prtprocs\w32x86\sK55g.dll Infected: Backdoor.Win32.TDSS.tr 1
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\All Users\Application Data\N1\N1.cab Infected: not-a-virus:FraudTool.Win32.SecurityCenter.aw 1
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\34\48d6abe2-3927db7b Infected: Trojan-Downloader.Java.Agent.al 1
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\38\7a1f7ba6-443e4a69 Infected: Exploit.Java.Agent.f 1
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\38\7a1f7ba6-443e4a69 Infected: Trojan-Downloader.Java.Agent.ay 2
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\50\28841372-6a121f25 Infected: Exploit.OSX.Smid.c 1
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\59\49784c7b-6f5a04c2 Infected: Exploit.Java.Agent.f 1
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\59\49784c7b-6f5a04c2 Infected: Trojan-Downloader.Java.Agent.ay 2
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Application Data\Sun\Java\Deployment\cache\6.0\8\4c324188-73cb3b97 Infected: Trojan-Downloader.Java.Agent.aw 1
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache1381299023222515781.tmp Infected: Trojan-Downloader.Java.Agent.ah 2
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache1783048471217430908.tmp Infected: Exploit.OSX.Smid.b 1
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache2039173355639884936.tmp Infected: Trojan-Downloader.Java.Agent.ah 2
C:\_OTL\MovedFiles\07012010_193015\C_Documents and Settings\user\Desktop\Backup Toshiba\Documents and Settings\AZIYEL MADRIGAL\Local Settings\Temp\jar_cache5019832304850413377.tmp Infected: Trojan-Downloader.Java.Agent.ah 2

Selected area has been scanned.


5. Security Check Log:

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 20
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent

````````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````

Edited by ohserio, 02 July 2010 - 02:02 AM.

  • 0

#27
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
ohserio,

I must apologize to you, somehow it seems that I overlooked your response to this thread, and am only now seeing your response to the thread.

I am reviewing your latest logs right now, and will be back with instructions for you to complete shortly.

Cheers,
ST.
  • 0

#28
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Your logs appear to be clean. We just need to clean up after ourselves and remove the tools we used, as well as create a new system restore point. You will also find my All Clean speech below.

If you have no further issues with your computer, then please proceed with the following housekeeping procedures outlined below.



NEXT:



OTL Clean-Up
Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.



NEXT:



Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.



NEXT:



All Clean Speech

==> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <==

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.
  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.
  • SpywareGuard offers real-time protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program (e.g. TeaTimer, Windows Defender) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
    • If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
      • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
  • 0
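The HOSTS file advice above cuts both ways: a blocklist sinks bad domains to 127.0.0.1, while rogue software edits the same file to send legitimate domains elsewhere. The following is an added example, my own Python and not a tool used in this thread, that parses a HOSTS file and separates harmless blocklist entries from entries that deserve a second look; the sample HOSTS text, the domains and the address 192.0.2.10 are all constructed.

```python
# Added example, not from the thread: audit a Windows HOSTS file.
# A blocklist HOSTS file such as the MVPS one maps ad/malware domains to
# 127.0.0.1 or 0.0.0.0 so they never resolve. A hijacked file does the reverse,
# pointing real hostnames at an address the attacker controls.
import ipaddress

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}   # legitimate blocklist sinks
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])       # validate the address column
        except ValueError:
            continue
        for host in parts[1:]:                   # one line may list several names
            yield parts[0], host.lower()

def audit_hosts(text):
    """Return (blocked, suspicious): blocked counts entries sunk to a loopback or
    null address; suspicious lists (ip, host) pairs sent anywhere else."""
    blocked, suspicious = 0, []
    for ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue                             # stock localhost lines are fine
        if ip in SINK_ADDRESSES:
            blocked += 1
        else:
            suspicious.append((ip, host))
    return blocked, suspicious

# Constructed sample: a stock localhost line, two blocklist entries, and one
# hijacked entry using the placeholder address 192.0.2.10 (TEST-NET-1).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ad.example.net
0.0.0.0 tracker.example.org      # blocked ad server
192.0.2.10  www.example-av-vendor.com   # hijacked: update checks go elsewhere
"""

if __name__ == "__main__":
    count, bad = audit_hosts(SAMPLE_HOSTS)
    print(f"{count} blocklist entries, {len(bad)} suspicious: {bad}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `audit_hosts` and investigate anything reported as suspicious.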

#29
ohserio

ohserio

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Thank you soooo much :) My computer looks like it's back to normal.
You're officially part of my family.

No, I'm playing
:)
  • 0

#30
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
You are more than welcome.

This made me chuckle:

You're officially part of my family.


I'm truly glad that I was able to be of assistance to you. Please take care and stay safe and clean on the internet.

Cheers,
SweetTech.
  • 0
