Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Windows Vista Recovery rogue software


  • This topic is locked This topic is locked

#1
Daclivont

Daclivont

    Member

  • Member
  • PipPip
  • 85 posts
My wife's laptop got infected with Windows Vista Recovery rogue software last night.

It's redirection google results on anything that removes malware, marking all files and folders as hidden, telling me the HD and RAM are bad and all those fun things.

I tried solving it myself but to no avail. :)

I also tried fallowing the guides found through google with no luck.

OTL log is attached

Any help would be much appreciated.

Attached Files

  • Attached File  OTL.Txt   69.02KB   130 downloads

  • 0

Advertisements


#2
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello Daclivont and welcome to G2G! :)

My nick is maliprog and I'll will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed
Step 1

We need to disable malware processes on your system first
  • Download TheKiller to your Desktop
  • Note that TheKiller is renamed as explorer.exe
  • Run it by double click
  • Press OK button after program finish
  • Do not restart your system after this step
NOTE: If malware blocks TheKiller from running please try to run it several more times

Step 2

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKCU..\Run: [TwqRRPxAJIrVIbB] C:\ProgramData\TwqRRPxAJIrVIbB.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\Lovyna\AppData\Roaming\1.gif
    [2011/06/04 13:16:46 | 000,333,824 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\31842040.exe
    [2011/06/04 13:21:09 | 001,431,344 | -H-- | C] (Kaspersky Lab ZAO) -- C:\Users\Lovyna\Desktop\gjfd.exe
    [2011/06/04 11:46:38 | 001,431,344 | -H-- | C] (Kaspersky Lab ZAO) -- C:\Users\Lovyna\Desktop\iexplore.exe.exe
    [2011/06/04 11:19:43 | 000,000,000 | -H-D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\m
    [2011/06/04 11:19:38 | 000,000,000 | -H-D | C] -- C:\Program Files\m
    [2011/06/04 00:40:32 | 000,000,000 | -H-D | C] -- C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery
    [2011/06/04 00:29:36 | 000,419,328 | -H-- | C] (Microsoft Corporation) -- C:\ProgramData\TwqRRPxAJIrVIbB.exe
    [2011/05/23 16:56:18 | 000,000,000 | -H-D | C] -- C:\Users\Lovyna\AppData\Roaming\5015
    [2011/05/23 16:42:42 | 000,000,000 | -H-D | C] -- C:\ProgramData\cB06511GpIiP06511
    [2011/06/04 13:17:10 | 000,000,152 | -H-- | M] () -- C:\ProgramData\~31842040r
    [2011/06/04 13:17:10 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~31842040
    [2011/06/04 13:16:52 | 000,000,336 | -H-- | M] () -- C:\ProgramData\31842040
    [2011/06/04 12:16:00 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~31252216
    [2011/06/04 12:04:37 | 000,000,152 | -H-- | M] () -- C:\ProgramData\~31252216r
    [2011/06/04 11:37:00 | 000,000,336 | -H-- | M] () -- C:\ProgramData\31252216
    [2011/06/04 00:58:56 | 000,000,136 | -H-- | M] () -- C:\ProgramData\~30924536r
    [2011/06/04 00:58:56 | 000,000,128 | -H-- | M] () -- C:\ProgramData\~30924536
    [2011/06/04 00:40:32 | 000,000,606 | -H-- | M] () -- C:\Users\Lovyna\Desktop\Windows Vista Recovery.lnk
    [2011/06/04 00:40:07 | 000,000,336 | -H-- | M] () -- C:\ProgramData\30924536
    [2011/05/25 07:10:16 | 001,431,344 | -H-- | M] (Kaspersky Lab ZAO) -- C:\Users\Lovyna\Desktop\iexplore.exe.exe
    [2011/05/25 07:10:16 | 001,431,344 | -H-- | M] (Kaspersky Lab ZAO) -- C:\Users\Lovyna\Desktop\gjfd.exe


    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 3

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • Malwarebytes log
It would be helpful if you could post each log in separate post
  • 0

#3
Daclivont

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
I can't get Malwarbytes to update. I get an error that says "An error has occurred. Please report this error code to our support team. MBAM_ERROR_UPDATING (5, 0, CreateFile) Access is denied.

But here's the otl log.





========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\TwqRRPxAJIrVIbB deleted successfully.
C:\ProgramData\TwqRRPxAJIrVIbB.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\\WallPaper deleted successfully.
C:\Users\Lovyna\AppData\Roaming\1.gif moved successfully.
C:\ProgramData\31842040.exe moved successfully.
C:\Users\Lovyna\Desktop\gjfd.exe moved successfully.
C:\Users\Lovyna\Desktop\iexplore.exe.exe moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\m folder moved successfully.
C:\Program Files\m\Languages folder moved successfully.
C:\Program Files\m folder moved successfully.
C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery folder moved successfully.
File C:\ProgramData\TwqRRPxAJIrVIbB.exe not found.
C:\Users\Lovyna\AppData\Roaming\5015\components folder moved successfully.
C:\Users\Lovyna\AppData\Roaming\5015 folder moved successfully.
Folder C:\ProgramData\cB06511GpIiP06511\ not found.
C:\ProgramData\~31842040r moved successfully.
C:\ProgramData\~31842040 moved successfully.
C:\ProgramData\31842040 moved successfully.
C:\ProgramData\~31252216 moved successfully.
C:\ProgramData\~31252216r moved successfully.
C:\ProgramData\31252216 moved successfully.
C:\ProgramData\~30924536r moved successfully.
C:\ProgramData\~30924536 moved successfully.
C:\Users\Lovyna\Desktop\Windows Vista Recovery.lnk moved successfully.
C:\ProgramData\30924536 moved successfully.
File C:\Users\Lovyna\Desktop\iexplore.exe.exe not found.
File C:\Users\Lovyna\Desktop\gjfd.exe not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.23.0 log created on 06052011_162907
  • 0

#4
Daclivont

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
I reinstalled malwarebytes and got it updated

Here's the log for it:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6779

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

6/5/2011 5:47:53 PM
mbam-log-2011-06-05 (17-47-53).txt

Scan type: Quick scan
Objects scanned: 174217
Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Lovyna\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Edited by Daclivont, 05 June 2011 - 04:49 PM.

  • 0

#5
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Daclivont,

How is your system now? Problems?
  • 0

#6
Daclivont

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
It's still redirecting google results and some files and folders are still hidden.
  • 0

#7
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
In that case let's continue :)

Step 1

Download Unhide.exe from here to your desktop and run ti. It should unhide all your files.

Step 2

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 3

Download aswMBR.exe ( 511KB ) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

Step 4

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open notepad window. OTL.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, and post it with your next reply.

Step 5

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
  • New OTL scan log
It would be helpful if you could post each log in separate post
  • 0

#8
Daclivont

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
tdsskiller refuses to run.

no warnings, errors or anything. It just does nothing.
  • 0

#9
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
OK. Try other two steps. We will see what is going on.
  • 0

#10
Daclivont

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
aswMBR log:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-06-06 16:10:44
-----------------------------
16:10:44.811 OS Version: Windows 6.0.6002 Service Pack 2
16:10:44.811 Number of processors: 2 586 0x6802
16:10:44.811 ComputerName: LOVYNA-PC UserName: Lovyna
16:11:12.329 Initialize success
16:11:26.853 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:11:26.853 Disk 0 Vendor: Hitachi_HTS542520K9SA00 BBDOC33P Size: 190782MB BusType: 3
16:11:28.928 Disk 0 MBR read successfully
16:11:28.928 Disk 0 MBR scan
16:11:28.943 Disk 0 unknown MBR code
16:11:30.956 Disk 0 scanning sectors +390721536
16:11:31.034 Disk 0 scanning C:\Windows\system32\drivers
16:11:39.739 Service scanning
16:11:42.016 Disk 0 trace - called modules:
16:11:42.016 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85fd91ed]<<
16:11:42.016 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853719d0]
16:11:42.032 3 CLASSPNP.SYS[82b138b3] -> nt!IofCallDriver -> [0x85351bc0]
16:11:42.032 5 acpi.sys[806086bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85351030]
16:11:42.047 \Driver\atapi[0x84899d40] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x85fd91ed
16:11:42.047 Scan finished successfully
16:12:48.301 Disk 0 MBR has been saved successfully to "C:\Users\Lovyna\Desktop\MBR.dat"
16:12:48.316 The log file has been saved successfully to "C:\Users\Lovyna\Desktop\aswMBR.txt"
  • 0

Advertisements


#11
Daclivont

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
OTL:

OTL logfile created on: 6/6/2011 4:13:34 PM - Run 2
OTL by OldTimer - Version 3.2.23.0 Folder = E:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.76 Gb Available Physical Memory | 61.36% Memory free
5.95 Gb Paging File | 4.88 Gb Available in Paging File | 82.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 138.56 Gb Free Space | 74.96% Space Free | Partition Type: NTFS
Drive E: | 3.73 Gb Total Space | 3.33 Gb Free Space | 89.26% Space Free | Partition Type: FAT32

Computer Name: LOVYNA-PC | User Name: Lovyna | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/05 16:27:38 | 000,580,096 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2011/05/25 17:29:54 | 001,951,112 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
PRC - [2011/05/25 17:29:48 | 001,336,712 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2011/05/01 23:02:44 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/01/17 19:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 19:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2011/01/01 10:57:54 | 000,110,352 | ---- | M] (www.motioninjoy.com) -- C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe
PRC - [2009/04/11 01:28:15 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/02/14 14:08:30 | 000,184,320 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
PRC - [2008/01/29 21:51:52 | 004,911,104 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/29 19:00:40 | 000,430,080 | ---- | M] () -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PRC - [2008/01/22 17:25:26 | 000,712,704 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
PRC - [2008/01/22 14:00:30 | 004,624,384 | ---- | M] () -- C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
PRC - [2008/01/21 19:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2008/01/20 21:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/01/17 19:27:52 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
PRC - [2008/01/17 19:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2008/01/09 17:02:08 | 001,056,768 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2007/12/25 16:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2007/12/25 16:06:52 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
PRC - [2007/12/13 22:52:00 | 000,143,360 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
PRC - [2007/12/03 20:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe
PRC - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2007/10/25 20:41:18 | 000,413,696 | ---- | M] (Chicony) -- C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
PRC - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () -- c:\Toshiba\IVP\swupdate\swupdtmr.exe
PRC - [2007/09/28 19:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/06/16 00:01:58 | 000,448,080 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SmoothView\SmoothView.exe
PRC - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () -- C:\Toshiba\IVP\ISM\pinger.exe
PRC - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


========== Modules (SafeList) ==========

MOD - [2011/06/05 16:27:38 | 000,580,096 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/25 17:29:48 | 001,336,712 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2008/01/21 19:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/17 19:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/12/25 16:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2007/12/03 20:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/30 03:35:40 | 000,937,984 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () [Auto | Running] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/09/28 19:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/09/24 20:38:00 | 000,181,784 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\Toshiba\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/01/01 10:12:18 | 000,081,168 | ---- | M] (MotioninJoy) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MijXfilt.sys -- (MotioninJoyXFilter)
DRV - [2010/02/11 02:42:22 | 004,450,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/04/11 00:06:26 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
DRV - [2009/03/18 17:35:40 | 000,026,176 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/01/25 19:24:56 | 000,764,416 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/01/21 18:42:24 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2008/01/20 21:23:21 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/12/28 22:21:54 | 000,104,448 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007/12/17 14:45:20 | 000,018,432 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/11/09 17:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/10/02 14:43:22 | 000,064,128 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007/08/31 20:43:32 | 000,020,352 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2007/06/29 14:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007/03/22 01:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/02/24 17:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/01/23 19:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/28 18:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 17:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 01:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/11/09 01:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2006/10/30 13:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)
DRV - [2006/10/23 19:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 14:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/10 22:33:00 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosporte.sys -- (tosporte)
DRV - [2005/08/17 08:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.sbuniv.ed...ySBU/index.htm"
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.81
FF - prefs.js..extensions.enabledItems: {37fa1426-b82d-11db-8314-0800200c9a66}:2.7.5
FF - prefs.js..extensions.enabledItems: {ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}:2.7.1
FF - prefs.js..extensions.enabledItems: {B742AE5D-19CB-777A-B8D6-901079696A93}:1.7
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
FF - prefs.js..extensions.enabledItems: {4176DFF4-4698-11DE-BEEB-45DA55D89593}:0.8.7
FF - prefs.js..extensions.enabledItems: [email protected]:0.9.8.0
FF - prefs.js..extensions.enabledItems: showmemore@suskind:1.3
FF - prefs.js..extensions.enabledItems: [email protected]:3.0.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - HKLM\software\mozilla\Firefox\Extensions\\{184AA5E6-741D-464a-820E-94B3ABC2F3B4}: C:\Users\Lovyna\AppData\Roaming\5015
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 23:02:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 15:56:58 | 000,000,000 | ---D | M]

[2011/01/15 14:51:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Extensions
[2011/06/05 11:32:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\2kmvaeqn.default\extensions
[2011/01/20 12:32:49 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\2kmvaeqn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/05 11:32:34 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\2kmvaeqn.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2011/01/15 16:00:52 | 000,000,000 | ---D | M] (CouponFollow) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\2kmvaeqn.default\extensions\{B742AE5D-19CB-777A-B8D6-901079696A93}
[2011/03/26 11:50:26 | 000,000,000 | ---D | M] (FoxLingo) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\2kmvaeqn.default\extensions\{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
[2011/02/14 20:54:29 | 000,000,000 | ---D | M] (Autofill Forms) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\2kmvaeqn.default\extensions\[email protected]
[2011/01/15 20:06:10 | 000,000,000 | ---D | M] (Show Me More) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\2kmvaeqn.default\extensions\showmemore@suskind
[2011/03/23 15:56:59 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/02/14 19:51:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2KMVAEQN.DEFAULT\EXTENSIONS\{4176DFF4-4698-11DE-BEEB-45DA55D89593}.XPI
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2KMVAEQN.DEFAULT\EXTENSIONS\{A0D7CCB3-214D-498B-B4AA-0E8FDA9A7BF7}.XPI
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2KMVAEQN.DEFAULT\EXTENSIONS\{AE93811A-5C9A-4D34-8462-F7B864FC4696}.XPI
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2KMVAEQN.DEFAULT\EXTENSIONS\[email protected]
[2011/05/01 23:02:43 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/02/14 19:51:02 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/06/04 13:12:39 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [AMD_Display] File not found
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [HSON] C:\Program Files\Toshiba\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [PCMAgent] C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DS3 Tool] C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe (www.motioninjoy.com)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe ()
O4 - Startup: C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O20 - HKLM Winlogon: Shell - (explorer.exe) - explorer.exe (maliprog @ Geekstogo)
O24 - Desktop BackupWallPaper: C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/06 16:10:04 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Users\Lovyna\Desktop\aswMBR.exe
[2011/06/06 13:07:50 | 001,431,344 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Lovyna\Desktop\tdsskiller.exe
[2011/06/05 17:43:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/05 17:43:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/06/05 17:43:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/04 13:20:29 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\GooredFix Backups
[2011/06/04 12:11:15 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/05/30 15:01:54 | 000,026,176 | ---- | C] (LogMeIn, Inc.) -- C:\Windows\System32\hamachi.sys
[2011/05/30 15:01:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Hamachi
[2011/05/30 15:01:49 | 000,000,000 | ---D | C] -- C:\Program Files\LogMeIn Hamachi
[2011/05/25 17:08:10 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\3d analyzer
[2011/05/25 16:27:09 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2011/05/25 11:04:50 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Local\GamersFirst LIVE!
[2011/05/25 11:04:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GamersFirst
[2011/05/25 11:04:36 | 000,000,000 | ---D | C] -- C:\Program Files\GamersFirst
[2011/05/24 08:21:05 | 000,236,496 | ---- | C] (Adobe Systems, Incorporated) -- C:\Users\Lovyna\AppData\Roaming\AcroIEHelpe029.dll
[2011/05/23 16:56:02 | 000,000,000 | ---D | C] -- C:\xmldm
[2011/05/23 16:56:02 | 000,000,000 | ---D | C] -- C:\kock
[2011/05/23 16:55:59 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\xmldm
[2011/05/23 16:55:58 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\kock
[2011/05/23 16:42:42 | 000,000,000 | ---D | C] -- C:\ProgramData\cB06511GpIiP06511
[2011/05/22 13:44:11 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2011/05/22 13:44:11 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2011/05/22 13:44:10 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2011/05/19 15:39:55 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2011/05/15 16:40:27 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\Disk9.2
[2011/05/12 11:17:59 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\vlc
[2011/05/12 11:17:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2011/05/12 11:17:37 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2011/05/12 10:28:51 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\CATCHING FIRE
[2011/05/08 00:05:46 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\CyberLink
[1 C:\Users\Lovyna\AppData\Roaming\*.tmp files -> C:\Users\Lovyna\AppData\Roaming\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/06 16:14:53 | 000,611,788 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/06 16:14:53 | 000,106,796 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/06 16:12:48 | 000,000,512 | ---- | M] () -- C:\Users\Lovyna\Desktop\MBR.dat
[2011/06/06 16:10:05 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Users\Lovyna\Desktop\aswMBR.exe
[2011/06/06 16:08:05 | 000,007,268 | ---- | M] () -- C:\Users\Lovyna\AppData\Local\d3d9caps.dat
[2011/06/06 16:08:03 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/06 16:07:53 | 000,003,616 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/06 16:07:53 | 000,003,616 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/06 16:07:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/06 14:07:17 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/06 13:53:59 | 000,606,105 | ---- | M] () -- C:\Users\Lovyna\Desktop\unhide.exe
[2011/06/06 13:07:54 | 001,431,344 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Lovyna\Desktop\tdsskiller.exe
[2011/06/05 19:43:01 | 000,000,598 | ---- | M] () -- C:\Users\Public\Desktop\Malware Protection.lnk
[2011/06/05 17:43:34 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/04 13:12:39 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/06/04 12:14:50 | 137,531,273 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/06/04 11:36:34 | 000,000,949 | ---- | M] () -- C:\Users\Lovyna\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/06/04 01:02:38 | 000,000,632 | RHS- | M] () -- C:\Users\Lovyna\ntuser.pol
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/05/25 16:28:52 | 000,138,056 | ---- | M] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2011/05/25 16:28:52 | 000,138,056 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\PnkBstrK.sys
[2011/05/25 16:27:53 | 000,189,248 | ---- | M] () -- C:\Windows\System32\PnkBstrB.ex0
[2011/05/25 11:04:42 | 000,001,195 | ---- | M] () -- C:\Users\Lovyna\Desktop\APB Reloaded.lnk
[2011/05/24 08:21:46 | 000,000,036 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\urhtps.dat
[2011/05/22 14:10:19 | 000,414,672 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/05/22 12:46:14 | 000,008,746 | ---- | M] () -- C:\Users\Lovyna\Documents\cc_20110522_124610.reg
[2011/05/19 10:37:50 | 000,000,370 | ---- | M] () -- C:\Users\Lovyna\Desktop\Disk9.2 - Shortcut.lnk
[2011/05/12 11:05:06 | 000,001,332 | ---- | M] () -- C:\Windows\System32\Archive.rar
[1 C:\Users\Lovyna\AppData\Roaming\*.tmp files -> C:\Users\Lovyna\AppData\Roaming\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/06 16:12:48 | 000,000,512 | ---- | C] () -- C:\Users\Lovyna\Desktop\MBR.dat
[2011/06/06 13:55:59 | 000,000,949 | ---- | C] () -- C:\Users\Lovyna\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/06/06 13:53:59 | 000,606,105 | ---- | C] () -- C:\Users\Lovyna\Desktop\unhide.exe
[2011/06/05 19:43:01 | 000,000,598 | ---- | C] () -- C:\Users\Public\Desktop\Malware Protection.lnk
[2011/06/05 17:43:34 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/04 12:11:02 | 137,531,273 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/06/04 01:02:38 | 000,000,632 | RHS- | C] () -- C:\Users\Lovyna\ntuser.pol
[2011/05/25 17:09:07 | 000,001,195 | ---- | C] () -- C:\Users\Lovyna\Desktop\APB Reloaded.lnk
[2011/05/25 17:07:42 | 000,900,944 | ---- | C] () -- C:\Users\Lovyna\Desktop\3danalyzer-v236.exe
[2011/05/25 16:28:53 | 000,138,056 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2011/05/25 16:28:52 | 000,138,056 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\PnkBstrK.sys
[2011/05/25 16:27:53 | 000,189,248 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2011/05/25 16:27:53 | 000,189,248 | ---- | C] () -- C:\Windows\System32\PnkBstrB.ex0
[2011/05/25 16:27:50 | 000,075,136 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2011/05/23 23:50:46 | 000,000,036 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\urhtps.dat
[2011/05/22 12:46:12 | 000,008,746 | ---- | C] () -- C:\Users\Lovyna\Documents\cc_20110522_124610.reg
[2011/05/19 10:37:50 | 000,000,370 | ---- | C] () -- C:\Users\Lovyna\Desktop\Disk9.2 - Shortcut.lnk
[2011/05/12 11:05:06 | 000,001,332 | ---- | C] () -- C:\Windows\System32\Archive.rar
[2011/05/12 10:28:32 | 000,000,044 | ---- | C] () -- C:\Users\Lovyna\Desktop\Track01.cda
[2011/04/23 08:13:15 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/01/19 13:40:07 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/01/19 13:40:07 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/01/19 13:39:09 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/01/15 21:09:49 | 000,007,268 | ---- | C] () -- C:\Users\Lovyna\AppData\Local\d3d9caps.dat
[2011/01/15 15:48:19 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2011/01/15 15:48:19 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2011/01/15 15:48:19 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2011/01/15 15:48:19 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2011/01/15 15:35:02 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2011/01/15 15:35:02 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2011/01/15 15:13:00 | 000,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2011/01/15 14:51:17 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/01/15 14:23:30 | 000,000,016 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2009/04/23 17:29:16 | 000,189,051 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2008/12/09 10:23:13 | 000,048,352 | RHS- | C] () -- C:\Users\Lovyna\AppData\Roaming\appconf32.exe
[2008/02/13 01:34:21 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/02/13 01:00:09 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/02/13 01:00:09 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/02/13 01:00:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/02/13 01:00:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/02/13 01:00:09 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/02/13 01:00:09 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008/02/13 00:38:47 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/02/13 00:35:26 | 000,000,852 | ---- | C] () -- C:\Windows\System32\drivers\RTKHDRC1.dat
[2008/02/13 00:35:26 | 000,000,852 | ---- | C] () -- C:\Windows\System32\drivers\RTKHDRC0.dat
[2008/02/13 00:35:26 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX1.dat
[2008/02/13 00:35:26 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
[2008/02/13 00:35:26 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2008/02/13 00:35:26 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008/02/13 00:12:13 | 000,157,040 | ---- | C] () -- C:\Windows\fdbpinger.exe
[2008/01/28 21:01:42 | 000,057,344 | ---- | C] () -- C:\Windows\System32\SmartFaceVCapt.dll
[2008/01/28 21:01:06 | 000,471,040 | ---- | C] () -- C:\Windows\System32\SmartFaceVCP.dll
[2008/01/28 20:53:02 | 006,701,056 | ---- | C] () -- C:\Windows\System32\FaceHI.dll
[2008/01/28 20:53:02 | 000,995,328 | ---- | C] () -- C:\Windows\System32\FaceRec.dll
[2008/01/28 20:53:02 | 000,126,976 | ---- | C] () -- C:\Windows\System32\SmartFaceVCtrl.dll
[2008/01/28 20:52:28 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IppLib.dll
[2007/12/21 19:46:32 | 000,118,784 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,414,672 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,611,788 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,106,796 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 12:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/07/23 00:30:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== LOP Check ==========

[2011/05/02 22:56:47 | 000,000,000 | ---D | M] -- C:\Users\Lovyna\AppData\Roaming\.minecraft
[2011/03/11 20:43:44 | 000,000,000 | ---D | M] -- C:\Users\Lovyna\AppData\Roaming\DragonicaSCB
[2011/04/21 23:37:36 | 000,000,000 | ---D | M] -- C:\Users\Lovyna\AppData\Roaming\IObit
[2011/05/23 16:55:58 | 000,000,000 | ---D | M] -- C:\Users\Lovyna\AppData\Roaming\kock
[2011/04/26 17:14:38 | 000,000,000 | ---D | M] -- C:\Users\Lovyna\AppData\Roaming\MotioninJoy
[2011/03/13 19:02:37 | 000,000,000 | ---D | M] -- C:\Users\Lovyna\AppData\Roaming\OpenOffice.org
[2011/01/15 14:39:54 | 000,000,000 | ---D | M] -- C:\Users\Lovyna\AppData\Roaming\WinBatch
[2011/06/04 13:10:44 | 000,000,000 | ---D | M] -- C:\Users\Lovyna\AppData\Roaming\xmldm
[2011/06/06 14:33:43 | 000,032,620 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Edited by Daclivont, 06 June 2011 - 03:17 PM.

  • 0

#12
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Daclivont

Step 1

Does this PC have Recovery partition on disk? Usually some brand name PCs like HP or DELL has one.

Step 2

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/05/23 16:55:59 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\xmldm
    [2011/05/23 16:55:58 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\kock
    [2011/05/23 16:42:42 | 000,000,000 | ---D | C] -- C:\ProgramData\cB06511GpIiP06511
    [2011/05/24 08:21:46 | 000,000,036 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\urhtps.dat
    [2011/01/15 15:13:00 | 000,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
    [2011/01/15 14:23:30 | 000,000,016 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys


    :Files
    C:\ProgramData\cB06511GpIiP06511
    C:\Users\Lovyna\AppData\Roaming\urhtps.dat
    C:\Windows\System32\drivers\taishop.sys
    C:\Windows\System32\drivers\fbd.sys

    :Commands
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles
Step 3


Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\\ComboFix.txt log in your next reply.

Step 4

Try to run TDSSKiller now and post results.

Step 5

Please don't forget to include these items in your reply:

  • OTL fix log
  • Combofix log
  • TDSSKiller log
It would be helpful if you could post each log in separate post
  • 0

#13
Daclivont

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
We have the recovery cd that came with it.
  • 0

#14
Daclivont

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
OTL:

========== OTL ==========
C:\Users\Lovyna\AppData\Roaming\xmldm folder moved successfully.
C:\Users\Lovyna\AppData\Roaming\kock folder moved successfully.
Folder C:\ProgramData\cB06511GpIiP06511\ not found.
C:\Users\Lovyna\AppData\Roaming\urhtps.dat moved successfully.
C:\Windows\System32\drivers\taishop.sys moved successfully.
C:\Windows\System32\drivers\fbd.sys moved successfully.
========== FILES ==========
C:\ProgramData\cB06511GpIiP06511 folder moved successfully.
File\Folder C:\Users\Lovyna\AppData\Roaming\urhtps.dat not found.
File\Folder C:\Windows\System32\drivers\taishop.sys not found.
File\Folder C:\Windows\System32\drivers\fbd.sys not found.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.23.0 log created on 06072011_004948
  • 0

#15
Daclivont

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
Combofix:

ComboFix 11-06-06.03 - Lovyna 06/07/2011 1:10.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2941.2042 [GMT -5:00]
Running from: c:\users\Lovyna\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Lovyna\AppData\Roaming\AcROiehelpe029.dll
c:\users\Lovyna\AppData\Roaming\appconf32.exe
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2011-05-07 to 2011-06-07 )))))))))))))))))))))))))))))))
.
.
2011-06-05 22:43 . 2011-06-05 22:43 -------- d-----w- c:\programdata\Malwarebytes
2011-06-05 22:43 . 2011-06-05 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-04 06:03 . 2011-06-04 06:04 -------- d-----w- c:\users\cxvb
2011-06-03 16:41 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F3ABECA2-C9C0-48D2-92CC-EA064288C27B}\mpengine.dll
2011-05-30 20:01 . 2009-03-18 22:35 26176 ----a-w- c:\windows\system32\hamachi.sys
2011-05-30 20:01 . 2011-05-30 20:01 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-05-27 17:27 . 2011-05-27 17:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 21:28 . 2011-05-25 21:28 138056 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-05-25 21:28 . 2011-05-25 21:28 138056 ----a-w- c:\users\Lovyna\AppData\Roaming\PnkBstrK.sys
2011-05-25 16:04 . 2011-06-02 20:18 -------- d-----w- c:\users\Lovyna\AppData\Local\GamersFirst LIVE!
2011-05-25 16:04 . 2011-05-25 16:04 -------- d-----w- c:\program files\GamersFirst
2011-05-23 21:56 . 2011-05-23 21:56 112 ----a-w- c:\users\Lovyna\AppData\Roaming\srvblck2.tmp
2011-05-23 21:56 . 2011-05-23 21:56 -------- d-----w- C:\xmldm
2011-05-23 21:56 . 2011-05-23 21:56 -------- d-----w- C:\kock
2011-05-22 18:44 . 2011-05-22 18:44 -------- d-----w- c:\windows\system32\ca-ES
2011-05-22 18:44 . 2011-05-22 18:44 -------- d-----w- c:\windows\system32\eu-ES
2011-05-22 18:44 . 2011-05-22 18:44 -------- d-----w- c:\windows\system32\vi-VN
2011-05-22 00:41 . 2011-05-22 00:42 -------- d-----w- c:\users\Guest
2011-05-19 20:39 . 2011-05-19 20:39 -------- d-----w- c:\programdata\WindowsSearch
2011-05-12 16:17 . 2011-05-12 16:18 -------- d-----w- c:\users\Lovyna\AppData\Roaming\vlc
2011-05-12 16:17 . 2011-05-12 16:17 -------- d-----w- c:\program files\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 14:11 . 2011-01-16 03:00 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 02:24 . 2011-03-24 02:24 98304 ----a-r- c:\users\Lovyna\AppData\Roaming\Microsoft\Installer\{32939827-D8E5-470A-B126-870DB3C69FDF}\python_icon.exe
2011-03-10 17:03 . 2011-04-14 01:27 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-10 17:03 . 2011-04-14 01:27 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-05-02 04:02 . 2011-03-23 20:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-15 39408]
"DS3 Tool"="c:\program files\MotioninJoy\ds3\DS3_Tool.exe" [2011-01-01 110352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-30 4911104]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-26 413696]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-18 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-02-14 184320]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-05-25 1951112]
.
c:\users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-23 135664]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2011-01-01 81168]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-09-01 20352]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-05-25 1336712]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-23 03:02]
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-23 03:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\2kmvaeqn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.sbuniv.edu/MySBU/index.htm
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-AMD_Display - (no file)
AddRemove-InstallShield_{03240EBA-04F2-4652-BC7F-B055902BDCD3} - c:\program files\InstallShield Installation Information\{03240EBA-04F2-4652-BC7F-B055902BDCD3}\setup.exe
AddRemove-InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761} - c:\program files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe
AddRemove-InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF} - c:\program files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\setup.exe
AddRemove-InstallShield_{C730E42C-935A-45BB-A0C5-37E5234D111B} - c:\program files\InstallShield Installation Information\{C730E42C-935A-45BB-A0C5-37E5234D111B}\setup.exe
AddRemove-InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8} - c:\program files\InstallShield Installation Information\{FEDD27A0-B306-45EF-BF58-B527406B42C8}\setup.exe
AddRemove-{12B3A009-A080-4619-9A2A-C6DB151D8D67} - c:\program files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe
AddRemove-{37C866E4-AA67-4725-9E95-A39968DD7960} - c:\program files\InstallShield Installation Information\{37C866E4-AA67-4725-9E95-A39968DD7960}\setup.exe
AddRemove-{6C5F3BDC-0A1B-4436-A696-5939629D5C31} - c:\program files\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe
AddRemove-{8833FFB6-5B0C-4764-81AA-06DFEED9A476} - c:\program files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe
AddRemove-{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D} - c:\program files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe
AddRemove-{A644254B-92F6-4970-8635-AB0775371E72} - c:\program files\InstallShield Installation Information\{A644254B-92F6-4970-8635-AB0775371E72}\setup.exe
AddRemove-{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13} - c:\program files\InstallShield Installation Information\{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-07 01:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????rZ????h?????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-06-07 01:20:24
ComboFix-quarantined-files.txt 2011-06-07 06:20
.
Pre-Run: 147,768,958,976 bytes free
Post-Run: 147,759,677,440 bytes free
.
- - End Of File - - 1DD7D91F1F4D17A10DFB11B37266D038
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP