Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trouble malware on vista

Started by Daclivont , Sep 24 2011 08:51 PM

  • This topic is locked This topic is locked

#1
Daclivont
Posted 24 September 2011 - 08:51 PM

Daclivont

    Member

  • Member
  • PipPip
  • 85 posts
My wife's laptop got infected with some type of malware a little while ago and now I can't run Malwarebytes avast or surf the internet.

I found in the processes one called 884470985:906709195.exe

I managed to track it down once and delete it but it restarted the pc moments later and it was back.

It also forces Firefox and IE to use proxies that redirect to spam pages.

I tried fresh installs of Malwarebytes with changed names and it worked for about 30 seconds. :)

Here's the OTL log:


OTL logfile created on: 9/24/2011 9:45:40 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = F:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19120)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 81.82% Memory free
5.95 Gb Paging File | 5.59 Gb Available in Paging File | 94.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 107.50 Gb Free Space | 58.16% Space Free | Partition Type: NTFS
Drive F: | 3.73 Gb Total Space | 3.51 Gb Free Space | 94.05% Space Free | Partition Type: FAT32

Computer Name: LOVYNA-PC | User Name: Lovyna | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\Windows\884470985:906709195.exe
PRC - [2011/09/24 21:44:34 | 000,582,656 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2011/09/07 21:14:24 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/04/10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/22 09:29:02 | 000,077,312 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko6.dll
MOD - [2011/09/07 21:14:22 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2009/04/10 23:28:24 | 000,223,232 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
SRV - [2011/09/06 15:45:28 | 000,044,768 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/07/25 19:48:28 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/07/03 09:57:59 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2008/01/21 18:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/17 18:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/12/25 16:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Stopped] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2007/12/03 19:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/30 02:35:40 | 000,937,984 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () [Auto | Stopped] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/09/28 19:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Stopped] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/09/24 20:38:00 | 000,181,784 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [Auto | Stopped] -- C:\Toshiba\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Stopped] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - [2011/09/06 15:38:05 | 000,442,200 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/09/06 15:37:53 | 000,320,856 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/09/06 15:36:38 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/09/06 15:36:36 | 000,052,568 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/09/06 15:36:26 | 000,054,616 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2011/09/06 15:36:12 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/09/02 03:09:24 | 000,176,128 | ---- | M] (Realtek ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009/04/10 22:06:28 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
DRV - [2008/07/29 05:05:04 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/01/21 17:42:24 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2008/01/20 21:23:21 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/12/17 13:45:20 | 000,018,432 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/11/09 16:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/08/31 19:43:32 | 000,020,352 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2007/07/28 00:36:40 | 002,929,664 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/03/22 01:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/02/24 17:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/01/23 19:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/28 17:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 17:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/10 08:08:50 | 000,024,064 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ATITool.sys -- (ATITool)
DRV - [2006/11/09 01:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/11/09 01:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2006/10/30 12:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)
DRV - [2006/10/23 19:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 14:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:49758

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://mysbu.sbuniv...on=0&formdir=3"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53596
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/09/24 20:22:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/07 21:14:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/06/29 16:08:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Extensions
[2011/09/24 14:54:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions
[2011/09/03 01:18:49 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2011/09/24 14:54:26 | 000,000,000 | ---D | M] (BitTorrentBar Community Toolbar) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
[2011/07/08 21:24:38 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/09/07 21:14:56 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/07/03 08:49:49 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\[email protected]
[2011/09/01 19:13:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/01 19:13:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/09/24 20:22:50 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\7HPKN9SU.DEFAULT\EXTENSIONS\{AE93811A-5C9A-4D34-8462-F7B864FC4696}.XPI
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\7HPKN9SU.DEFAULT\EXTENSIONS\{DCBD1271-D228-4082-9FBC-36D9B7660B03}.XPI
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\7HPKN9SU.DEFAULT\EXTENSIONS\[email protected]
[2011/07/04 03:08:16 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/09/07 21:14:24 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========


Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (BitTorrentBar Toolbar) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe ()
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [conhost] C:\Users\Lovyna\AppData\Roaming\Microsoft\conhost.exe ()
O4 - HKLM..\Run: [HSON] C:\Program Files\Toshiba\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe" File not found
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [PCMAgent] C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Microsoft Update] C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe (Apple Inc.)
O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] C:\Windows\is-BV8GL.exe ()
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Users\Lovyna\Desktop\dsfgkjszhgdf\Malwa\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
F3 - HKCU WinNT: Load - (C:\Users\Lovyna\AppData\Local\Temp\csrss.exe) -C:\Users\Lovyna\AppData\Local\Temp\csrss.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\System32\winrnr.dll File not found
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{662D9419-05B0-444A-B459-569214287EA8}: DhcpNameServer = 192.168.254.254
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Users\Lovyna\AppData\Roaming\dwm.exe) -C:\Users\Lovyna\AppData\Roaming\dwm.exe ()
O24 - Desktop WallPaper: C:\Users\Lovyna\Desktop\Photos\Jenn's stuff\Sleep-With-A-Teddy-Bear.jpg
O24 - Desktop BackupWallPaper: C:\Users\Lovyna\Desktop\Photos\Jenn's stuff\Sleep-With-A-Teddy-Bear.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell - "" = AutoRun
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\AutoRun\command - "" = E:\autorun.exe
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\directx\command - "" = E:\DirectX9\dxsetup.exe
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\setup\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/24 21:37:23 | 000,457,728 | ---- | C] (NetPlay Software) -- C:\ProgramData\AbEVEEVRbhjjV.exe
[2011/09/24 21:18:32 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\dsfgkjszhgdf
[2011/09/24 20:23:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2011/09/24 20:23:12 | 000,320,856 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/09/24 20:23:12 | 000,020,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/09/24 19:58:44 | 000,034,392 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/09/24 19:58:42 | 000,052,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/09/24 19:39:24 | 000,442,200 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/09/24 19:39:23 | 000,054,616 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/09/24 19:38:55 | 000,199,304 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/09/24 19:38:55 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/09/24 19:11:49 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
[2011/09/24 17:18:54 | 000,098,304 | ---- | C] (Apple Inc.) -- C:\ProgramData\KeyboardBackupPolicy.dll
[2011/09/12 14:51:18 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Documents\My Games
[2011/09/12 14:40:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Games
[2011/09/12 14:40:16 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_25.dll
[2011/09/12 14:05:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Elaborate Bytes
[2011/09/12 14:05:16 | 000,000,000 | ---D | C] -- C:\Program Files\Elaborate Bytes
[2011/09/08 19:02:34 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\TOSHIBA
[2011/09/07 16:52:31 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/09/01 19:21:45 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\OpenOffice.org
[2011/09/01 19:15:37 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.3
[2011/09/01 19:14:30 | 000,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3
[2011/09/01 19:13:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/09/01 19:13:21 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/09/01 19:13:21 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/09/01 19:13:20 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/09/01 19:13:20 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/09/01 19:09:56 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\OpenOffice.org 3.3 (en-US) Installation Files
[2011/08/27 23:59:21 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/24 21:39:32 | 003,772,904 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/09/24 21:39:21 | 000,000,000 | ---- | M] () -- C:\Windows\884470985
[2011/09/24 21:39:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/09/24 21:37:00 | 000,457,728 | ---- | M] (NetPlay Software) -- C:\ProgramData\AbEVEEVRbhjjV.exe
[2011/09/24 21:24:02 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/09/24 21:05:24 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/24 21:05:24 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/24 20:24:58 | 000,709,968 | ---- | M] () -- C:\Windows\is-BV8GL.exe
[2011/09/24 20:24:58 | 000,010,498 | ---- | M] () -- C:\Windows\is-BV8GL.msg
[2011/09/24 20:24:58 | 000,000,381 | ---- | M] () -- C:\Windows\is-BV8GL.lst
[2011/09/24 20:23:13 | 000,001,840 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/09/24 20:23:07 | 000,000,000 | ---- | M] () -- C:\Windows\System32\config.nt
[2011/09/24 19:31:01 | 000,007,764 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\B66E.09A
[2011/09/24 17:18:53 | 000,098,304 | ---- | M] (Apple Inc.) -- C:\ProgramData\KeyboardBackupPolicy.dll
[2011/09/24 15:06:58 | 000,187,904 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\dwm.exe
[2011/09/19 18:03:04 | 103,759,888 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/09/12 14:40:19 | 000,002,019 | ---- | M] () -- C:\Users\Public\Desktop\Fable - The Lost Chapters.lnk
[2011/09/12 14:09:17 | 000,598,588 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/09/12 14:09:17 | 000,102,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/09/12 14:05:49 | 000,001,054 | ---- | M] () -- C:\Users\Public\Desktop\Virtual CloneDrive.lnk
[2011/09/06 15:45:29 | 000,199,304 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/09/06 15:45:29 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/09/06 15:38:05 | 000,442,200 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/09/06 15:37:53 | 000,320,856 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/09/06 15:36:38 | 000,034,392 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/09/06 15:36:36 | 000,052,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/09/06 15:36:26 | 000,054,616 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/09/06 15:36:12 | 000,020,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/09/01 19:22:06 | 000,001,039 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
[2011/09/01 19:15:38 | 000,000,985 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice.org 3.3.lnk
[2011/09/01 19:12:57 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/09/01 19:12:57 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/09/01 19:12:57 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/09/01 19:12:57 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/08/26 20:45:26 | 2316,290,048 | ---- | M] () -- C:\Users\Lovyna\Desktop\Fable The Lost Chapters.iso
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/24 21:39:21 | 000,000,000 | ---- | C] () -- C:\Windows\884470985
[2011/09/24 20:24:58 | 000,709,968 | ---- | C] () -- C:\Windows\is-BV8GL.exe
[2011/09/24 20:24:58 | 000,010,498 | ---- | C] () -- C:\Windows\is-BV8GL.msg
[2011/09/24 20:24:58 | 000,000,381 | ---- | C] () -- C:\Windows\is-BV8GL.lst
[2011/09/24 20:23:13 | 000,001,840 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/09/24 15:06:58 | 000,187,904 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\dwm.exe
[2011/09/23 17:17:25 | 000,007,764 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\B66E.09A
[2011/09/12 14:40:19 | 000,002,019 | ---- | C] () -- C:\Users\Public\Desktop\Fable - The Lost Chapters.lnk
[2011/09/12 14:27:17 | 2316,290,048 | ---- | C] () -- C:\Users\Lovyna\Desktop\Fable The Lost Chapters.iso
[2011/09/12 14:05:49 | 000,001,054 | ---- | C] () -- C:\Users\Public\Desktop\Virtual CloneDrive.lnk
[2011/09/01 19:22:06 | 000,001,039 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
[2011/09/01 19:15:38 | 000,000,985 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice.org 3.3.lnk
[2011/08/03 14:54:51 | 000,008,351 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\PStrip.bko
[2011/08/03 14:19:59 | 000,009,591 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\PStrip.bk!
[2011/08/03 14:19:53 | 000,009,568 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\PStrip.bak
[2011/08/03 14:18:03 | 000,009,591 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\PStrip.ini
[2011/08/03 14:15:48 | 000,000,063 | ---- | C] () -- C:\Windows\wininit.ini
[2011/07/06 20:37:19 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/07/06 20:36:50 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/07/06 20:36:50 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/07/06 19:51:08 | 000,000,680 | ---- | C] () -- C:\Users\Lovyna\AppData\Local\d3d9caps.dat
[2011/07/02 19:24:38 | 000,008,704 | ---- | C] () -- C:\Users\Lovyna\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/29 18:08:49 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2011/06/29 18:08:49 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2011/06/29 18:08:49 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2011/06/29 18:08:49 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2011/06/29 17:55:29 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2011/06/29 17:55:29 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2011/06/29 17:55:29 | 000,144,773 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011/06/29 15:51:37 | 000,000,067 | ---- | C] () -- C:\Windows\swupdate.INI
[2011/06/29 15:35:52 | 000,000,016 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2011/06/29 15:35:51 | 000,000,007 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2009/03/05 06:54:58 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2008/02/13 01:34:21 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/02/13 01:00:09 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/02/13 01:00:09 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/02/13 01:00:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/02/13 01:00:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/02/13 01:00:09 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/02/13 01:00:09 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008/02/13 00:38:47 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/02/13 00:35:26 | 000,000,852 | ---- | C] () -- C:\Windows\System32\drivers\RTKHDRC1.dat
[2008/02/13 00:35:26 | 000,000,852 | ---- | C] () -- C:\Windows\System32\drivers\RTKHDRC0.dat
[2008/02/13 00:35:26 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX1.dat
[2008/02/13 00:35:26 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
[2008/02/13 00:35:26 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2008/02/13 00:35:26 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008/02/13 00:12:13 | 000,157,040 | ---- | C] () -- C:\Windows\fdbpinger.exe
[2008/01/28 20:01:42 | 000,057,344 | ---- | C] () -- C:\Windows\System32\SmartFaceVCapt.dll
[2008/01/28 20:01:06 | 000,471,040 | ---- | C] () -- C:\Windows\System32\SmartFaceVCP.dll
[2008/01/28 19:53:02 | 006,701,056 | ---- | C] () -- C:\Windows\System32\FaceHI.dll
[2008/01/28 19:53:02 | 000,995,328 | ---- | C] () -- C:\Windows\System32\FaceRec.dll
[2008/01/28 19:53:02 | 000,126,976 | ---- | C] () -- C:\Windows\System32\SmartFaceVCtrl.dll
[2008/01/28 19:52:28 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IppLib.dll
[2007/12/21 19:46:32 | 000,118,784 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/11/10 08:08:50 | 000,024,064 | ---- | C] () -- C:\Windows\System32\drivers\ATITool.sys
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 003,772,904 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,598,588 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,102,194 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 12:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/07/23 00:30:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 784 bytes -> C:\Windows\884470985:906709195.exe

< End of report >
  • 0

Advertisements

#2
Daclivont
Posted 24 September 2011 - 09:03 PM

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
And here is the Extras log from OTL:


OTL Extras logfile created on: 9/24/2011 9:45:40 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = F:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19120)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 2.35 Gb Available Physical Memory | 81.82% Memory free
5.95 Gb Paging File | 5.59 Gb Available in Paging File | 94.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 107.50 Gb Free Space | 58.16% Space Free | Partition Type: NTFS
Drive F: | 3.73 Gb Total Space | 3.51 Gb Free Space | 94.05% Space Free | Partition Type: FAT32

Computer Name: LOVYNA-PC | User Name: Lovyna | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- ()


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{A3A4721F-BE5F-474C-A93C-198C277FA9F1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{D9EA707F-F813-452B-BE74-176793365C63}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{F1580E65-45E8-454D-B4CA-13ED1672E7AC}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1A99E1DC-1D79-4087-97E2-8D3488419D53}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{1FE144A0-CF7E-4600-8502-557BB1C76958}" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"{25355C04-5610-4559-9C75-E55AF5F16E1F}" = protocol=17 | dir=in | app=c:\nexon\dragonnest\dragonnest.exe |
"{336F459C-DD0C-47FB-B671-E96E07F75E4A}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{49329B9E-8558-4AE2-8C88-4348587AEEA7}" = protocol=6 | dir=in | app=c:\nexon\dragonnest\dragonnest.exe |
"{548C2620-C10C-4F68-929D-201941E2123C}" = protocol=6 | dir=in | app=c:\nexon\dragonnest\dragonnest.exe |
"{5519375F-7C88-40B2-98D9-91FC8276C938}" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"{702FD9C0-2CB0-4664-89B2-099478065770}" = protocol=17 | dir=in | app=c:\nexon\dragonnest\dragonnest.exe |
"{707EEB27-A9B0-4A0D-AFCB-A78DB8DEE588}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{7DE3F918-8D69-41D4-99C3-88D389826E89}" = dir=in | app=c:\program files\cyberlink\powercinema for toshiba\kernel\dms\clmsservice.exe |
"{806D78B3-015C-4722-9DB5-A35C81FBB93D}" = dir=in | app=c:\program files\cyberlink\powercinema for toshiba\powercinema.exe |
"{83746B81-08E5-4D7C-B92C-71490DB0B799}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{8490E4C0-4E01-47B9-A492-FBA04035FFA9}" = protocol=6 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{88B27F11-CED9-4317-9A2E-E99D2221FE34}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{97F605A1-696C-4D04-9CA5-0BF4750DC9A5}" = dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{D330AA29-AFA5-473D-A2B3-EEBA8FD180C8}" = protocol=17 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"{D65BA80A-4847-49F9-8154-3AAD5008E39B}" = dir=in | app=c:\program files\cyberlink\powercinema for toshiba\pcmservice.exe |
"{DCA8A43A-DE32-453F-A9E9-3AA68B70DDE3}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{E5A432BE-8D07-4FAB-AAA5-71594CA7E939}" = protocol=17 | dir=in | app=c:\program files\pando networks\media booster\pmb.exe |
"{FB9826A3-C8DD-40FC-8CA4-24624870C415}" = dir=in | app=c:\program files\cyberlink\powercinema for toshiba\kernel\dmp\clbrowserengine.exe |
"{FF4926E6-FDC3-462B-8AB4-92B5DFAA2425}" = protocol=6 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"TCP Query User{75397071-B3A0-490D-98C7-376636A2C2CA}C:\program files\steam\steamapps\lovynaa\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\lovynaa\team fortress 2\hl2.exe |
"UDP Query User{47E245B5-28C5-4AD4-A5F6-2384C409F2DD}C:\program files\steam\steamapps\lovynaa\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\lovynaa\team fortress 2\hl2.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{062ABD24-47F8-D865-BCB6-A724A94BC9A5}" = CCC Help Japanese
"{06F2B3DC-74F4-300D-D41A-B21B46101CA2}" = Skins
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0A573F30-FB63-9A85-2E6E-39E1AC5366D0}" = Catalyst Control Center Localization Hungarian
"{0A9F311E-A4B9-4808-1D1C-0B2E7705A735}" = Catalyst Control Center Localization Spanish
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0F15A965-99BA-BC9D-5A00-D7E1E7B2AE7F}" = Catalyst Control Center Localization French
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{14FEF8C7-0EB1-47F2-6A13-D43171D4DFBB}" = Catalyst Control Center Localization Greek
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{1D4D4C5C-6771-A416-0FC9-167F47C4D977}" = Catalyst Control Center Localization Polish
"{1E32C2AB-9722-5F41-7BDE-24B5AFD2BCE6}" = CCC Help Spanish
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{21AEC16B-1C21-81B4-DA88-2235CC1F7E39}" = Catalyst Control Center Localization Japanese
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = CyberLink PowerCinema for TOSHIBA
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
"{288306FF-D5B5-7398-0617-E52F625C6797}" = CCC Help Norwegian
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{2E295B5B-1AD4-4d36-97C2-A316084722CF}" = Python 2.7.2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3521BDBD-D453-5D9F-AA55-44B75D214629}" = Adobe Community Help
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{397AC65E-CB4A-29C2-ACF9-D04444438971}" = Catalyst Control Center Localization Thai
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3B96A467-811C-F9FE-B8D6-3BC952025F44}" = Catalyst Control Center Localization Dutch
"{3BEEC9AD-FA8F-B413-6BBC-8B5DC7C8E08F}" = Catalyst Control Center Localization Portuguese
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{45ECDC05-71AC-6372-2A17-4139B6296F4F}" = ccc-core-static
"{480C3278-56A7-3F05-3829-6DC5D4B0CB06}" = CCC Help Portuguese
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{4CA4D9FC-212C-9F69-E760-DB4BEB34FEB5}" = CCC Help Thai
"{4DE0D937-FEB0-0D89-C8D6-35F600300BD4}" = CCC Help French
"{526B6DD3-0C43-2C13-7DF8-44D20D4E9853}" = CCC Help English
"{544587B1-B057-F0B3-7B19-6898ADBED9AC}" = Catalyst Control Center Localization Czech
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{571C0874-A931-EEFE-E89D-8F912F633B9F}" = CCC Help Danish
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{5D90E53A-BD7C-8F32-9B82-7733D0F0BC8E}" = Adobe Download Assistant
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{63427619-C918-6F3C-7318-11DDA4975241}" = ATI Catalyst Install Manager
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{63A6E9A9-A190-46D4-9430-2DB28654AFD8}" = Norton 360
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{648B4A01-F609-1D4E-556C-0F18B54E9E1C}" = Catalyst Control Center Localization Italian
"{64F18837-72CE-DC38-899C-260AF20F979A}" = CCC Help Swedish
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{69C82DDB-3FBC-EBEC-AE0A-3ABF1F3BD39B}" = CCC Help Polish
"{6C530FF7-F6F2-FD4C-0CFC-49AD3E7244A9}" = Catalyst Control Center Localization Turkish
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6CA2BE46-A562-8CA4-1C33-CC2681B2DDA1}" = CCC Help Finnish
"{6DBBEC03-716B-7954-873A-B782100831C5}" = Catalyst Control Center Graphics Full New
"{70BCBA77-83D9-2075-1F99-69D65C44B422}" = Catalyst Control Center Graphics Full Existing
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}" = TOSHIBA ConfigFree
"{78E6BC53-F765-2629-C028-9F3CD49F70D4}" = CCC Help Chinese Standard
"{7ECE1045-66CB-2A70-7EAE-BE508AF95CF2}" = Catalyst Control Center Graphics Previews Vista
"{81F93FA5-BA87-322F-2166-4D1F0FFE196E}" = CCC Help Greek
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{8376FC56-5456-DFF9-5C36-FAB3DE39F5DF}" = Catalyst Control Center Localization Norwegian
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85B3880D-F0D2-A50C-1464-7EF646A1D21D}" = Catalyst Control Center Localization Danish
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D0957A4-8EE7-E273-0BFC-9B235BEAA41A}" = CCC Help Dutch
"{8D44F868-DA59-B1BF-CC33-58B0AF8E2E39}" = Catalyst Control Center Localization Chinese Traditional
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9158FF30-78D7-40EF-B83E-451AC5334640}" = Adobe Photoshop CS5.1
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A3F65CA-78FA-4749-004B-23743CF642D1}" = Catalyst Control Center Localization Korean
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A5B13934-D1C9-D33B-982E-BB09A19C0F90}" = Catalyst Control Center Localization Finnish
"{A60F4402-4CCE-E695-64C6-F0636ACC347F}" = CCC Help Italian
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A91A0484-8087-A838-9BA6-03374BE3F2CE}" = Catalyst Control Center Localization Russian
"{AA725670-A7B4-D1B0-4EF5-F4B2E418C9F4}" = Catalyst Control Center Localization German
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{ADBE6E56-60E7-7FC3-467A-827987BE09CE}" = Catalyst Control Center Localization Swedish
"{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}" = Atheros Wi-Fi Protected Setup Library
"{B1819DF7-D6B1-27AA-3A3B-6560C348C386}" = Catalyst Control Center Core Implementation
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{B9CD69C2-D14E-C499-C18B-7342E5FE245E}" = Catalyst Control Center Localization Chinese Standard
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D58A1E94-9EEA-4C6E-B9FB-D7C63DC6C941}" = Catalyst Control Center - Branding
"{D8F9F4CB-41A1-CF15-39A2-75F28E0B9991}" = CCC Help Korean
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DDA258BA-57D9-A76C-84CB-F19571A45FC8}" = ccc-utility
"{DF73BEDD-8A09-A6E2-462B-3BDF398BAFB2}" = CCC Help Czech
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{E70A3EE1-067D-8C6C-1C89-9F3A1BA4CF2C}" = Catalyst Control Center Graphics Light
"{E87A8D96-5795-A788-18A2-3BCC20B09E7C}" = CCC Help Chinese Traditional
"{EA2DB6E0-72C5-4ef9-A3A0-E6705F4A6A9E}" = Nexon Game Manager
"{EB295AF7-C2D1-D911-9E62-F288874B96F4}" = CCC Help Turkish
"{EBCD5E4C-F14A-B147-39FE-906F75AC4ACE}" = CCC Help Russian
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA
"{F36D6137-FD4C-1F67-7B2A-815BB05BB825}" = CCC Help German
"{F84C1DC6-4B39-1A34-AD6E-A6EE49A3DD78}" = CCC Help Hungarian
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"7-Zip" = 7-Zip 9.20
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"ATITool" = ATITool Overclocking Utility
"avast" = avast! Free Antivirus
"BitTorrent" = BitTorrent
"BitTorrentBar Toolbar" = BitTorrentBar Toolbar
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.downloadassistant.AdobeDownloadAssistant" = Adobe Download Assistant
"conduitEngine" = Conduit Engine
"DragonNest" = DragonNest
"File Shredder_is1" = File Shredder 2.0
"InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = CyberLink PowerCinema for TOSHIBA
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"InstallShield_{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 6.0.2 (x86 en-US)" = Mozilla Firefox 6.0.2 (x86 en-US)
"Picasa2" = Picasa 2
"PROHYBRIDR" = 2007 Microsoft Office system
"Steam App 440" = Team Fortress 2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"VirtualCloneDrive" = VirtualCloneDrive
"WildTangent toshiba Master Uninstall" = TOSHIBA Games
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"WinGimp-2.0_is1" = GIMP 2.6.11

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/24/2011 7:59:10 PM | Computer Name = Lovyna-PC | Source = WinMgmt | ID = 10
Description =

Error - 9/24/2011 8:06:43 PM | Computer Name = Lovyna-PC | Source = WinMgmt | ID = 10
Description =

Error - 9/24/2011 8:07:12 PM | Computer Name = Lovyna-PC | Source = EventSystem | ID = 4609
Description =

Error - 9/24/2011 8:13:29 PM | Computer Name = Lovyna-PC | Source = Application Error | ID = 1000
Description = Faulting application 906709195.exe, version 0.0.0.0, time stamp 0x4e43a3a4,
faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code
0xc0000005, fault offset 0x000002c8, process id 0x6a4, application start time 0x01cc7b17f3db0833.

Error - 9/24/2011 8:14:58 PM | Computer Name = Lovyna-PC | Source = WinMgmt | ID = 10
Description =

Error - 9/24/2011 8:17:04 PM | Computer Name = Lovyna-PC | Source = Application Error | ID = 1000
Description = Faulting application 906709195.exe, version 0.0.0.0, time stamp 0x4e43a3a4,
faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code
0xc0000005, fault offset 0x000002c8, process id 0x6c4, application start time 0x01cc7b18717cfd65.

Error - 9/24/2011 8:18:29 PM | Computer Name = Lovyna-PC | Source = WinMgmt | ID = 10
Description =

Error - 9/24/2011 8:21:37 PM | Computer Name = Lovyna-PC | Source = EventSystem | ID = 4609
Description =

Error - 9/24/2011 8:21:58 PM | Computer Name = Lovyna-PC | Source = WinMgmt | ID = 10
Description =

Error - 9/24/2011 8:22:36 PM | Computer Name = Lovyna-PC | Source = System Restore | ID = 8193
Description =

[ System Events ]
Error - 7/19/2011 2:46:31 PM | Computer Name = Lovyna-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 7/19/2011 2:46:38 PM | Computer Name = Lovyna-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 7/19/2011 2:46:38 PM | Computer Name = Lovyna-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 7/19/2011 2:46:38 PM | Computer Name = Lovyna-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 7/19/2011 2:46:38 PM | Computer Name = Lovyna-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 7/19/2011 2:46:38 PM | Computer Name = Lovyna-PC | Source = Microsoft-Windows-Servicing | ID = 4375
Description =

Error - 7/19/2011 2:48:56 PM | Computer Name = Lovyna-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 7/19/2011 2:48:57 PM | Computer Name = Lovyna-PC | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 7/19/2011 3:17:09 PM | Computer Name = Lovyna-PC | Source = DCOM | ID = 10010
Description =

Error - 7/20/2011 11:43:12 AM | Computer Name = Lovyna-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 9:38:24 PM on 7/19/2011 was unexpected.


< End of report >
  • 0

#3
SweetTech
Posted 25 September 2011 - 10:59 AM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :unsure:

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days     failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

It looks like you're infected with a pretty nasty infection called ZeroAccess.

Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
:Processes
KILLALLPROCESSES
:OTL
PRC - File not found -- C:\Windows\884470985:906709195.exe
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:49758
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53596
FF - prefs.js..network.proxy.type: 0
O4 - HKLM..\Run: [conhost] C:\Users\Lovyna\AppData\Roaming\Microsoft\conhost.exe ()
O4 - HKLM..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe" File not found
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] C:\Windows\is-BV8GL.exe ()
F3 - HKCU WinNT: Load - (C:\Users\Lovyna\AppData\Local\Temp\csrss.exe) -C:\Users\Lovyna\AppData\Local\Temp\csrss.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O20 - HKCU Winlogon: Shell - (C:\Users\Lovyna\AppData\Roaming\dwm.exe) -C:\Users\Lovyna\AppData\Roaming\dwm.exe ()
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell - "" = AutoRun
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\AutoRun\command - "" = E:\autorun.exe
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\directx\command - "" = E:\DirectX9\dxsetup.exe
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\setup\command - "" = E:\setup.exe
[2011/09/24 21:37:23 | 000,457,728 | ---- | C] (NetPlay Software) -- C:\ProgramData\AbEVEEVRbhjjV.exe
[2011/09/24 21:18:32 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\dsfgkjszhgdf
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011/09/24 21:39:21 | 000,000,000 | ---- | M] () -- C:\Windows\884470985
[2011/09/24 21:37:00 | 000,457,728 | ---- | M] (NetPlay Software) -- C:\ProgramData\AbEVEEVRbhjjV.exe
[2011/09/24 20:24:58 | 000,709,968 | ---- | M] () -- C:\Windows\is-BV8GL.exe
[2011/09/24 20:24:58 | 000,010,498 | ---- | M] () -- C:\Windows\is-BV8GL.msg
[2011/09/24 20:24:58 | 000,000,381 | ---- | M] () -- C:\Windows\is-BV8GL.lst
[2011/09/24 19:31:01 | 000,007,764 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\B66E.09A
[2011/09/24 15:06:58 | 000,187,904 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\dwm.exe
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011/09/24 21:39:21 | 000,000,000 | ---- | C] () -- C:\Windows\884470985
[2011/09/24 20:24:58 | 000,709,968 | ---- | C] () -- C:\Windows\is-BV8GL.exe
[2011/09/24 20:24:58 | 000,010,498 | ---- | C] () -- C:\Windows\is-BV8GL.msg
[2011/09/24 20:24:58 | 000,000,381 | ---- | C] () -- C:\Windows\is-BV8GL.lst
[2011/09/24 15:06:58 | 000,187,904 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\dwm.exe
[2011/09/23 17:17:25 | 000,007,764 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\B66E.09A
@Alternate Data Stream - 784 bytes -> C:\Windows\884470985:906709195.exe

:Reg

:Files
echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.
  • 0

#4
Daclivont
Posted 25 September 2011 - 12:04 PM

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
It seems quite intent on staying right where it is. :)

If I try running the OTL fix when booted normally I get a nice pleasant BSOD. And, If I run it in safe mode OTL just locks up and stops responding.

And, just wondering what are the chances of this infecting the other machines on the network or jumping with the flash drive I used to get OTL on the PC?
  • 0

#5
SweetTech
Posted 25 September 2011 - 09:52 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

And, just wondering what are the chances of this infecting the other machines on the network or jumping with the flash drive I used to get OTL on the PC?

In all honesty, it's really difficult to say as this infection is a bit of a wild beast, so it tends to have a mind of it's own.

If I try running the OTL fix when booted normally I get a nice pleasant BSOD. And, If I run it in safe mode OTL just locks up and stops responding.

Okay. I'm going to give you a new OTL script to attempt to run.

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
:Processes
KILLALLPROCESSES
:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:49758
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53596
FF - prefs.js..network.proxy.type: 0
O4 - HKLM..\Run: [conhost] C:\Users\Lovyna\AppData\Roaming\Microsoft\conhost.exe ()
O4 - HKLM..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe" File not found
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] C:\Windows\is-BV8GL.exe ()
F3 - HKCU WinNT: Load - (C:\Users\Lovyna\AppData\Local\Temp\csrss.exe) -C:\Users\Lovyna\AppData\Local\Temp\csrss.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O20 - HKCU Winlogon: Shell - (C:\Users\Lovyna\AppData\Roaming\dwm.exe) -C:\Users\Lovyna\AppData\Roaming\dwm.exe ()
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell - "" = AutoRun
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\AutoRun\command - "" = E:\autorun.exe
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\directx\command - "" = E:\DirectX9\dxsetup.exe
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\setup\command - "" = E:\setup.exe
[2011/09/24 21:37:23 | 000,457,728 | ---- | C] (NetPlay Software) -- C:\ProgramData\AbEVEEVRbhjjV.exe
[2011/09/24 21:18:32 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\dsfgkjszhgdf
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011/09/24 21:37:00 | 000,457,728 | ---- | M] (NetPlay Software) -- C:\ProgramData\AbEVEEVRbhjjV.exe
[2011/09/24 20:24:58 | 000,709,968 | ---- | M] () -- C:\Windows\is-BV8GL.exe
[2011/09/24 20:24:58 | 000,010,498 | ---- | M] () -- C:\Windows\is-BV8GL.msg
[2011/09/24 20:24:58 | 000,000,381 | ---- | M] () -- C:\Windows\is-BV8GL.lst
[2011/09/24 19:31:01 | 000,007,764 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\B66E.09A
[2011/09/24 15:06:58 | 000,187,904 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\dwm.exe
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011/09/24 20:24:58 | 000,709,968 | ---- | C] () -- C:\Windows\is-BV8GL.exe
[2011/09/24 20:24:58 | 000,010,498 | ---- | C] () -- C:\Windows\is-BV8GL.msg
[2011/09/24 20:24:58 | 000,000,381 | ---- | C] () -- C:\Windows\is-BV8GL.lst
[2011/09/24 15:06:58 | 000,187,904 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\dwm.exe
[2011/09/23 17:17:25 | 000,007,764 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\B66E.09A
:Reg

:Files
echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



If the above script still won't run, please attempt to run this utility for me:

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.
  • 0

#6
Daclivont
Posted 25 September 2011 - 10:58 PM

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
It managed to get through the whole OTL fix. Then BSOD on reboot. Then got it started again in safemode, but, part way through the gmer scan it stopped it and now is blocking it saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." It also added a small icon in the lower left of the GMER icon that looks like the User accounts icon.

And 884470985:904709195.exe is back in the processes.


Here's the OTL log:

OTL logfile created on: 9/24/2011 9:58:44 PM - Run 2
OTL by OldTimer - Version 3.2.29.1 Folder = F:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19120)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 2.38 Gb Available Physical Memory | 82.87% Memory free
5.95 Gb Paging File | 5.62 Gb Available in Paging File | 94.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 107.45 Gb Free Space | 58.13% Space Free | Partition Type: NTFS
Drive F: | 3.73 Gb Total Space | 3.51 Gb Free Space | 94.05% Space Free | Partition Type: FAT32

Computer Name: LOVYNA-PC | User Name: Lovyna | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\Windows\884470985:906709195.exe
PRC - [2011/09/24 21:44:34 | 000,582,656 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2009/04/10 23:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2009/04/10 23:28:24 | 000,223,232 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
SRV - [2011/09/06 15:45:28 | 000,044,768 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/07/25 19:48:28 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/07/03 09:57:59 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2008/01/21 18:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/17 18:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/12/25 16:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Stopped] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2007/12/03 19:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/30 02:35:40 | 000,937,984 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () [Auto | Stopped] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/09/28 19:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Stopped] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/09/24 20:38:00 | 000,181,784 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [Auto | Stopped] -- C:\Toshiba\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Stopped] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - [2011/09/06 15:38:05 | 000,442,200 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/09/06 15:37:53 | 000,320,856 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/09/06 15:36:38 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/09/06 15:36:36 | 000,052,568 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/09/06 15:36:26 | 000,054,616 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2011/09/06 15:36:12 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/09/02 03:09:24 | 000,176,128 | ---- | M] (Realtek ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009/04/10 22:06:28 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
DRV - [2008/07/29 05:05:04 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/01/21 17:42:24 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2008/01/20 21:23:21 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/12/17 13:45:20 | 000,018,432 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/11/09 16:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/08/31 19:43:32 | 000,020,352 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2007/07/28 00:36:40 | 002,929,664 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/03/22 01:02:04 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/02/24 17:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/01/23 19:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/28 17:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 17:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/10 08:08:50 | 000,024,064 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\System32\drivers\ATITool.sys -- (ATITool)
DRV - [2006/11/09 01:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/11/09 01:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2006/10/30 12:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)
DRV - [2006/10/23 19:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 14:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:49758

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://mysbu.sbuniv...on=0&formdir=3"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53596
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/09/24 20:22:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/07 21:14:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/06/29 16:08:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Extensions
[2011/09/24 14:54:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions
[2011/09/03 01:18:49 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2011/09/24 14:54:26 | 000,000,000 | ---D | M] (BitTorrentBar Community Toolbar) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
[2011/07/08 21:24:38 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/09/07 21:14:56 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/07/03 08:49:49 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\extensions\[email protected]
[2011/09/01 19:13:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/01 19:13:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/09/24 20:22:50 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\7HPKN9SU.DEFAULT\EXTENSIONS\{AE93811A-5C9A-4D34-8462-F7B864FC4696}.XPI
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\7HPKN9SU.DEFAULT\EXTENSIONS\{DCBD1271-D228-4082-9FBC-36D9B7660B03}.XPI
() (No name found) -- C:\USERS\LOVYNA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\7HPKN9SU.DEFAULT\EXTENSIONS\[email protected]
[2011/07/04 03:08:16 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/09/07 21:14:24 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========


Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (BitTorrentBar Toolbar) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (BitTorrentBar Toolbar) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files\BitTorrentBar\prxtbBitT.dll (Conduit Ltd.)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe ()
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [conhost] C:\Users\Lovyna\AppData\Roaming\Microsoft\conhost.exe ()
O4 - HKLM..\Run: [HSON] C:\Program Files\Toshiba\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [jswtrayutil] "C:\Program Files\Jumpstart\jswtrayutil.exe" File not found
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [PCMAgent] C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Microsoft Update] C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe (Apple Inc.)
O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] C:\Windows\is-BV8GL.exe ()
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Users\Lovyna\Desktop\dsfgkjszhgdf\Malwa\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
F3 - HKCU WinNT: Load - (C:\Users\Lovyna\AppData\Local\Temp\csrss.exe) -C:\Users\Lovyna\AppData\Local\Temp\csrss.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\System32\winrnr.dll File not found
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.254.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{662D9419-05B0-444A-B459-569214287EA8}: DhcpNameServer = 192.168.254.254
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Users\Lovyna\AppData\Roaming\dwm.exe) -C:\Users\Lovyna\AppData\Roaming\dwm.exe ()
O24 - Desktop WallPaper: C:\Users\Lovyna\Desktop\Photos\Jenn's stuff\Sleep-With-A-Teddy-Bear.jpg
O24 - Desktop BackupWallPaper: C:\Users\Lovyna\Desktop\Photos\Jenn's stuff\Sleep-With-A-Teddy-Bear.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell - "" = AutoRun
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\AutoRun\command - "" = E:\autorun.exe
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\directx\command - "" = E:\DirectX9\dxsetup.exe
O33 - MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\Shell\setup\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/24 21:37:23 | 000,457,728 | ---- | C] (NetPlay Software) -- C:\ProgramData\AbEVEEVRbhjjV.exe
[2011/09/24 21:18:32 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\dsfgkjszhgdf
[2011/09/24 20:23:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2011/09/24 20:23:12 | 000,320,856 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/09/24 20:23:12 | 000,020,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/09/24 19:58:44 | 000,034,392 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/09/24 19:58:42 | 000,052,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/09/24 19:39:24 | 000,442,200 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/09/24 19:39:23 | 000,054,616 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/09/24 19:38:55 | 000,199,304 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/09/24 19:38:55 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/09/24 19:11:49 | 000,000,000 | -H-D | C] -- C:\Windows\PIF
[2011/09/24 17:18:54 | 000,098,304 | ---- | C] (Apple Inc.) -- C:\ProgramData\KeyboardBackupPolicy.dll
[2011/09/12 14:51:18 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Documents\My Games
[2011/09/12 14:40:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Games
[2011/09/12 14:40:16 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_25.dll
[2011/09/12 14:05:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Elaborate Bytes
[2011/09/12 14:05:16 | 000,000,000 | ---D | C] -- C:\Program Files\Elaborate Bytes
[2011/09/08 19:02:34 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\TOSHIBA
[2011/09/07 16:52:31 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/09/01 19:21:45 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\AppData\Roaming\OpenOffice.org
[2011/09/01 19:15:37 | 000,000,000 | --SD | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.3
[2011/09/01 19:14:30 | 000,000,000 | ---D | C] -- C:\Program Files\OpenOffice.org 3
[2011/09/01 19:13:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2011/09/01 19:13:21 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/09/01 19:13:21 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/09/01 19:13:20 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/09/01 19:13:20 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/09/01 19:09:56 | 000,000,000 | ---D | C] -- C:\Users\Lovyna\Desktop\OpenOffice.org 3.3 (en-US) Installation Files
[2011/08/27 23:59:21 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/24 21:39:32 | 003,772,904 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/09/24 21:39:21 | 000,000,000 | ---- | M] () -- C:\Windows\884470985
[2011/09/24 21:39:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/09/24 21:37:00 | 000,457,728 | ---- | M] (NetPlay Software) -- C:\ProgramData\AbEVEEVRbhjjV.exe
[2011/09/24 21:24:02 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/09/24 21:05:24 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/24 21:05:24 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/24 20:24:58 | 000,709,968 | ---- | M] () -- C:\Windows\is-BV8GL.exe
[2011/09/24 20:24:58 | 000,010,498 | ---- | M] () -- C:\Windows\is-BV8GL.msg
[2011/09/24 20:24:58 | 000,000,381 | ---- | M] () -- C:\Windows\is-BV8GL.lst
[2011/09/24 20:23:13 | 000,001,840 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/09/24 20:23:07 | 000,000,000 | ---- | M] () -- C:\Windows\System32\config.nt
[2011/09/24 19:31:01 | 000,007,764 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\B66E.09A
[2011/09/24 17:18:53 | 000,098,304 | ---- | M] (Apple Inc.) -- C:\ProgramData\KeyboardBackupPolicy.dll
[2011/09/24 15:06:58 | 000,187,904 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\dwm.exe
[2011/09/19 18:03:04 | 103,759,888 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/09/12 14:40:19 | 000,002,019 | ---- | M] () -- C:\Users\Public\Desktop\Fable - The Lost Chapters.lnk
[2011/09/12 14:09:17 | 000,598,588 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/09/12 14:09:17 | 000,102,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/09/12 14:05:49 | 000,001,054 | ---- | M] () -- C:\Users\Public\Desktop\Virtual CloneDrive.lnk
[2011/09/06 15:45:29 | 000,199,304 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[2011/09/06 15:45:29 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/09/06 15:38:05 | 000,442,200 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2011/09/06 15:37:53 | 000,320,856 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2011/09/06 15:36:38 | 000,034,392 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2011/09/06 15:36:36 | 000,052,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2011/09/06 15:36:26 | 000,054,616 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2011/09/06 15:36:12 | 000,020,568 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/09/01 19:22:06 | 000,001,039 | ---- | M] () -- C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
[2011/09/01 19:15:38 | 000,000,985 | ---- | M] () -- C:\Users\Public\Desktop\OpenOffice.org 3.3.lnk
[2011/09/01 19:12:57 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/09/01 19:12:57 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/09/01 19:12:57 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/09/01 19:12:57 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/08/26 20:45:26 | 2316,290,048 | ---- | M] () -- C:\Users\Lovyna\Desktop\Fable The Lost Chapters.iso
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/24 21:39:21 | 000,000,000 | ---- | C] () -- C:\Windows\884470985
[2011/09/24 20:24:58 | 000,709,968 | ---- | C] () -- C:\Windows\is-BV8GL.exe
[2011/09/24 20:24:58 | 000,010,498 | ---- | C] () -- C:\Windows\is-BV8GL.msg
[2011/09/24 20:24:58 | 000,000,381 | ---- | C] () -- C:\Windows\is-BV8GL.lst
[2011/09/24 20:23:13 | 000,001,840 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/09/24 15:06:58 | 000,187,904 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\dwm.exe
[2011/09/23 17:17:25 | 000,007,764 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\B66E.09A
[2011/09/12 14:40:19 | 000,002,019 | ---- | C] () -- C:\Users\Public\Desktop\Fable - The Lost Chapters.lnk
[2011/09/12 14:27:17 | 2316,290,048 | ---- | C] () -- C:\Users\Lovyna\Desktop\Fable The Lost Chapters.iso
[2011/09/12 14:05:49 | 000,001,054 | ---- | C] () -- C:\Users\Public\Desktop\Virtual CloneDrive.lnk
[2011/09/01 19:22:06 | 000,001,039 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
[2011/09/01 19:15:38 | 000,000,985 | ---- | C] () -- C:\Users\Public\Desktop\OpenOffice.org 3.3.lnk
[2011/08/03 14:54:51 | 000,008,351 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\PStrip.bko
[2011/08/03 14:19:59 | 000,009,591 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\PStrip.bk!
[2011/08/03 14:19:53 | 000,009,568 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\PStrip.bak
[2011/08/03 14:18:03 | 000,009,591 | ---- | C] () -- C:\Users\Lovyna\AppData\Roaming\PStrip.ini
[2011/08/03 14:15:48 | 000,000,063 | ---- | C] () -- C:\Windows\wininit.ini
[2011/07/06 20:37:19 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/07/06 20:36:50 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/07/06 20:36:50 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/07/06 19:51:08 | 000,000,680 | ---- | C] () -- C:\Users\Lovyna\AppData\Local\d3d9caps.dat
[2011/07/02 19:24:38 | 000,008,704 | ---- | C] () -- C:\Users\Lovyna\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/29 18:08:49 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2011/06/29 18:08:49 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2011/06/29 18:08:49 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2011/06/29 18:08:49 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2011/06/29 17:55:29 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2011/06/29 17:55:29 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2011/06/29 17:55:29 | 000,144,773 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011/06/29 15:51:37 | 000,000,067 | ---- | C] () -- C:\Windows\swupdate.INI
[2011/06/29 15:35:52 | 000,000,016 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2011/06/29 15:35:51 | 000,000,007 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2009/03/05 06:54:58 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2008/02/13 01:34:21 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/02/13 01:00:09 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/02/13 01:00:09 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/02/13 01:00:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/02/13 01:00:09 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/02/13 01:00:09 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/02/13 01:00:09 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008/02/13 00:38:47 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/02/13 00:35:26 | 000,000,852 | ---- | C] () -- C:\Windows\System32\drivers\RTKHDRC1.dat
[2008/02/13 00:35:26 | 000,000,852 | ---- | C] () -- C:\Windows\System32\drivers\RTKHDRC0.dat
[2008/02/13 00:35:26 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX1.dat
[2008/02/13 00:35:26 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
[2008/02/13 00:35:26 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2008/02/13 00:35:26 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008/02/13 00:12:13 | 000,157,040 | ---- | C] () -- C:\Windows\fdbpinger.exe
[2008/01/28 20:01:42 | 000,057,344 | ---- | C] () -- C:\Windows\System32\SmartFaceVCapt.dll
[2008/01/28 20:01:06 | 000,471,040 | ---- | C] () -- C:\Windows\System32\SmartFaceVCP.dll
[2008/01/28 19:53:02 | 006,701,056 | ---- | C] () -- C:\Windows\System32\FaceHI.dll
[2008/01/28 19:53:02 | 000,995,328 | ---- | C] () -- C:\Windows\System32\FaceRec.dll
[2008/01/28 19:53:02 | 000,126,976 | ---- | C] () -- C:\Windows\System32\SmartFaceVCtrl.dll
[2008/01/28 19:52:28 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IppLib.dll
[2007/12/21 19:46:32 | 000,118,784 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/11/10 08:08:50 | 000,024,064 | ---- | C] () -- C:\Windows\System32\drivers\ATITool.sys
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 003,772,904 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,598,588 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,102,194 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 12:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/07/23 00:30:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 784 bytes -> C:\Windows\884470985:906709195.exe

< End of report >

Edited by Daclivont, 25 September 2011 - 11:33 PM.

  • 0

#7
SweetTech
Posted 26 September 2011 - 09:58 AM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
HI!

Please look here for the OTL fix log:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

  • 0

#8
Daclivont
Posted 26 September 2011 - 11:16 AM

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
Didn't realize the it pasted the old one >.< sorry


All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 53596 removed from network.proxy.http_port
Prefs.js: 0 removed from network.proxy.type
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\conhost not found.
File C:\Users\Lovyna\AppData\Roaming\Microsoft\conhost.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\jswtrayutil not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NDSTray.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\InnoSetupRegFile.0000000001 not found.
File C:\Windows\is-BV8GL.exe not found.
File \Users\Lovyna\AppData\Local\Temp\csrss.exe) -C:\Users\Lovyna\AppData\Local\Temp\csrss.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Load:C:\Users\Lovyna\AppData\Local\Temp\csrss.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Users\Lovyna\AppData\Roaming\dwm.exe deleted successfully.
File \Users\Lovyna\AppData\Roaming\dwm.exe) -C:\Users\Lovyna\AppData\Roaming\dwm.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\ not found.
File E:\autorun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\ not found.
File E:\DirectX9\dxsetup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{266e9f10-dd6d-11e0-9cd2-001e3357ba98}\ not found.
File E:\setup.exe not found.
File C:\ProgramData\AbEVEEVRbhjjV.exe not found.
C:\Users\Lovyna\Desktop\dsfgkjszhgdf\Malwa folder moved successfully.
C:\Users\Lovyna\Desktop\dsfgkjszhgdf folder moved successfully.
C:\Windows\System32\ConduitEngine.tmp deleted successfully.
C:\Windows\msdownld.tmp folder deleted successfully.
File C:\ProgramData\AbEVEEVRbhjjV.exe not found.
File C:\Windows\is-BV8GL.exe not found.
File C:\Windows\is-BV8GL.msg not found.
File C:\Windows\is-BV8GL.lst not found.
C:\Users\Lovyna\AppData\Roaming\B66E.09A moved successfully.
C:\Users\Lovyna\AppData\Roaming\dwm.exe moved successfully.
File C:\Windows\is-BV8GL.exe not found.
File C:\Windows\is-BV8GL.msg not found.
File C:\Windows\is-BV8GL.lst not found.
File C:\Users\Lovyna\AppData\Roaming\dwm.exe not found.
File C:\Users\Lovyna\AppData\Roaming\B66E.09A not found.
========== REGISTRY ==========
========== FILES ==========
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?
C:\Users\Lovyna\Desktop\cmd.bat deleted successfully.
C:\Users\Lovyna\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
C:\Users\Lovyna\Desktop\cmd.bat deleted successfully.
C:\Users\Lovyna\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 59131 bytes
->Temporary Internet Files folder emptied: 414088 bytes
->FireFox cache emptied: 107464652 bytes
->Flash cache emptied: 57233 bytes

User: Lovyna
->Temp folder emptied: 355196760 bytes
->Temporary Internet Files folder emptied: 29523775 bytes
->Java cache emptied: 522721 bytes
->FireFox cache emptied: 48922445 bytes
->Flash cache emptied: 57624 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 48063796 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1088502 bytes

Total Files Cleaned = 564.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Guest
->Flash cache emptied: 0 bytes

User: Lovyna
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.29.1 log created on 09252011_235659

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




















And there's this one too:

Files\Folders moved on Reboot...
Folder move failed. C:\Users\Lovyna\Desktop\dsfgkjszhgdf\Malwa scheduled to be moved on reboot.

Registry entries deleted on Reboot...
  • 0

#9
SweetTech
Posted 26 September 2011 - 11:35 AM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
No worries, it happens sometimes.

Were you able to attempt the ComboFix instructions yet?
  • 0

#10
Daclivont
Posted 26 September 2011 - 11:40 AM

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
It's running right now.
  • 0

Advertisements

#11
SweetTech
Posted 26 September 2011 - 11:44 AM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
:)
  • 0

#12
Daclivont
Posted 26 September 2011 - 06:35 PM

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
And the long awaited ComboFix log:

ComboFix 11-09-26.01 - Lovyna 09/26/2011 19:12:22.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2941.2520 [GMT -5:00]
Running from: c:\users\Lovyna\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\KeyboardBackupPolicy.dll
c:\windows\$NtUninstallKB33087$
c:\windows\$NtUninstallKB33087$\1906216074
c:\windows\$NtUninstallKB33087$\3388258100\@
c:\windows\$NtUninstallKB33087$\3388258100\bckfg.tmp
c:\windows\$NtUninstallKB33087$\3388258100\cfg.ini
c:\windows\$NtUninstallKB33087$\3388258100\Desktop.ini
c:\windows\$NtUninstallKB33087$\3388258100\keywords
c:\windows\$NtUninstallKB33087$\3388258100\kwrd.dll
c:\windows\$NtUninstallKB33087$\3388258100\L\qnbwvoto
c:\windows\$NtUninstallKB33087$\3388258100\lsflt7.ver
c:\windows\$NtUninstallKB33087$\3388258100\U\00000001.@
c:\windows\$NtUninstallKB33087$\3388258100\U\00000002.@
c:\windows\$NtUninstallKB33087$\3388258100\U\80000000.@
c:\windows\$NtUninstallKB33087$\3388258100\U\80000032.@
c:\windows\system32\no
c:\windows\system32\no\toscdspd.cpl.mui
c:\windows\system32\spsys.log
c:\windows\system32\SV
c:\windows\system32\SV\toscdspd.cpl.mui
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_c9f4b734
.
.
((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))
.
.
2011-09-27 00:24 . 2011-09-27 00:24 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{458DA72F-F9A9-48D3-8F9E-2A624EF30CB7}\offreg.dll
2011-09-25 17:53 . 2011-09-25 17:53 -------- d-----w- C:\_OTL
2011-09-25 01:23 . 2011-09-06 20:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-25 01:23 . 2011-09-06 20:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-25 00:58 . 2011-09-06 20:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-25 00:58 . 2011-09-06 20:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-25 00:39 . 2011-09-06 20:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-25 00:39 . 2011-09-06 20:36 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-09-25 00:38 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
2011-09-25 00:38 . 2011-09-06 20:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-25 00:11 . 2011-09-25 00:11 -------- d--h--w- c:\windows\PIF
2011-09-23 22:28 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{458DA72F-F9A9-48D3-8F9E-2A624EF30CB7}\mpengine.dll
2011-09-12 19:05 . 2011-09-12 19:05 -------- d-----w- c:\program files\Elaborate Bytes
2011-09-09 00:02 . 2011-09-09 00:02 -------- d-----w- c:\users\Lovyna\AppData\Roaming\TOSHIBA
2011-09-07 21:52 . 2011-09-07 21:52 -------- d-----w- c:\windows\Sun
2011-09-02 00:21 . 2011-09-02 00:21 -------- d-----w- c:\users\Lovyna\AppData\Roaming\OpenOffice.org
2011-09-02 00:14 . 2011-09-02 00:14 -------- d-----w- c:\program files\OpenOffice.org 3
2011-09-02 00:13 . 2011-09-02 00:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-28 04:59 . 2011-08-28 04:59 -------- d-----w- c:\programdata\WindowsSearch
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-25 02:24 . 2011-07-07 01:02 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 22:00 . 2011-07-07 01:02 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-12 20:58 . 2011-06-30 00:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-23 11:04 . 2011-08-11 00:17 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00 . 2011-08-11 00:17 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59 . 2011-08-11 00:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59 . 2011-08-11 00:17 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59 . 2011-08-11 00:17 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03 . 2011-08-11 00:17 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27 . 2011-08-11 00:17 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25 . 2011-08-11 00:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-11 13:25 . 2011-08-25 02:27 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 15:31 . 2011-08-11 00:17 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-29 23:00 . 2008-02-13 05:35 319456 ----a-w- c:\windows\DIFxAPI.dll
2011-06-29 20:35 . 2011-06-29 20:35 16 --sh--r- c:\windows\system32\drivers\fbd.sys
2011-06-29 20:35 . 2011-06-29 20:35 7 --sh--r- c:\windows\system32\drivers\taishop.sys
2011-09-08 02:14 . 2011-06-29 21:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-03-28 16:22 176936 ----a-w- c:\program files\BitTorrentBar\prxtbBitT.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"= "c:\program files\BitTorrentBar\prxtbBitT.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-30 4911104]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-02-14 184320]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OTL"="c:\users\Lovyna\Desktop\OTL.exe" [2011-09-25 582656]
.
c:\users\Lovyna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-10-26 00:41 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2011-07-26 18:33 3077528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-08-02 16:18 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-09-01 20352]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-09-06 54616]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\users\Lovyna\AppData\Roaming\Mozilla\Firefox\Profiles\7hpkn9su.default\
FF - prefs.js: browser.startup.homepage - hxxps://mysbu.sbuniv.edu/CookieAuth.dll?GetLogon?curl=Z2F&reason=0&formdir=3
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port -
FF - prefs.js: network.proxy.type -
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-KeyboardBackupPolicy - c:\programdata\KeyboardBackupPolicy.dll
HKU-Default-Run-AbEVEEVRbhjjV.exe - c:\programdata\AbEVEEVRbhjjV.exe
MSConfigStartUp-conhost - c:\users\Lovyna\AppData\Roaming\Microsoft\conhost.exe
MSConfigStartUp-TOSCDSPD - TOSCDSPD.EXE
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\users\Lovyna\Desktop\dsfgkjszhgdf\Malwa\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-26 19:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1376)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2011-09-26 19:33:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-27 00:33
.
Pre-Run: 115,152,146,432 bytes free
Post-Run: 114,933,202,944 bytes free
.
- - End Of File - - E41D4C0EC7A0C88F0FB39D0012B9270E
  • 0

#13
SweetTech
Posted 26 September 2011 - 09:52 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Good Evening Daclivont!

Glad to hear you were able to run ComboFix. It looks like it was able to run successfully which is a great thing to see!!

We will attempt to run Malwarebytes' Anti-Malware and see if it will now run for us.

MalwareBytes' Anti-Malware Uninstall

Please do the following:

  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
  • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
  • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
    Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or ask and we'll explain how to do it.

NEXT:


Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
  • 0

#14
Daclivont
Posted 26 September 2011 - 11:41 PM

Daclivont

    Member

  • Topic Starter
  • Member
  • PipPip
  • 85 posts
Here's the MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7806

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19120

9/27/2011 12:39:36 AM
mbam-log-2011-09-27 (00-39-36).txt

Scan type: Quick scan
Objects scanned: 185359
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\microsoftupdate\microsoftupdt32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
  • 0

#15
SweetTech
Posted 27 September 2011 - 09:33 AM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Good Afternoon Daclivont!

You're logs are looking better. How are things running?

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP