Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

No Internet after Zeroaccess Removal [Solved]


  • This topic is locked This topic is locked

#1
winvista

winvista

    Member

  • Member
  • PipPip
  • 40 posts
I am running Vista Home Premium SP 2. My computer got infected with the zeroaccess rootkit which infected the TCP/IP stack, and I lost the ability to connect to the internet. I connect directly to the internet through a dial-up modem.

I managed to remove the rootkit with the help of a friend, and many things improved. However, I am still unable to connect to the internet, and nothing I try works (resetting winsock, netsh int ip reset reset.log, etc.). No proxies are set and the internet connection is set up to obtain settings automatically.

Any help would be appreciated because I don't know where to go from here.
  • 0

Advertisements


#2
azarl

azarl

    GeekU Admin

  • Administrator
  • 25,202 posts
Hi

Welcome to Geekstogo. I'll try and help you with this problem.

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.

  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you

Posted Image OTL
  • Download OTL to your Desktop
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe
    %APPDATA%\*.
    /md5start
    atapi.sys
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    csrss.exe
    PrintIsolationHost.exe
    consrv.dll
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.
  • 0

#3
winvista

winvista

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Thanks for the reply. Here are the contents of the OTL.txt file:

OTL logfile created on: 5/26/2012 12:34:38 PM - Run 1
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Users\admin\Desktop\OTL
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 1.90 Gb Available Physical Memory | 69.19% Memory free
5.70 Gb Paging File | 4.93 Gb Available in Paging File | 86.43% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147.58 Gb Total Space | 2.24 Gb Free Space | 1.52% Space Free | Partition Type: NTFS
Drive D: | 3.52 Gb Total Space | 1.91 Gb Free Space | 54.21% Space Free | Partition Type: FAT32

Computer Name: RNT-PC | User Name: admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/25 21:37:04 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL\OTL.exe
PRC - [2012/03/14 17:38:14 | 000,913,752 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
PRC - [2012/03/12 18:59:50 | 000,342,872 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 5\DelayLoad.exe
PRC - [2011/11/14 22:18:45 | 000,386,448 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\ACFXAU32.exe
PRC - [2011/11/14 22:18:44 | 000,124,000 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
PRC - [2011/11/14 22:18:43 | 000,424,928 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
PRC - [2011/11/14 22:18:43 | 000,074,276 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2011/11/14 22:18:37 | 000,038,672 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/04/24 16:03:12 | 000,430,080 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
PRC - [2008/04/17 03:21:24 | 001,056,768 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2008/04/17 03:19:16 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
PRC - [2008/04/08 18:14:50 | 006,037,504 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/10 22:43:26 | 000,138,072 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\ASCv5ExtMenu.dll
MOD - [2008/09/16 21:18:06 | 000,132,608 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2008/04/23 01:05:08 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll
MOD - [2008/02/04 16:29:02 | 000,688,128 | ---- | M] () -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
MOD - [2006/12/11 00:51:08 | 000,077,824 | R--- | M] () -- C:\Program Files\Hp\Digital Imaging\bin\crm\xmltok.dll
MOD - [2006/12/11 00:51:08 | 000,065,536 | R--- | M] () -- C:\Program Files\Hp\Digital Imaging\bin\crm\xmlparse.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WPFFontCache_v0400)
SRV - File not found [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2012/04/30 21:51:00 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/03/14 17:38:14 | 000,913,752 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5)
SRV - [2011/11/14 22:18:45 | 000,386,448 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\drivers\ACFXAU32.exe -- (XAudioService)
SRV - [2011/11/14 22:18:44 | 000,124,000 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2011/11/14 22:18:43 | 000,424,928 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2011/11/14 22:18:43 | 000,074,276 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2011/11/14 22:18:42 | 000,145,128 | ---- | M] () [Auto | Stopped] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2011/11/14 22:18:42 | 000,057,480 | ---- | M] () [Disabled | Stopped] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2011/11/14 22:18:37 | 000,038,672 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2011/05/28 18:56:18 | 000,073,600 | ---- | M] () [Auto | Running] -- C:\Windows\System32\ezGOSvc.dll -- (ezGOSvc)
SRV - [2008/04/16 18:53:00 | 000,954,368 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2008/01/29 13:09:58 | 000,165,416 | ---- | M] (WildTangent, Inc.) [Disabled | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/05/31 18:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 18:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\jeo\AppData\Local\Temp\mfe_rr.sys -- (MFE_RR)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
DRV - File not found [File_System | System | Stopped] -- system32\DRIVERS\klif.sys -- (KLIF)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys -- (IO_Memory)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/07/29 13:54:56 | 000,014,216 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\epmntdrv.sys -- (epmntdrv)
DRV - [2011/07/29 13:54:56 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2011/05/06 14:30:00 | 000,016,472 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\pwdrvio.sys -- (pwdrvio)
DRV - [2011/05/06 14:29:50 | 000,011,104 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\pwdspio.sys -- (pwdspio)
DRV - [2010/06/23 10:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2010/06/09 17:43:52 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\Windows\System32\drivers\kl2.sys -- (kl2)
DRV - [2010/06/09 17:43:50 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\kl1.sys -- (KL1)
DRV - [2009/12/18 12:13:02 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2009/12/18 12:13:00 | 000,230,912 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2009/11/02 20:27:16 | 000,019,984 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/04/11 00:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2008/07/29 06:05:04 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/28 19:59:18 | 000,020,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2008/04/23 03:36:32 | 003,551,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/04/11 00:25:30 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
DRV - [2008/01/18 12:22:00 | 000,009,216 | ---- | M] (Inventec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\PEDRV.SYS -- (SVRPEDRV)
DRV - [2007/12/14 14:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/11/09 17:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/07/10 04:13:38 | 000,028,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ACFDCP32.sys -- (dgcfltr)
DRV - [2007/07/10 04:13:32 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\ACFXAU32.sys -- (XAudio)
DRV - [2007/06/29 06:39:46 | 000,086,656 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ACFVA32.sys -- (acfva)
DRV - [2007/03/15 05:52:34 | 000,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\ACFSDK32.sys -- (mdmxsdk)
DRV - [2006/11/28 18:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 17:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 02:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10I.sys -- (KR10I)
DRV - [2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10N.sys -- (KR10N)
DRV - [2006/10/30 14:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)
DRV - [2002/10/01 15:43:32 | 000,119,798 | ---- | M] (SP) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\spca561.sys -- (CA561)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\..\SearchScopes,DefaultScope = {5413DC04-8E8C-4D0A-B988-D5786D662FD9}
IE - HKLM\..\SearchScopes\{5413DC04-8E8C-4D0A-B988-D5786D662FD9}: "URL" = http://www.google.co...ge={startPage};
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT2117678

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKCU\..\SearchScopes,DefaultScope = {5413DC04-8E8C-4D0A-B988-D5786D662FD9}
IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:466...q={searchTerms}
IE - HKCU\..\SearchScopes\{93462E4E-B91F-4B9A-8184-4E527B169A32}: "URL" = http://us.yhs.search...p={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/15 20:57:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/15 19:06:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/15 20:58:28 | 000,000,000 | ---D | M]

[2012/01/15 02:32:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/17 11:18:47 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/11/15 21:59:53 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]_bak
[2011/12/21 03:24:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009/02/11 15:16:16 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
[2011/02/02 22:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/05/14 01:06:53 | 000,003,766 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2010/08/02 09:27:02 | 000,002,226 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2011/12/21 00:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/21 00:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}

O1 HOSTS File: ([2012/05/25 12:07:27 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {8984B388-A5BB-4DF7-B274-77B879E179DB} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdcBase.exe (Microsoft Corporation)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - Reg Error: Key error. File not found
O9 - Extra Button: ICQ7.4 - {73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - C:\Program Files\ICQ7.4\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.4 - {73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - C:\Program Files\ICQ7.4\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - Reg Error: Key error. File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - (C:\Windows\system32\klogon.dll) - C:\Windows\System32\klogon.dll (Kaspersky Lab ZAO)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

CREATERESTOREPOINT
System Restore Service not available.

========== Files/Folders - Created Within 30 Days ==========

[2012/05/26 12:29:41 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\OTL
[2012/05/25 23:39:40 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\WindowsForUs
[2012/05/25 23:36:55 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinBubble
[2012/05/25 23:36:53 | 000,000,000 | ---D | C] -- C:\Program Files\WinBubble
[2012/05/25 17:19:54 | 000,000,000 | ---D | C] -- C:\Windows\System32\tp
[2012/05/25 16:15:56 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/05/25 16:12:59 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\temp
[2012/05/25 16:12:21 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/05/25 15:28:52 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/05/25 00:31:05 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/05/24 22:11:54 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\log
[2012/05/24 22:11:48 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\TMRBLog
[2012/05/24 21:38:10 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\backups
[2012/05/24 21:31:41 | 008,656,400 | ---- | C] (Trend Micro Inc.) -- C:\Users\admin\Desktop\RootkitBuster_v5_1061.exe
[2012/05/24 21:31:35 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\admin\Desktop\HijackThis.exe
[2012/05/24 15:23:41 | 000,000,000 | ---D | C] -- C:\Users\admin\Pavark
[2012/05/24 11:30:09 | 000,475,712 | ---- | C] (McAfee, Inc.) -- C:\Users\admin\Desktop\rootkitremover.exe
[2012/05/24 02:45:57 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Microsoft Games
[2012/05/23 01:14:44 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Opera
[2012/05/23 01:14:44 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Opera
[2012/05/22 23:33:21 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\vlc
[2012/05/22 23:31:55 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Apple Computer
[2012/05/22 23:21:13 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Malwarebytes
[2012/05/22 23:01:05 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\admin\Desktop\aswMBR.exe
[2012/05/22 23:00:55 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\IObit
[2012/05/22 00:22:43 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/05/20 22:35:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/05/20 19:21:42 | 000,000,000 | ---D | C] -- C:\Program Files\DLLSuite
[2012/05/19 14:34:46 | 000,000,000 | ---D | C] -- C:\Program Files\Dragon Internet
[2012/05/18 23:40:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/05/18 23:40:10 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/05/18 17:50:44 | 000,000,000 | ---D | C] -- C:\Users\admin\AbiSuite
[2012/05/15 15:31:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LocalNet
[2012/05/15 15:31:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\FTL Shared
[2012/05/14 23:54:22 | 000,000,000 | ---D | C] -- C:\Program Files\Qualcomm
[2012/05/14 23:54:22 | 000,000,000 | ---D | C] -- C:\Program Files\Netscape
[2012/05/14 00:52:10 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2012/05/14 00:51:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 5
[2012/05/14 00:51:20 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2012/05/13 17:14:50 | 000,000,000 | ---D | C] -- C:\Windows\TempFA2B2319-FCE2-5246-1C6F-52F8D52354BF-Signatures
[2012/05/13 15:28:45 | 000,000,000 | ---D | C] -- C:\ProgramData\LocalNet
[2012/05/13 00:38:30 | 000,000,000 | ---D | C] -- C:\ProgramData\CheckPoint
[2012/05/12 23:38:36 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedyPC Software
[2012/05/12 22:22:54 | 000,000,000 | ---D | C] -- C:\Program Files\cfos6link
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/26 12:28:00 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/26 12:28:00 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/26 12:27:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/26 12:27:45 | 2950,524,928 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/26 00:36:20 | 000,044,786 | ---- | M] () -- C:\nettcpip.inf
[2012/05/26 00:07:21 | 000,483,240 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/05/26 00:03:14 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/25 23:36:55 | 000,001,595 | ---- | M] () -- C:\Users\admin\Desktop\WinBubbles.lnk
[2012/05/25 18:03:30 | 000,650,240 | ---- | M] () -- C:\Users\admin\Desktop\MicrosoftFixit50203.msi
[2012/05/25 18:03:30 | 000,650,240 | ---- | M] () -- C:\MicrosoftFixit50203.msi
[2012/05/25 17:19:43 | 000,612,040 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/05/25 17:19:43 | 000,106,810 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/05/25 15:32:38 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/05/25 12:07:27 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/05/24 20:53:30 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\admin\Desktop\HijackThis.exe
[2012/05/24 20:49:12 | 008,656,400 | ---- | M] (Trend Micro Inc.) -- C:\Users\admin\Desktop\RootkitBuster_v5_1061.exe
[2012/05/24 16:56:32 | 000,001,042 | ---- | M] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2012/05/24 15:19:26 | 001,020,640 | ---- | M] () -- C:\Users\admin\Desktop\antirootkit.exe
[2012/05/24 00:35:54 | 000,302,592 | ---- | M] () -- C:\Users\admin\Desktop\8n2b1bum.exe
[2012/05/23 23:58:06 | 000,003,070 | ---- | M] () -- C:\Users\admin\Desktop\Attach.zip
[2012/05/23 23:37:49 | 000,000,000 | ---- | M] () -- C:\Users\admin\defogger_reenable
[2012/05/22 23:44:23 | 000,000,512 | ---- | M] () -- C:\Users\admin\Desktop\MBR.dat
[2012/05/22 23:01:33 | 000,000,680 | ---- | M] () -- C:\Users\admin\AppData\Local\d3d9caps.dat
[2012/05/22 22:51:58 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\admin\Desktop\aswMBR.exe
[2012/05/22 21:26:00 | 000,475,712 | ---- | M] (McAfee, Inc.) -- C:\Users\admin\Desktop\rootkitremover.exe
[2012/05/19 14:35:01 | 000,000,614 | ---- | M] () -- C:\Windows\nsreg.dat
[2012/05/18 17:48:13 | 000,000,954 | ---- | M] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/05/18 16:49:15 | 000,148,920 | ---- | M] () -- C:\Windows\hpoins19.dat
[2012/05/18 00:41:24 | 000,000,761 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.bak
[2012/05/14 23:54:22 | 000,000,335 | ---- | M] () -- C:\Windows\mozregistry.dat
[2012/05/14 00:51:51 | 000,001,076 | ---- | M] () -- C:\Users\Public\Desktop\Uninstaller.lnk
[2012/05/14 00:51:51 | 000,001,025 | ---- | M] () -- C:\Users\Public\Desktop\Advanced SystemCare 5.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/26 00:37:45 | 000,044,786 | ---- | C] () -- C:\nettcpip.inf
[2012/05/25 23:36:55 | 000,001,595 | ---- | C] () -- C:\Users\admin\Desktop\WinBubbles.lnk
[2012/05/25 21:16:33 | 000,650,240 | ---- | C] () -- C:\MicrosoftFixit50203.msi
[2012/05/25 21:14:25 | 000,650,240 | ---- | C] () -- C:\Users\admin\Desktop\MicrosoftFixit50203.msi
[2012/05/24 22:09:19 | 2950,524,928 | -HS- | C] () -- C:\hiberfil.sys
[2012/05/24 16:56:32 | 000,001,042 | ---- | C] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2012/05/24 15:23:04 | 001,020,640 | ---- | C] () -- C:\Users\admin\Desktop\antirootkit.exe
[2012/05/24 00:48:45 | 000,302,592 | ---- | C] () -- C:\Users\admin\Desktop\8n2b1bum.exe
[2012/05/23 23:53:52 | 000,003,070 | ---- | C] () -- C:\Users\admin\Desktop\Attach.zip
[2012/05/23 23:37:49 | 000,000,000 | ---- | C] () -- C:\Users\admin\defogger_reenable
[2012/05/22 23:44:23 | 000,000,512 | ---- | C] () -- C:\Users\admin\Desktop\MBR.dat
[2012/05/22 23:01:33 | 000,000,680 | ---- | C] () -- C:\Users\admin\AppData\Local\d3d9caps.dat
[2012/05/22 17:45:19 | 000,001,699 | ---- | C] () -- C:\Windows\Notepad.lnk
[2012/05/18 16:44:48 | 000,001,983 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2012/05/14 23:54:22 | 000,000,335 | ---- | C] () -- C:\Windows\mozregistry.dat
[2012/05/14 00:51:51 | 000,001,076 | ---- | C] () -- C:\Users\Public\Desktop\Uninstaller.lnk
[2012/05/14 00:51:51 | 000,001,025 | ---- | C] () -- C:\Users\Public\Desktop\Advanced SystemCare 5.lnk
[2012/05/13 17:18:13 | 000,001,837 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/04/30 21:51:02 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/01/15 15:46:06 | 000,483,240 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/31 16:57:55 | 000,012,908 | -HS- | C] () -- C:\ProgramData\ara327au0mpx25ws6q613p7wrvbho2wq2awry
[2011/11/21 14:52:35 | 000,118,784 | ---- | C] () -- C:\Windows\ShowBmp.exe
[2011/11/21 14:52:35 | 000,014,385 | ---- | C] () -- C:\Windows\Tw561a.ini
[2011/11/21 14:52:35 | 000,000,081 | ---- | C] () -- C:\Windows\Setup8a.ini
[2011/11/15 21:58:49 | 000,115,369 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat3
[2011/11/15 21:58:49 | 000,097,961 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat3
[2011/11/04 22:57:39 | 002,469,760 | ---- | C] () -- C:\Windows\System32\BootMan.exe
[2011/11/04 22:57:39 | 000,086,408 | ---- | C] () -- C:\Windows\System32\setupempdrv03.exe
[2011/11/04 22:57:39 | 000,019,840 | ---- | C] () -- C:\Windows\System32\EuEpmGdi.dll
[2011/11/04 22:57:39 | 000,014,216 | ---- | C] () -- C:\Windows\System32\epmntdrv.sys
[2011/11/04 22:57:39 | 000,008,456 | ---- | C] () -- C:\Windows\System32\EuGdiDrv.sys
[2011/06/03 13:10:57 | 000,073,600 | ---- | C] () -- C:\Windows\System32\ezGOSvc.dll
[2011/05/28 16:04:33 | 000,747,592 | ---- | C] () -- C:\Windows\System32\pwNative.exe
[2011/05/28 16:04:32 | 000,016,472 | ---- | C] () -- C:\Windows\System32\pwdrvio.sys
[2011/05/28 16:04:02 | 000,011,104 | ---- | C] () -- C:\Windows\System32\pwdspio.sys
[2011/05/04 22:08:31 | 000,000,020 | ---- | C] () -- C:\Windows\cmm.dat
[2011/05/04 22:07:57 | 000,000,186 | ---- | C] () -- C:\Windows\System32\CleanMem.ini
[2010/07/03 18:07:57 | 000,005,115 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini

========== LOP Check ==========

[2012/05/22 23:00:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\IObit
[2012/05/23 01:14:44 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Opera
[2011/11/18 17:59:06 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Yandex
[2012/05/26 00:43:39 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< %ALLUSERSPROFILE%\Application Data\*.exe >

< %APPDATA%\*. >
[2010/07/09 14:15:29 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Adobe
[2012/05/22 23:31:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Apple Computer
[2010/07/09 13:40:31 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\ATI
[2010/07/09 13:40:56 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\HP
[2010/07/09 13:39:12 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Identities
[2012/05/22 23:00:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\IObit
[2010/07/09 14:15:34 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Macromedia
[2012/05/22 23:21:13 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Malwarebytes
[2006/11/02 08:37:34 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Media Center Programs
[2012/05/24 17:09:01 | 000,000,000 | --SD | M] -- C:\Users\admin\AppData\Roaming\Microsoft
[2012/05/23 01:14:44 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Opera
[2010/07/09 13:40:02 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Real
[2012/01/01 18:21:01 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Verizon Wireless
[2012/05/24 02:02:05 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\vlc
[2011/11/18 17:59:06 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Yandex

< MD5 for: ATAPI.SYS >
[2008/03/12 02:38:18 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
[2008/03/12 02:38:18 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/03/12 02:24:20 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=96DC4E1A9F90CCD489950A8935425C59 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22134_none_dda556493abc2795\atapi.sys

< MD5 for: CSRSS.EXE >
[2008/01/20 22:24:54 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=ABCA209EBA02CB59233614DB83B4F50D -- C:\Windows\System32\csrss.exe
[2008/01/20 22:24:54 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=ABCA209EBA02CB59233614DB83B4F50D -- C:\Windows\winsxs\x86_microsoft-windows-csrss_31bf3856ad364e35_6.0.6001.18000_none_58e3e3d7e415ae4c\csrss.exe

< MD5 for: EXPLORER.EXE >
[2008/10/29 02:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 23:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\ERDNT\cache\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 22:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008/01/20 22:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/01/20 22:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\ERDNT\cache\svchost.exe
[2008/01/20 22:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/20 22:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 22:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/11/07 23:02:58 | 001,036,344 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/11/07 23:02:58 | 001,036,344 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/11/07 23:02:58 | 001,036,344 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/11/07 23:02:58 | 001,036,344 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/12/21 03:24:52 | 000,715,216 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/12/21 03:24:52 | 000,715,216 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/12/21 03:24:52 | 000,715,216 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/12/21 03:24:51 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/12/21 03:24:51 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/12/21 03:24:51 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/11/07 23:02:58 | 001,036,344 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/11/07 23:02:58 | 001,036,344 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/11/07 23:02:58 | 001,036,344 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/11/07 23:02:58 | 001,036,344 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2012/01/14 17:36:35 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2012/01/14 17:36:35 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2012/01/14 17:36:35 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012/01/14 17:36:38 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2012/01/14 17:36:38 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\InstallInfo\\ShowIconsCommand: "C:\Program Files\Opera\Opera.exe" /ShowIconsCommand [2012/05/12 21:45:30 | 000,949,104 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\InstallInfo\\HideIconsCommand: "C:\Program Files\Opera\Opera.exe" /HideIconsCommand [2012/05/12 21:45:30 | 000,949,104 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\InstallInfo\\ReinstallCommand: "C:\Program Files\Opera\Opera.exe" /ReInstallBrowser [2012/05/12 21:45:30 | 000,949,104 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\shell\open\command\\: "C:\Program Files\Opera\Opera.exe" [2012/05/12 21:45:30 | 000,949,104 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2010/06/04 13:15:16 | 002,387,768 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2010/06/04 13:15:16 | 002,387,768 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2010/06/04 13:15:16 | 002,387,768 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2010/06/04 13:15:16 | 002,387,768 | ---- | M] (Apple Inc.)

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

========== Alternate Data Streams ==========

@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:2D6E5D55
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:ECF54A0E
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:E7833B2E
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:1EE5EBCB
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:A8ADE5D8

< End of report >
  • 0

#4
winvista

winvista

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Here are the contents of Extras.txt:

OTL Extras logfile created on: 5/26/2012 12:34:41 PM - Run 1
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Users\admin\Desktop\OTL
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 1.90 Gb Available Physical Memory | 69.19% Memory free
5.70 Gb Paging File | 4.93 Gb Available in Paging File | 86.43% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147.58 Gb Total Space | 2.24 Gb Free Space | 1.52% Space Free | Partition Type: NTFS
Drive D: | 3.52 Gb Total Space | 1.91 Gb Free Space | 54.21% Space Free | Partition Type: FAT32

Computer Name: RNT-PC | User Name: admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2875643067-1621112102-2647771907-1000]
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0294BB2F-6178-459D-8C46-8D1C40D6AD6B}" = rport=445 | protocol=6 | dir=out | app=system |
"{057550CC-1C7E-4C7B-A2F8-3A8DDC978C8C}" = lport=138 | protocol=17 | dir=in | app=system |
"{08E024BB-596A-4DFF-A430-159062EB67CE}" = lport=10243 | protocol=6 | dir=in | app=system |
"{19A5737B-0BEE-43C8-BCD3-3CC714AA4FD3}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{25B9D31D-64EC-44F5-900B-17177C3E5D3C}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{295EF879-34FC-4A05-A484-51AA1443280E}" = lport=445 | protocol=6 | dir=in | app=system |
"{2FA65B31-3A9D-4C20-AFC6-469495F0EF44}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4084E937-EAAA-47EE-9520-7BE7CE434C09}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4BF5EB07-06A2-40E2-B5B6-244EF5C49A0F}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{5456EA1E-AF45-48BD-9C96-AB99A6CCF1D9}" = lport=139 | protocol=6 | dir=in | app=system |
"{6364B77A-8796-4078-B3CC-5963A3E70B4F}" = rport=139 | protocol=6 | dir=out | app=system |
"{6EFD3216-D4DB-448C-81DA-E8838C66FFD2}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7C7BD74E-D59D-40F9-8481-A74C4729E9DD}" = rport=138 | protocol=17 | dir=out | app=system |
"{86444BB3-291D-4D31-A046-BB4AA3243C28}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AF8150A9-8B4A-4262-900E-D368942052B3}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BE10AB93-C4A6-464B-BE93-069E778BFF99}" = rport=10243 | protocol=6 | dir=out | app=system |
"{C232D951-55E7-4D04-9346-F88A07FC0B22}" = lport=137 | protocol=17 | dir=in | app=system |
"{C428A183-FD79-40B5-990D-895328F43AC8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{CF0676E6-E2EC-438A-9741-7029DEBD00CE}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F534D21D-02A4-4E48-A237-A3745ED5E6D3}" = rport=137 | protocol=17 | dir=out | app=system |
"{F9C1EEE5-72B7-40C6-BC7C-64E9DF7DEB39}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{003C7A18-60D9-4C89-94D8-DE42C1AA1D76}" = protocol=58 | dir=in | [email protected],-28545 |
"{02A4D600-582A-4C14-ADFE-C125CF0CB18F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1473D86F-6F04-46A3-9153-CD04272511DC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4849799C-D8E9-4360-8F9A-6B5F2BCC7EA4}" = protocol=1 | dir=in | [email protected],-28543 |
"{56E808A1-BFD0-4B79-B567-B9FA848D697F}" = protocol=1 | dir=out | [email protected],-28544 |
"{61FB8AD2-C831-45AB-9DFB-D685C3A8300D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{62F27534-2769-4D2F-B42F-E96E62F64F44}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{65901CFC-D156-4C8F-90EA-C26D256CA195}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{68F6992D-6E9D-4F14-88EC-3E0B8BEC7EFF}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8642AF85-31DC-4BB3-8E9D-1E478C224084}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A5589677-56C4-46C1-A86B-1F0B5425786F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AB3FBA72-52C3-4476-9A38-230DBE05659B}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BC7833D1-AE4B-4CAB-BDD5-6EA587E5C763}" = protocol=6 | dir=out | app=system |
"{CE504808-152F-4073-8BB9-0F8E7C4D30C6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D3648D1D-2BA3-4973-9B7E-EDC907B6E342}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E8715BB0-E132-4617-B344-62E03BFE2C1C}" = protocol=58 | dir=out | [email protected],-28546 |
"{E926E57D-011D-4F63-BCC5-FFCFDC28D091}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EFA98652-B437-42AA-B7D3-EFFD71ED4ECD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F7DCF881-DB9D-4779-8D1C-CCCBAC7C73FF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{067B277E-F94B-4F04-B380-BA967C00377C}_is1" = MiniTool Partition Wizard Home Edition 6.0
"{07C9627A-CA0B-2AA2-062E-204359DF7BA1}" = Catalyst Control Center Core Implementation
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0D2E9DCB-9938-475E-B4DD-8851738852FF}" = AIO_Scan
"{0D5D0BEE-FBA9-4928-A50D-6CDFAB827755}" = TOSHIBA ConfigFree
"{0EFB2016-41D2-5F30-8F60-25250F6DABDD}" = CCC Help Thai
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{14894C07-EDA7-4919-A22B-98C665DF64C0}" = AlterGeo Magic Scanner
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1E57A11B-AB65-C6D1-F999-B3B37AB2298E}" = Catalyst Control Center Localization Japanese
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{22DD005D-0EF1-4E3E-92F8-49D89E31479A}" = 1400
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 24
"{27265B80-303E-EFFF-6052-B11F91B634C3}" = Catalyst Control Center Localization Italian
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2920435D-CE92-5024-1694-DFD43A5FF074}" = Catalyst Control Center Localization Greek
"{2CD6D3D2-1EFC-F0B4-1761-FD4FA7F8750F}" = CCC Help Finnish
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160060}" = Java™ 6 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{356D81B3-40C7-4669-9A4C-9AB31265409A}" = A Ruler for Windows
"{358004B9-3A16-87FF-4487-4D6F0C70E52F}" = Catalyst Control Center Localization Russian
"{38A3E884-313A-7AE0-11BC-482DE0C8766A}" = CCC Help Czech
"{39C4C6DE-641B-483F-B875-2AEDF0FB85CA}_is1" = Rampant Logic Postscript Viewer 1.1
"{3A8FE746-19BA-4168-8D01-D45897C7310E}" = VZAccess Manager
"{3BB12DBC-0A8E-ECE2-F179-D06B99B8CD02}" = Catalyst Control Center Localization Czech
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3E0E28DC-DA90-1BA2-FA36-AA3C2E4FB74A}" = Catalyst Control Center Graphics Previews Vista
"{3EE51BAD-9916-49C7-90BA-3D500B031E0C}_is1" = VSO Image Resizer 2.2.2.1
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Netwaiting
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{4C90501F-864B-5AC4-867D-6AC35BE50721}" = ccc-utility
"{4F94119D-1B71-400e-9F04-B4E5CEAE71F8}_is1" = Sothink Movie DVD Maker
"{55398A75-13E0-570F-BD16-2EE5D9E5523D}" = Catalyst Control Center Localization Norwegian
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5F131988-3326-AD64-1817-D76A2FE3C2D3}" = CCC Help Chinese Traditional
"{5FBF37CD-B7F9-564C-BDFC-73D970CF7AF2}" = CCC Help Italian
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{61C63422-E5E2-8576-2B82-0E01F5AD2538}" = CCC Help English
"{61F90A4F-AD49-7FFB-F027-5B2CB64F0A70}" = Catalyst Control Center Graphics Light
"{629044C7-745A-64B8-467F-2F93ED50008B}" = CCC Help Chinese Standard
"{65BF23C0-4EF9-27CC-7B6F-190F4008A569}" = Catalyst Control Center Localization Polish
"{65D602E4-DCDE-0743-6A0A-F1A203449F47}" = CCC Help German
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6752B76F-C082-43EE-9DDF-48BFC3B0378B}_is1" = DriveRestore Professional 3.1.2
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{68BEE9AE-D577-4CFA-9201-02B0CF288FC5}" = Memeo AutoBackup
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69E5255D-9D43-4CFF-8984-843ABD7753B7}" = Catalyst Control Center - Branding
"{6A3C2391-BCE2-4D28-A336-73B953B4502F}" = 1400Trb
"{6B4874CA-13CF-2477-B697-B448201B56B6}" = CCC Help Norwegian
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6EB0B23B-AA51-6F4E-C94C-C1015ED61EEC}" = CCC Help Japanese
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{6FBE200D-1F00-40B7-BF48-FEB265AADE94}" = 1400_Help
"{70495081-1DC8-AD4B-C197-12138B8FBC9E}" = CCC Help Danish
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71B929E2-3556-93DB-DEC0-FD56D3EFB473}" = Catalyst Control Center Localization Chinese Traditional
"{71C47830-182D-79FA-0790-0366E6E2C2EB}" = Catalyst Control Center Localization Spanish
"{73B52EA8-8A5C-4FF5-A9F2-1A0F3259C3D2}" = TOSHIBA Application Disc Creator
"{73C6DCFB-B606-47F3-BDFA-9A4FBF931E37}" = ICQ7.4
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{77CAD946-C573-6647-B222-B6870C072932}" = CCC Help Korean
"{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E83516C-931B-870F-5CDF-01FDF9A4AEF0}" = Catalyst Control Center Localization Turkish
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82A7E9C3-D3F3-4B85-9AC3-D0E011D19E50}_is1" = RedNotebook 1.1.1
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{85E8C3B0-4413-4556-A207-6E37962ADF0A}" = Evolution
"{86728841-C151-B8E4-43C6-DD289DE570B6}" = Catalyst Control Center Localization Swedish
"{86DBA852-5D5E-1856-D828-620E792EDC0D}" = Catalyst Control Center Localization Chinese Standard
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{88BA2601-8A62-7AB7-DB8A-7AA2840B7C87}" = Catalyst Control Center Localization Thai
"{890EF3F8-742F-46BD-9E8E-084B3A1F4364}" = QuickBooks Financial Center
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B587895-7716-1B99-5D85-3CA4AAF8A0F4}" = Catalyst Control Center Localization Dutch
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{8D6B93AF-E2C0-4461-A515-2D79D53DA7FC}" = NETEagle
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9244F321-0BBD-9D4A-C1FB-6437E3D0550D}" = Catalyst Control Center Localization German
"{93F3EBDD-4007-C233-7320-977AC0941054}" = CCC Help Turkish
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{94AB6CE0-DB26-7048-2A5B-4647EA1FC693}" = ccc-core-static
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{954F21D6-6487-4E8A-A7C2-30DFAAD9BEE0}_is1" = DLL Suite 1.0
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A103C127-2168-4493-8D01-4BF180BED12C}" = CCC Help Portuguese
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A3B7C670-4A1E-4EE2-950E-C875BC1965D0}" = Copy
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC2BA148-EE9C-4F1A-AFCE-F38C2C71D29B}" = Mobile Broadband Generic Drivers
"{AC2EE52D-05CD-8140-5D29-5AA29590971E}" = CCC Help French
"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.1
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{ACEB2BAF-96DF-48FD-ADD5-43842D4C443D}" = Adobe AIR
"{AFAC914D-9E83-4A89-8ABE-427521C82CCF}" = Safari
"{B02A78AE-EA3B-8261-AEBC-8221E22DCC1E}" = CCC Help Polish
"{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}" = Atheros Wi-Fi Protected Setup Library
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1D67B62-35A8-A9A1-AA74-F6A495C8271A}" = Catalyst Control Center Localization Danish
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B28759B8-5FC6-4F56-9C6C-6EDAD36455A9}" = Roxio Media Manager
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B68ED296-D899-4573-AFFC-D3F6904785D4}" = HP Driver Diagnostics
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BC2EA92A-A5A9-A137-5204-F150EDB05DB3}" = CCC Help Hungarian
"{BC713970-8C3C-852B-4139-636F21114B7F}" = CCC Help Dutch
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{C5F1A9C4-C041-2E95-5D7E-EF56CED2B522}" = Skins
"{C6E52B1B-9905-469A-B8CD-399FDFA98873}" = MIT MathML Fonts 1.0
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}" = HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"{D7CC05AF-067D-0D1A-1E4D-9DCBCDCC2D41}" = Catalyst Control Center Graphics Full New
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{E06F04B9-45E6-4AC0-8083-85F7515F40F7}" = UnloadSupport
"{E09575B2-498D-4C8B-A9D2-623F78574F29}" = AIO_CDB_Software
"{E0FC3A5D-CF52-ABA7-92EF-D9794F372121}" = Catalyst Control Center Graphics Full Existing
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E7112940-5F8E-4918-B9FE-251F2F8DC81F}" = AIO_CDB_ProductContext
"{EA7D1919-A6BF-979A-E3A2-F753E23D45FA}" = Catalyst Control Center Localization Hungarian
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{ED2BC5D9-20EE-FBB6-8483-240F19EFCAA5}" = CCC Help Swedish
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F0345A2F-1D78-0AEA-7CBB-CEF48622EB44}" = Catalyst Control Center Localization Portuguese
"{F0646787-1A2F-34E9-A61D-9DAD69F606F8}" = CCC Help Spanish
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F362902D-BC94-4187-8960-3B51F55B2EB0}" = Verizon Wireless USB760 Firmware Updates
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}" = Philips PC Camera
"{F50E4D66-5280-FDF8-7F55-2E47FCF23E7D}" = Catalyst Control Center Localization Korean
"{F67E6AE5-F87B-025F-2D6B-26491304393F}" = CCC Help Russian
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F9DAAC4B-5E3F-1D39-9D4B-6998664EF402}" = Catalyst Control Center Localization Finnish
"{F9F66B99-C1B3-ACEA-1F80-404CC4DD96BF}" = Catalyst Control Center Localization French
"{FA493449-3E34-4E05-8CA7-26A42E9F180E}" = CCC Help Greek
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"7-Zip" = 7-Zip 9.20
"AbiWord2" = AbiWord 2.6.4
"AbiwordIEPlugins" = AbiWord Importer/Exporter Plugins
"AbiwordToolsPlugins" = AbiWord Tools Plugins
"AC970D9B-E5C8-44D8-910B-D763DDF6D32A_is1" = Chrysanth Diary [Free]
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced SystemCare 5_is1" = Advanced SystemCare 5
"Alarm Clock_is1" = Alarm Clock v1.0
"AviSynth" = AviSynth 2.5
"Bandwidth Monitor_is1" = Bandwidth Monitor
"BlackBerry_{CE5E3F15-320A-4865-97D3-F07227C5BB2F}" = BlackBerry Desktop Software 4.5
"BurnAware Free_is1" = BurnAware Free 4.4
"BurnWorld.Com BurnOn CD&DVD_is1" = BurnOn CD&DVD, Version 3.1.0 ( Build 2007-4-2, Win32, )
"CCleaner" = CCleaner
"CleanMem" = CleanMem
"CNXT_MODEM_USB_ACF" = USB Modem
"CopyTrans Suite" = CopyTrans Suite Remove Only
"DiskAid_is1" = DiskAid 4.1
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Dragon Internet" = Dragon Internet
"EASEUS Partition Master Home Edition_is1" = EASEUS Partition Master 9.1.0 Home Edition
"FastStone Photo Resizer" = FastStone Photo Resizer 2.8
"ffdshow_is1" = ffdshow [rev 2583] [2009-01-05]
"Free Videos To DVD_is1" = Free Videos To DVD V 3.2.0
"Free Window Registry Repair" = Free Window Registry Repair
"FreeNotes2_is1" = Free Notes 3.02
"Google Chrome" = Google Chrome
"GPL Ghostscript_is1" = Docudesk GPL Ghostscript 8.15
"HaaliMkx" = Haali Media Splitter
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{68BEE9AE-D577-4CFA-9201-02B0CF288FC5}" = Memeo AutoBackup
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"InstallWIX_{66F1F013-008F-4875-B283-5A814B820347}" = Kaspersky Anti-Virus 2011
"IrfanView" = IrfanView (remove only)
"KeepNote_is1" = KeepNote 0.7.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mobile Broadband Generic Drivers" = Mobile Broadband Generic Drivers
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"Opera 11.64.1403" = Opera 11.64
"OptiNet" = OptiNet (remove only)
"Pamela" = Pamela Basic 4.6
"PDF reDirect" = PDF reDirect (remove only)
"Picasa 3" = Picasa 3
"Picture Resize_is1" = Free Picture Resize Starter 4.5
"PROHYBRIDR" = 2007 Microsoft Office system
"RealPlayer 15.0" = RealPlayer
"Smart DVD Creator_is1" = Smart DVD Creator
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"TreePadLite4" = TreePad Lite 4.3
"VLC media player" = VLC media player 1.1.11
"WildTangent toshiba Master Uninstall" = TOSHIBA Games
"WinDjView" = WinDjView 1.0.3
"WinImage" = WinImage
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"WinBubble" = WinBubble

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/26/2012 12:54:43 PM | Computer Name = jeo-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

Error - 5/26/2012 12:54:48 PM | Computer Name = RNT-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

Error - 5/26/2012 12:54:53 PM | Computer Name = RNT-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

Error - 5/26/2012 12:54:58 PM | Computer Name = RNT-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

Error - 5/26/2012 12:55:03 PM | Computer Name = RNT-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

Error - 5/26/2012 12:55:08 PM | Computer Name = RNT-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

Error - 5/26/2012 12:55:14 PM | Computer Name = RNT-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

Error - 5/26/2012 12:55:19 PM | Computer Name = RNT-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

Error - 5/26/2012 12:55:24 PM | Computer Name = RNT-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

Error - 5/26/2012 12:55:29 PM | Computer Name = RNT-PC | Source = WcesComm | ID = 7
Description = Windows Mobile-based device failed to connect due to Fatal (0x80004005)
failure (see data for failure code).

[ System Events ]
Error - 5/26/2012 12:29:24 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7024
Description =

Error - 5/26/2012 12:29:24 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7003
Description =

Error - 5/26/2012 12:29:24 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7003
Description =

Error - 5/26/2012 12:29:24 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 5/26/2012 12:29:24 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 5/26/2012 12:29:24 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 5/26/2012 12:29:24 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 5/26/2012 12:29:24 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7031
Description =

Error - 5/26/2012 12:30:33 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7031
Description =

Error - 5/26/2012 12:33:33 PM | Computer Name = RNT-PC | Source = Service Control Manager | ID = 7034
Description =


< End of report >
  • 0

#5
winvista

winvista

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Thanks again for your welcome and your help.

I suspect that Zeroaccess still lives even though I thought I got rid of it. Just today I found that I now have to confirm as administrator to save objects to my own desktop.
  • 0

#6
azarl

azarl

    GeekU Admin

  • Administrator
  • 25,202 posts
Why do you think it was ZA?
What A/V are you running?
  • 0

#7
winvista

winvista

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
I'll give you a little history. I think the virus struck in November 2011 and the system became very unstable and I had internet problems then. I used both Kaspersky AV (paid) and AVG Antivirus (free)to finally get the system back to a useable condition. I thought that I had erradicated the virus, but I now believe that it was still there dormant until I installed some clean software a couple of weeks ago. Then in the flash of an eye, my computer was disconnected from the internet. It's not exactly disconnected because I'm able to connect ok, but somehow Windows doesn't know that it is connected. Technical support at my isp walked me through all the obvious ways and some not-so-obvious ways to resolve connection problems. In the end, they gave up and said that I have some kind of a problem with Windows.

Since this last attack, I have run numerous antivirus/antimalware tools - AVG antivirus, MicroSoft Security Essentials, Spybot, Ad Aware, Malwarebytes, Trend Micro Rootkitbuster, Kaspersky rootkit tool, etc. Combofix said that it was Zeroaccess and that my TCP/IP stack is infected. But I may have multiple infections because both the Trend Micro and Kaspersky tools found threats as recently as yesterday. I tried to run the McAfee tool, but it wouldn't run (something about not having access even though I ran it in administrator mode). Basically I threw everything at it except the kitchen sink, but I still have problems.

I have reached the limit of my abilities, and that is what brought me here.

Edited by winvista, 26 May 2012 - 04:39 PM.

  • 0

#8
azarl

azarl

    GeekU Admin

  • Administrator
  • 25,202 posts
Did you lose internet connectivity after running IOBit Advanced SystemCare?

Firstly...
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\jeo\AppData\Local\Temp\mfe_rr.sys -- (MFE_RR)
    
    :Commands
    [purity]
    [emptytemp]
    
    [Reboot]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Next...
Download aswMBR.exe ( 4.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image
  • 0

#9
winvista

winvista

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Thanks so much. I will run these scans presently. I did not lose internet connectivity due to any scan. I lost internet connectivity when I installed a dialing program from my isp which I now believe triggered a dormant rootkit. I have this same dialing program running on the computer from which I am posting without any problems at all. I spent 2 hours on the phone with technical support after which they concluded that I had more going on than just some settings not set correctly.
  • 0

#10
winvista

winvista

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Latest OTL Scan:

OTL logfile created on: 5/27/2012 2:27:54 PM - Run 3
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Users\admin\Desktop\OTL
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 1.72 Gb Available Physical Memory | 62.45% Memory free
5.70 Gb Paging File | 4.75 Gb Available in Paging File | 83.32% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147.58 Gb Total Space | 2.80 Gb Free Space | 1.90% Space Free | Partition Type: NTFS
Drive D: | 3.52 Gb Total Space | 1.90 Gb Free Space | 54.05% Space Free | Partition Type: FAT32

Computer Name: RNT-PC | User Name: admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/25 21:37:04 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL\OTL.exe
PRC - [2012/03/14 17:38:14 | 000,913,752 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
PRC - [2012/03/12 18:59:50 | 000,342,872 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 5\DelayLoad.exe
PRC - [2011/11/14 22:18:45 | 000,386,448 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\ACFXAU32.exe
PRC - [2011/11/14 22:18:44 | 000,124,000 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
PRC - [2011/11/14 22:18:43 | 000,424,928 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
PRC - [2011/11/14 22:18:43 | 000,074,276 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2011/11/14 22:18:37 | 000,038,672 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/04/24 16:03:12 | 000,430,080 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
PRC - [2008/04/17 03:21:24 | 001,056,768 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2008/04/17 03:19:16 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
PRC - [2008/04/08 18:14:50 | 006,037,504 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/10 22:43:26 | 000,138,072 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\ASCv5ExtMenu.dll
MOD - [2008/09/16 21:18:06 | 000,132,608 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2008/04/23 01:05:08 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll
MOD - [2006/12/11 00:51:08 | 000,077,824 | R--- | M] () -- C:\Program Files\Hp\Digital Imaging\bin\crm\xmltok.dll
MOD - [2006/12/11 00:51:08 | 000,065,536 | R--- | M] () -- C:\Program Files\Hp\Digital Imaging\bin\crm\xmlparse.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WPFFontCache_v0400)
SRV - File not found [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2012/04/30 21:51:00 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/03/14 17:38:14 | 000,913,752 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5)
SRV - [2011/11/14 22:18:45 | 000,386,448 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\drivers\ACFXAU32.exe -- (XAudioService)
SRV - [2011/11/14 22:18:44 | 000,124,000 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2011/11/14 22:18:43 | 000,424,928 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2011/11/14 22:18:43 | 000,074,276 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2011/11/14 22:18:42 | 000,145,128 | ---- | M] () [Auto | Stopped] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2011/11/14 22:18:42 | 000,057,480 | ---- | M] () [Disabled | Stopped] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2011/11/14 22:18:37 | 000,038,672 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2011/05/28 18:56:18 | 000,073,600 | ---- | M] () [Auto | Running] -- C:\Windows\System32\ezGOSvc.dll -- (ezGOSvc)
SRV - [2008/04/16 18:53:00 | 000,954,368 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2008/01/29 13:09:58 | 000,165,416 | ---- | M] (WildTangent, Inc.) [Disabled | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/05/31 18:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 18:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\admin\AppData\Local\Temp\mfe_rr.sys -- (MFE_RR)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
DRV - File not found [File_System | System | Stopped] -- system32\DRIVERS\klif.sys -- (KLIF)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys -- (IO_Memory)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/07/29 13:54:56 | 000,014,216 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\epmntdrv.sys -- (epmntdrv)
DRV - [2011/07/29 13:54:56 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2011/05/06 14:30:00 | 000,016,472 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\pwdrvio.sys -- (pwdrvio)
DRV - [2011/05/06 14:29:50 | 000,011,104 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\pwdspio.sys -- (pwdspio)
DRV - [2010/06/23 10:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2010/06/09 17:43:52 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\Windows\System32\drivers\kl2.sys -- (kl2)
DRV - [2010/06/09 17:43:50 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\kl1.sys -- (KL1)
DRV - [2009/12/18 12:13:02 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2009/12/18 12:13:00 | 000,230,912 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2009/12/18 12:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2009/11/02 20:27:16 | 000,019,984 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/04/11 00:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2008/07/29 06:05:04 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/28 19:59:18 | 000,020,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2008/04/23 03:36:32 | 003,551,232 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/04/11 00:25:30 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
DRV - [2008/01/18 12:22:00 | 000,009,216 | ---- | M] (Inventec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\PEDRV.SYS -- (SVRPEDRV)
DRV - [2007/12/14 14:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/11/09 17:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/07/10 04:13:38 | 000,028,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ACFDCP32.sys -- (dgcfltr)
DRV - [2007/07/10 04:13:32 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\ACFXAU32.sys -- (XAudio)
DRV - [2007/06/29 06:39:46 | 000,086,656 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ACFVA32.sys -- (acfva)
DRV - [2007/03/15 05:52:34 | 000,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\ACFSDK32.sys -- (mdmxsdk)
DRV - [2006/11/28 18:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 17:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 02:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10I.sys -- (KR10I)
DRV - [2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10N.sys -- (KR10N)
DRV - [2006/10/30 14:23:12 | 000,007,680 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)
DRV - [2002/10/01 15:43:32 | 000,119,798 | ---- | M] (SP) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\spca561.sys -- (CA561)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\..\SearchScopes,DefaultScope = {5413DC04-8E8C-4D0A-B988-D5786D662FD9}
IE - HKLM\..\SearchScopes\{5413DC04-8E8C-4D0A-B988-D5786D662FD9}: "URL" = http://www.google.co...ge={startPage};
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT2117678

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKCU\..\SearchScopes,DefaultScope = {5413DC04-8E8C-4D0A-B988-D5786D662FD9}
IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:466...q={searchTerms}
IE - HKCU\..\SearchScopes\{93462E4E-B91F-4B9A-8184-4E527B169A32}: "URL" = http://us.yhs.search...p={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/15 20:57:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/15 19:06:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/15 20:58:28 | 000,000,000 | ---D | M]

[2012/01/15 02:32:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/17 11:18:47 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/11/15 21:59:53 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]_bak
[2011/12/21 03:24:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009/02/11 15:16:16 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
[2011/02/02 22:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/05/14 01:06:53 | 000,003,766 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2010/08/02 09:27:02 | 000,002,226 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2011/12/21 00:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/21 00:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}

O1 HOSTS File: ([2012/05/25 12:07:27 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {8984B388-A5BB-4DF7-B274-77B879E179DB} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdcBase.exe (Microsoft Corporation)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - Reg Error: Key error. File not found
O9 - Extra Button: ICQ7.4 - {73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - C:\Program Files\ICQ7.4\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.4 - {73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - C:\Program Files\ICQ7.4\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - Reg Error: Key error. File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - (C:\Windows\system32\klogon.dll) - C:\Windows\System32\klogon.dll (Kaspersky Lab ZAO)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/27 11:42:19 | 000,475,712 | ---- | C] (McAfee, Inc.) -- C:\rootkitremover.exe
[2012/05/27 11:40:22 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\asw
[2012/05/27 11:21:34 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/05/26 12:29:41 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\OTL
[2012/05/25 23:39:40 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\WindowsForUs
[2012/05/25 23:36:55 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinBubble
[2012/05/25 23:36:53 | 000,000,000 | ---D | C] -- C:\Program Files\WinBubble
[2012/05/25 17:19:54 | 000,000,000 | ---D | C] -- C:\Windows\System32\tp
[2012/05/25 16:15:56 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/05/25 16:12:59 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\temp
[2012/05/25 16:12:21 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/05/25 15:28:52 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/05/25 00:31:05 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/05/24 22:11:54 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\log
[2012/05/24 22:11:48 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\TMRBLog
[2012/05/24 21:38:10 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\backups
[2012/05/24 21:31:41 | 008,656,400 | ---- | C] (Trend Micro Inc.) -- C:\Users\admin\Desktop\RootkitBuster_v5_1061.exe
[2012/05/24 21:31:35 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\admin\Desktop\HijackThis.exe
[2012/05/24 15:23:41 | 000,000,000 | ---D | C] -- C:\Users\admin\Pavark
[2012/05/24 11:30:09 | 000,475,712 | ---- | C] (McAfee, Inc.) -- C:\Users\admin\Desktop\rootkitremover.exe
[2012/05/24 02:45:57 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Microsoft Games
[2012/05/23 01:14:44 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Opera
[2012/05/23 01:14:44 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Local\Opera
[2012/05/22 23:33:21 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\vlc
[2012/05/22 23:31:55 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Apple Computer
[2012/05/22 23:21:13 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Malwarebytes
[2012/05/22 23:01:05 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\admin\Desktop\aswMBR.exe
[2012/05/22 23:00:55 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\IObit
[2012/05/22 00:22:43 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/05/20 22:35:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/05/20 19:21:42 | 000,000,000 | ---D | C] -- C:\Program Files\DLLSuite
[2012/05/19 14:34:46 | 000,000,000 | ---D | C] -- C:\Program Files\Dragon Internet
[2012/05/18 23:40:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/05/18 23:40:10 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/05/18 17:50:44 | 000,000,000 | ---D | C] -- C:\Users\admin\AbiSuite
[2012/05/15 15:31:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LocalNet
[2012/05/15 15:31:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\FTL Shared
[2012/05/14 23:54:22 | 000,000,000 | ---D | C] -- C:\Program Files\Qualcomm
[2012/05/14 23:54:22 | 000,000,000 | ---D | C] -- C:\Program Files\Netscape
[2012/05/14 00:52:10 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2012/05/14 00:51:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 5
[2012/05/14 00:51:20 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2012/05/13 17:14:50 | 000,000,000 | ---D | C] -- C:\Windows\TempFA2B2319-FCE2-5246-1C6F-52F8D52354BF-Signatures
[2012/05/13 15:28:45 | 000,000,000 | ---D | C] -- C:\ProgramData\LocalNet
[2012/05/13 00:38:30 | 000,000,000 | ---D | C] -- C:\ProgramData\CheckPoint
[2012/05/12 23:38:36 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedyPC Software
[2012/05/12 22:22:54 | 000,000,000 | ---D | C] -- C:\Program Files\cfos6link

========== Files - Modified Within 30 Days ==========

[2012/05/27 14:23:43 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/27 14:23:43 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/27 14:23:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/27 14:23:28 | 2950,524,928 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/27 14:16:40 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\admin\Desktop\aswMBR.exe
[2012/05/27 00:03:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/26 23:08:18 | 000,302,592 | ---- | M] () -- C:\Users\admin\Desktop\1vg7ccn1.exe
[2012/05/26 20:44:14 | 000,650,240 | ---- | M] () -- C:\Users\admin\Desktop\MicrosoftFixit50203.msi
[2012/05/26 00:36:20 | 000,044,786 | ---- | M] () -- C:\nettcpip.inf
[2012/05/26 00:07:21 | 000,483,240 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/05/25 23:36:55 | 000,001,595 | ---- | M] () -- C:\Users\admin\Desktop\WinBubbles.lnk
[2012/05/25 18:03:30 | 000,650,240 | ---- | M] () -- C:\MicrosoftFixit50203.msi
[2012/05/25 17:19:43 | 000,612,040 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/05/25 17:19:43 | 000,106,810 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/05/25 15:32:38 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/05/25 12:07:27 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/05/24 20:53:30 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\admin\Desktop\HijackThis.exe
[2012/05/24 20:49:12 | 008,656,400 | ---- | M] (Trend Micro Inc.) -- C:\Users\admin\Desktop\RootkitBuster_v5_1061.exe
[2012/05/24 16:56:32 | 000,001,042 | ---- | M] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2012/05/24 15:19:26 | 001,020,640 | ---- | M] () -- C:\Users\admin\Desktop\antirootkit.exe
[2012/05/24 00:35:54 | 000,302,592 | ---- | M] () -- C:\Users\admin\Desktop\8n2b1bum.exe
[2012/05/23 23:58:06 | 000,003,070 | ---- | M] () -- C:\Users\admin\Desktop\Attach.zip
[2012/05/23 23:37:49 | 000,000,000 | ---- | M] () -- C:\Users\admin\defogger_reenable
[2012/05/22 23:44:23 | 000,000,512 | ---- | M] () -- C:\Users\admin\Desktop\MBR1.dat
[2012/05/22 23:01:33 | 000,000,680 | ---- | M] () -- C:\Users\admin\AppData\Local\d3d9caps.dat
[2012/05/22 21:26:00 | 000,475,712 | ---- | M] (McAfee, Inc.) -- C:\Users\admin\Desktop\rootkitremover.exe
[2012/05/22 21:26:00 | 000,475,712 | ---- | M] (McAfee, Inc.) -- C:\rootkitremover.exe
[2012/05/19 14:35:01 | 000,000,614 | ---- | M] () -- C:\Windows\nsreg.dat
[2012/05/18 17:48:13 | 000,000,954 | ---- | M] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/05/18 16:49:15 | 000,148,920 | ---- | M] () -- C:\Windows\hpoins19.dat
[2012/05/18 00:41:24 | 000,000,761 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.bak
[2012/05/14 23:54:22 | 000,000,335 | ---- | M] () -- C:\Windows\mozregistry.dat
[2012/05/14 00:51:51 | 000,001,076 | ---- | M] () -- C:\Users\Public\Desktop\Uninstaller.lnk
[2012/05/14 00:51:51 | 000,001,025 | ---- | M] () -- C:\Users\Public\Desktop\Advanced SystemCare 5.lnk

========== Files Created - No Company Name ==========

[2012/05/26 23:27:55 | 000,302,592 | ---- | C] () -- C:\Users\admin\Desktop\1vg7ccn1.exe
[2012/05/26 00:37:45 | 000,044,786 | ---- | C] () -- C:\nettcpip.inf
[2012/05/25 23:36:55 | 000,001,595 | ---- | C] () -- C:\Users\admin\Desktop\WinBubbles.lnk
[2012/05/25 21:16:33 | 000,650,240 | ---- | C] () -- C:\MicrosoftFixit50203.msi
[2012/05/25 21:14:25 | 000,650,240 | ---- | C] () -- C:\Users\admin\Desktop\MicrosoftFixit50203.msi
[2012/05/24 22:09:19 | 2950,524,928 | -HS- | C] () -- C:\hiberfil.sys
[2012/05/24 16:56:32 | 000,001,042 | ---- | C] () -- C:\Users\admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2012/05/24 15:23:04 | 001,020,640 | ---- | C] () -- C:\Users\admin\Desktop\antirootkit.exe
[2012/05/24 00:48:45 | 000,302,592 | ---- | C] () -- C:\Users\admin\Desktop\8n2b1bum.exe
[2012/05/23 23:53:52 | 000,003,070 | ---- | C] () -- C:\Users\admin\Desktop\Attach.zip
[2012/05/23 23:37:49 | 000,000,000 | ---- | C] () -- C:\Users\admin\defogger_reenable
[2012/05/22 23:44:23 | 000,000,512 | ---- | C] () -- C:\Users\admin\Desktop\MBR1.dat
[2012/05/22 23:01:33 | 000,000,680 | ---- | C] () -- C:\Users\admin\AppData\Local\d3d9caps.dat
[2012/05/22 17:45:19 | 000,001,699 | ---- | C] () -- C:\Windows\Notepad.lnk
[2012/05/18 16:44:48 | 000,001,983 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2012/05/14 23:54:22 | 000,000,335 | ---- | C] () -- C:\Windows\mozregistry.dat
[2012/05/14 00:51:51 | 000,001,076 | ---- | C] () -- C:\Users\Public\Desktop\Uninstaller.lnk
[2012/05/14 00:51:51 | 000,001,025 | ---- | C] () -- C:\Users\Public\Desktop\Advanced SystemCare 5.lnk
[2012/05/13 17:18:13 | 000,001,837 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/04/30 21:51:02 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/01/15 15:46:06 | 000,483,240 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/31 16:57:55 | 000,012,908 | -HS- | C] () -- C:\ProgramData\ara327au0mpx25ws6q613p7wrvbho2wq2awry
[2011/11/21 14:52:35 | 000,118,784 | ---- | C] () -- C:\Windows\ShowBmp.exe
[2011/11/21 14:52:35 | 000,014,385 | ---- | C] () -- C:\Windows\Tw561a.ini
[2011/11/21 14:52:35 | 000,000,081 | ---- | C] () -- C:\Windows\Setup8a.ini
[2011/11/15 21:58:49 | 000,115,369 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat3
[2011/11/15 21:58:49 | 000,097,961 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat3
[2011/11/04 22:57:39 | 002,469,760 | ---- | C] () -- C:\Windows\System32\BootMan.exe
[2011/11/04 22:57:39 | 000,086,408 | ---- | C] () -- C:\Windows\System32\setupempdrv03.exe
[2011/11/04 22:57:39 | 000,019,840 | ---- | C] () -- C:\Windows\System32\EuEpmGdi.dll
[2011/11/04 22:57:39 | 000,014,216 | ---- | C] () -- C:\Windows\System32\epmntdrv.sys
[2011/11/04 22:57:39 | 000,008,456 | ---- | C] () -- C:\Windows\System32\EuGdiDrv.sys
[2011/06/03 13:10:57 | 000,073,600 | ---- | C] () -- C:\Windows\System32\ezGOSvc.dll
[2011/05/28 16:04:33 | 000,747,592 | ---- | C] () -- C:\Windows\System32\pwNative.exe
[2011/05/28 16:04:32 | 000,016,472 | ---- | C] () -- C:\Windows\System32\pwdrvio.sys
[2011/05/28 16:04:02 | 000,011,104 | ---- | C] () -- C:\Windows\System32\pwdspio.sys
[2011/05/04 22:08:31 | 000,000,020 | ---- | C] () -- C:\Windows\cmm.dat
[2011/05/04 22:07:57 | 000,000,186 | ---- | C] () -- C:\Windows\System32\CleanMem.ini
[2010/07/03 18:07:57 | 000,005,115 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini

========== LOP Check ==========

[2012/05/22 23:00:55 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\IObit
[2012/05/23 01:14:44 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Opera
[2011/11/18 17:59:06 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Yandex
[2012/05/27 11:22:21 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:2D6E5D55
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:ECF54A0E
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:E7833B2E
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:1EE5EBCB
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:A8ADE5D8

< End of report >
  • 0

Advertisements


#11
winvista

winvista

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
aswMBR scan:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-27 14:35:15
-----------------------------
14:35:15.364 OS Version: Windows 6.0.6002 Service Pack 2
14:35:15.364 Number of processors: 2 586 0x301
14:35:15.364 ComputerName: RNT-PC UserName: admin
14:35:17.486 Initialize success
14:35:41.063 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:35:41.078 Disk 0 Vendor: TOSHIBA_MK1652GSX LV010M Size: 152627MB BusType: 3
14:35:41.094 Disk 0 MBR read successfully
14:35:41.094 Disk 0 MBR scan
14:35:41.094 Disk 0 Windows VISTA default MBR code
14:35:41.125 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
14:35:41.141 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 151125 MB offset 3074048
14:35:41.141 Disk 0 scanning sectors +312579760
14:35:41.219 Disk 0 scanning C:\Windows\system32\drivers
14:36:01.249 Service scanning
14:36:40.296 Modules scanning
14:37:01.949 Disk 0 trace - called modules:
14:37:01.980 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
14:37:01.980 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8787b258]
14:37:01.995 3 CLASSPNP.SYS[8c16c8b3] -> nt!IofCallDriver -> [0x8782a918]
14:37:01.995 5 acpi.sys[83e0d6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x87862b98]
14:37:02.011 Scan finished successfully
14:38:01.207 Disk 0 MBR has been saved successfully to "D:\Win32\Sunday272912\aswMBR\MBR.dat"
14:38:01.239 The log file has been saved successfully to "D:\Win32\Sunday272912\aswMBR\aswMBR.txt"
  • 0

#12
azarl

azarl

    GeekU Admin

  • Administrator
  • 25,202 posts

I lost internet connectivity when I installed a dialing program from my isp which I now believe triggered a dormant rootkit.

I doubt it, it's almost certainly to do with the dialing program. Probably because there was already some damage

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\jeo\AppData\Local\Temp\mfe_rr.sys -- (MFE_RR)
    
    :Commands
    [purity]
    [emptytemp]
    
    [Reboot]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done if requested
  • Post the log it produces in your next reply.

  • 0

#13
winvista

winvista

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
Here is the result:

All processes killed
========== OTL ==========
Service MFE_RR stopped successfully!
Service MFE_RR deleted successfully!
File C:\Users\jeo\AppData\Local\Temp\mfe_rr.sys not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: admin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Bolo
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Bolo2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Opera cache emptied: 0 bytes

User: jeo
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 78489 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1413120 bytes

Total Files Cleaned = 1.00 mb


OTL by OldTimer - Version 3.2.43.1 log created on 05272012_214520

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#14
azarl

azarl

    GeekU Admin

  • Administrator
  • 25,202 posts
Firstly...

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Next...
ComboFix

Notes:
  • If you have a previous version of Combofix.exe, delete it and download a fresh copy.
  • It must be saved to your desktop, do not run it
  • Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See http://www.bleepingc...opic114351.html

Download and Save this file -- to your Desktop
http://download.blee...Bs/ComboFix.exe
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
Posted Image
Posted Image

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.
  • 0

#15
winvista

winvista

    Member

  • Topic Starter
  • Member
  • PipPip
  • 40 posts
MiniToolBox

MiniToolBox by Farbar Version: 18-01-2012
Ran by admin (administrator) on 28-05-2012 at 14:49:22
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek PCIe FE Family Controller = Local Area Connection (Media disconnected)
Atheros AR5007EG Wireless Network Adapter = Wireless Network Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : rnt-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

PPP adapter Localnet:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Localnet
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 4.225.151.186(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 64.136.173.4
64.136.164.76
NetBIOS over Tcpip. . . . . . . . : Disabled

Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter
Physical Address. . . . . . . . . : 00-21-63-0F-E6-60
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 00-1E-33-45-8D-6C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{2863352B-78F6-4CA1-A9AD-693AF7C96463}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{B0F31E43-512B-499E-AAA1-E7828F7C5D43}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 15:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 16:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 17:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #5
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:4e1:97ba::4e1:97ba(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 64.136.173.4
64.136.164.76
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: node4.173.136.64.1dial.com
Address: 64.136.173.4

Name: google.com
Addresses: 74.125.131.138
74.125.131.102
74.125.131.101
74.125.131.100
74.125.131.139
74.125.131.113

Ping request could not find host google.com. Please check the name and try again.

Server: node4.173.136.64.1dial.com
Address: 64.136.173.4

Name: yahoo.com
Addresses: 98.139.183.24
209.191.122.70
72.30.38.140

Ping request could not find host yahoo.com. Please check the name and try again.

Server: node4.173.136.64.1dial.com
Address: 64.136.173.4

Name: bleepingcomputer.com
Address: 208.43.87.2

Ping request could not find host bleepingcomputer.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
28 ........................... Localnet
11 ...00 21 63 0f e6 60 ...... Atheros AR5007EG Wireless Network Adapter
10 ...00 1e 33 45 8d 6c ...... Realtek PCIe FE Family Controller
1 ........................... Software Loopback Interface 1
12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
18 ...00 00 00 00 00 00 00 e0 isatap.{2863352B-78F6-4CA1-A9AD-693AF7C96463}
19 ...00 00 00 00 00 00 00 e0 isatap.{B0F31E43-512B-499E-AAA1-E7828F7C5D43}
29 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
17 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
30 ...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 On-link 4.225.151.186 51
4.225.151.186 255.255.255.255 On-link 4.225.151.186 306
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 4.225.151.186 51
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
255.255.255.255 255.255.255.255 On-link 4.225.151.186 306
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
30 1050 2002::/16 On-link
30 306 2002:4e1:97ba::4e1:97ba/128
On-link
1 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 29 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 30 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 31 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 32 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/28/2012 02:42:46 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 15600

Error: (05/28/2012 02:42:46 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 15600

Error: (05/28/2012 02:42:46 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (05/28/2012 02:25:45 PM) (Source: Microsoft-Windows-SpoolerSpoolss) (User: SYSTEM)SYSTEM
Description: 0x80072af9

Error: (05/28/2012 02:22:45 PM) (Source: Microsoft-Windows-SpoolerSpoolss) (User: SYSTEM)SYSTEM
Description: 0x80072af9

Error: (05/28/2012 02:20:30 PM) (Source: Application Error) (User: )
Description: Faulting application pinger.exe, version 0.0.0.0, time stamp 0x45b94da2, faulting module pinger.exe, version 0.0.0.0, time stamp 0x45b94da2, exception code 0xc0000005, fault offset 0x000170cd,
process id 0x5cc, application start time 0xpinger.exe0.

Error: (05/28/2012 02:20:26 PM) (Source: Microsoft-Windows-SpoolerSpoolss) (User: SYSTEM)SYSTEM
Description: 0x80072af9

Error: (05/28/2012 02:18:49 PM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{CEB8B221-89C5-41A8-98CE-79B413BF150B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (05/28/2012 02:18:48 PM) (Source: WcesComm) (User: )
Description: Windows Mobile-based device failed to connect due to Fatal (0x80004005) failure (see data for failure code).

Error: (05/28/2012 02:18:43 PM) (Source: WcesComm) (User: )
Description: Windows Mobile-based device failed to connect due to Fatal (0x80004005) failure (see data for failure code).


System errors:
=============
Error: (05/28/2012 02:44:03 PM) (Source: Service Control Manager) (User: )
Description: 30000Netman

Error: (05/28/2012 02:25:45 PM) (Source: Service Control Manager) (User: )
Description: Print Spooler3

Error: (05/28/2012 02:22:45 PM) (Source: Service Control Manager) (User: )
Description: Print Spooler2600001Restart the service

Error: (05/28/2012 02:21:21 PM) (Source: Service Control Manager) (User: )
Description: KLIF

Error: (05/28/2012 02:21:21 PM) (Source: Service Control Manager) (User: )
Description: Print Spooler1600001Restart the service

Error: (05/28/2012 02:21:21 PM) (Source: Service Control Manager) (User: )
Description: 30000pinger

Error: (05/28/2012 02:21:21 PM) (Source: Service Control Manager) (User: )
Description: Net.Tcp Listener Adapterwas

Error: (05/28/2012 02:21:21 PM) (Source: Service Control Manager) (User: )
Description: Net.Pipe Listener Adapterwas

Error: (05/28/2012 02:21:21 PM) (Source: Service Control Manager) (User: )
Description: Microsoft Antimalware Service%%2147942402

Error: (05/28/2012 02:13:27 PM) (Source: Service Control Manager) (User: )
Description: 30000Netman


Microsoft Office Sessions:
=========================

**** End of log ****
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP