Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help removing trojan.gen.2, trojan.gen and trojan.zeroaccess.b [S

Started by adiii , Jul 21 2012 02:15 PM

  • This topic is locked This topic is locked

#16
WhiteHat
Posted 28 July 2012 - 01:39 PM

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #
  • Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
  • Right-click in the open notepad and select Paste.
  • Save it on the flashdrive as fixlist.txt
C:\Windows\assembly\GAC\Desktop.ini
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe C:\Windows\System32\services.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7

Now please enter System Recovery Options and select Command prompt
Posted Image

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.

# Step 2 #

Tell me how is your computer.
  • Run the OTL.exe. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open one notepad windows contains OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post him in your topic

Edited by WhiteHat, 28 July 2012 - 01:40 PM.

  • 0

Advertisements

#17
adiii
Posted 28 July 2012 - 07:06 PM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-28 20:55:03 Run:1
Running from F:\

==============================================

C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====
  • 0

#18
adiii
Posted 28 July 2012 - 07:30 PM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
OTL logfile created on: 7/28/2012 9:07:59 PM - Run 2
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\owner\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 51.58% Memory free
3.99 Gb Paging File | 2.92 Gb Available in Paging File | 73.29% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 231.42 Gb Total Space | 125.15 Gb Free Space | 54.08% Space Free | Partition Type: NTFS
Drive E: | 983.22 Mb Total Space | 139.75 Mb Free Space | 14.21% Space Free | Partition Type: FAT

Computer Name: OWNER-PC | User Name: owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/21 23:37:24 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
PRC - [2012/02/23 13:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
PRC - [2011/07/27 13:22:52 | 000,126,976 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2011/04/16 20:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe
PRC - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2011/02/10 00:35:03 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/20 07:36:58 | 000,210,216 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2009/02/03 09:15:18 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/01/29 18:51:52 | 004,911,104 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/04/27 23:15:46 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2007/04/26 21:56:10 | 000,538,744 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
PRC - [2007/04/11 12:19:48 | 004,443,136 | ---- | M] () -- C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
PRC - [2007/04/10 19:40:28 | 000,413,696 | ---- | M] (Chicony) -- C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
PRC - [2007/03/29 13:39:20 | 000,427,576 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2007/03/29 13:39:18 | 000,411,192 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
PRC - [2007/03/22 14:46:54 | 000,448,632 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SmoothView\SmoothView.exe
PRC - [2007/02/26 00:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/01/25 20:50:26 | 000,063,096 | ---- | M] () -- c:\Toshiba\IVP\swupdate\swupdtmr.exe
PRC - [2007/01/25 20:47:50 | 000,136,816 | ---- | M] () -- C:\Toshiba\IVP\ISM\pinger.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/14 23:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/11/06 20:14:44 | 000,034,352 | ---- | M] () -- C:\Program Files\Toshiba\Utilities\KeNotify.exe
PRC - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/15 00:14:29 | 000,518,656 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\TCrdMain\8b0dba4627840c06841ab04757ade525\TCrdMain.ni.exe
MOD - [2012/06/14 19:36:41 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll
MOD - [2012/06/14 19:36:22 | 001,592,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll
MOD - [2012/06/14 19:35:08 | 014,329,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7343fbab1ba137db2f8b284047ef3f3c\PresentationFramework.ni.dll
MOD - [2012/06/14 19:31:28 | 012,219,392 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\7b6293b0c23321c255c2530aea8e32bb\PresentationCore.ni.dll
MOD - [2012/05/10 04:36:56 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c8c3ab08933fef9fb6657da871395c46\PresentationFramework.Aero.ni.dll
MOD - [2012/05/10 04:36:03 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\54426ee1881b42af5b090e223f43823c\WindowsBase.ni.dll
MOD - [2012/05/10 04:35:59 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
MOD - [2012/05/10 04:35:49 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
MOD - [2011/11/10 10:42:59 | 000,103,424 | ---- | M] () -- C:\Program Files\Google\Quick Search Box\bin\1.2.1151.245\rlz.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/12/08 18:50:04 | 003,565,056 | ---- | M] () -- C:\Program Files\ffdshow\ffdshow.ax
MOD - [2009/08/11 21:18:28 | 000,497,664 | ---- | M] () -- C:\Windows\System32\ac3filter.acm
MOD - [2007/04/25 00:57:36 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll
MOD - [2007/04/23 13:38:08 | 000,009,216 | ---- | M] () -- C:\Program Files\Toshiba\ConfigFree\NotifyCFF.dll
MOD - [2007/04/11 12:19:48 | 004,443,136 | ---- | M] () -- C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
MOD - [2006/12/01 21:55:42 | 000,009,216 | ---- | M] () -- C:\Program Files\Toshiba\TBS\NotifyTBS.dll
MOD - [2006/11/09 21:27:00 | 000,090,112 | ---- | M] () -- C:\Program Files\Toshiba\FlashCards\TWarnMsg\TWarnMsg.dll
MOD - [2006/11/08 21:08:30 | 000,009,216 | ---- | M] () -- C:\Program Files\Toshiba\PCDiag\NotifyPCD.dll
MOD - [2006/11/06 20:14:44 | 000,034,352 | ---- | M] () -- C:\Program Files\Toshiba\Utilities\KeNotify.exe
MOD - [2006/10/10 14:44:16 | 000,009,728 | ---- | M] () -- C:\Program Files\Toshiba\TOSHIBA Assist\NotifyX.dll
MOD - [2006/10/07 14:57:04 | 000,053,248 | ---- | M] () -- C:\Program Files\Toshiba\TOSHIBA Disc Creator\NotifyTDC.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe -- (McSysmon)
SRV - File not found [Auto | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe -- (McShield)
SRV - [2012/07/26 23:58:46 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/20 14:03:08 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/06/07 19:12:14 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/04/16 20:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe -- (NIS)
SRV - [2011/02/28 18:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2011/02/10 00:35:03 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\Windows\System32\rpcnet.exe -- (rpcnet) Remote Procedure Call (RPC)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/05/05 18:25:46 | 000,165,416 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/04/27 23:15:46 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2007/03/29 13:39:20 | 000,427,576 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/02/26 00:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/01/25 20:50:26 | 000,063,096 | ---- | M] () [Auto | Running] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/01/25 20:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\Toshiba\IVP\ISM\pinger.exe -- (pinger)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/11/14 23:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\TpChoice.sys -- (TpChoice)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (Tosrfcom)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/07/21 15:05:33 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/06/18 20:01:14 | 000,821,920 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20120711.002\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/06/14 14:39:26 | 000,382,624 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20120727.001\IDSvix86.sys -- (IDSVix86)
DRV - [2012/05/30 22:33:40 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/05/30 22:33:39 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/05/26 02:55:58 | 001,589,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120727.033\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/05/26 02:55:58 | 000,087,928 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\VirusDefs\20120727.033\NAVENG.SYS -- (NAVENG)
DRV - [2011/05/10 00:14:00 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/04/20 21:37:49 | 000,331,384 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NIS\1207020.003\symtdiv.sys -- (SYMTDIv)
DRV - [2011/03/30 23:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\NIS\1207020.003\srtsp.sys -- (SRTSP)
DRV - [2011/03/30 23:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NIS\1207020.003\srtspx.sys -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/14 22:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\System32\drivers\NIS\1207020.003\symefa.sys -- (SymEFA)
DRV - [2011/01/27 02:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\NIS\1207020.003\symds.sys -- (SymDS)
DRV - [2011/01/27 01:07:05 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NIS\1207020.003\ironx86.sys -- (SymIRON)
DRV - [2009/06/19 21:44:14 | 000,290,816 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2008/11/10 12:26:00 | 000,135,680 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/08/22 10:24:38 | 000,036,512 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2008/07/29 05:05:04 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/05/13 19:08:04 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/02/22 16:33:00 | 000,087,936 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2007/11/09 05:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/04/27 23:13:58 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
DRV - [2007/04/25 01:07:14 | 002,590,720 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/03/13 00:47:54 | 000,011,264 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2006/11/28 18:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/10/18 14:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/09/27 23:06:00 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2006/08/30 12:35:58 | 000,140,800 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2006/07/28 19:25:26 | 000,019,456 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\LPCFilter.sys -- (LPCFilter)
DRV - [2006/02/14 14:50:00 | 000,216,320 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10I.sys -- (KR10I)
DRV - [2006/01/07 11:09:50 | 000,007,548 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Samhid.sys -- (samhid)
DRV - [2005/09/27 19:57:00 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10N.sys -- (KR10N)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {89147D9E-47BE-4619-878F-7F1FCB3AE306}
IE - HKLM\..\SearchScopes\{89147D9E-47BE-4619-878F-7F1FCB3AE306}: "URL" = http://www.google.co...ge={startPage};


IE - HKU\.DEFAULT\..\SearchScopes\{26973266-0412-4972-999A-5AF6FB2CCCEA}: "URL" = http://search.yahoo....=utf-8&fr=b2ie7
IE - HKU\.DEFAULT\..\SearchScopes\{4B8C28A7-A9BC-45F8-990D-21499EED643C}: "URL" = http://www.questscan...s={searchTerms}
IE - HKU\.DEFAULT\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes\{26973266-0412-4972-999A-5AF6FB2CCCEA}: "URL" = http://search.yahoo....=utf-8&fr=b2ie7
IE - HKU\S-1-5-18\..\SearchScopes\{4B8C28A7-A9BC-45F8-990D-21499EED643C}: "URL" = http://www.questscan...s={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}

IE - HKU\S-1-5-20\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}

IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie9
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\SearchScopes,DefaultScope = {89147D9E-47BE-4619-878F-7F1FCB3AE306}
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\SearchScopes\{21619D07-1073-43D8-8A76-3357C73CABCB}: "URL" = http://delicious.com...p={searchTerms}
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\SearchScopes\{300FEB6E-EEF5-4839-82FF-BD0003547B18}: "URL" = http://rover.ebay.co...e={searchTerms}
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\SearchScopes\{802478AF-EFC6-4801-BD74-14247C7C96F7}: "URL" = http://search.yahoo....}&fr=chr-ygames
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\SearchScopes\{89147D9E-47BE-4619-878F-7F1FCB3AE306}: "URL" = http://www.google.co...1I7TSHB_enUS236
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....p={searchTerms}
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\SearchScopes\{E65DA6BB-45F0-4344-8CEB-43393F4BA081}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\SearchScopes\Comcast: "URL" = http://search.comcas...q={searchTerms}
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultEngine: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo-Mp3Tube"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.selectedEngineURL: ""
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.1
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:5.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\owner\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.647: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.647: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.1: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\owner\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll (Move Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPlgn\ [2012/01/31 21:12:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\coFFPlgn_2011_7_10_1 [2012/07/28 20:58:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\ProgramData\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2011/05/01 18:07:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/05/21 09:44:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/20 14:03:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/17 00:14:44 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Users\owner\AppData\Roaming\Move Networks [2010/01/01 10:56:07 | 000,000,000 | ---D | M]

[2008/12/28 12:44:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Extensions
[2012/07/22 23:20:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\drkj3dog.default\extensions
[2010/06/01 21:30:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\drkj3dog.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/17 21:18:57 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\drkj3dog.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2012/05/20 16:41:56 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\drkj3dog.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/07/21 01:01:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/23 22:26:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/07/28 20:58:01 | 000,000,000 | ---D | M] (Norton Toolbar) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\COFFPLGN_2011_7_10_1
[2012/01/31 21:12:21 | 000,000,000 | ---D | M] (Symantec Intrusion Prevention) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPLGN
[2012/07/20 14:03:11 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/27 23:43:53 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2008/12/28 12:51:58 | 000,221,184 | ---- | M] (CNN) -- C:\Program Files\mozilla firefox\plugins\NPTURNMED.dll
[2012/06/18 20:22:10 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/18 20:22:10 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/09/09 21:30:25 | 000,000,736 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll (Yahoo! Inc.)
O2 - BHO: (Ask Search Assistant BHO) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn8\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn10\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.7.2.3\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HWSetup] \HWSetup.exe hwSetUP File not found
O4 - HKLM..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA)
O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE (TOSHIBA Corporation)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; OfficeLiveConnector.1.4; OfficeLivePatch.0.0; .NET CLR 3.0.30729; yie8)" -"http://www.candystan...home-run-rally" File not found
O7 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..Trusted Domains: blackpeoplemeet.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8CFCDD09-5BDC-4A7F-B180-94BC0B24034A}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\Userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/27 02:39:39 | 000,000,000 | ---D | C] -- C:\FRST
[2012/07/23 20:03:56 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/22 23:12:25 | 000,694,833 | ---- | C] (Farbar) -- C:\Users\owner\Desktop\FSS.exe
[2012/07/21 23:37:22 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2012/07/21 13:51:01 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2012/07/20 02:22:44 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\FixZeroAccess
[2012/07/20 00:47:00 | 001,805,736 | ---- | C] (Symantec Corporation) -- C:\Users\owner\Desktop\FixZeroAccess.exe
[2012/07/18 23:36:38 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Local\NPE
[2012/07/05 01:35:25 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\Skype
[2012/07/04 23:27:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012/07/04 23:27:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012/07/04 23:27:18 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2012/07/04 23:27:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/28 21:04:05 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/28 20:57:37 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/28 20:57:18 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
[2012/07/28 20:57:17 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.dll
[2012/07/28 20:57:14 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/28 20:57:14 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/28 20:57:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/28 20:56:44 | 2011,217,920 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/28 20:56:35 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.exe
[2012/07/28 20:42:33 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/07/28 15:46:46 | 000,002,120 | ---- | M] () -- C:\{C1607F10-2840-4932-8171-4DFF8B09DA7B}
[2012/07/27 22:31:53 | 000,002,120 | ---- | M] () -- C:\{84A35C89-32C3-4B84-BF5D-2427DF26D33C}
[2012/07/26 22:14:21 | 000,608,644 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/07/26 22:14:21 | 000,106,114 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/07/26 22:11:52 | 000,002,120 | ---- | M] () -- C:\{A15914A2-DC5E-4FCF-ABD5-3C0BD01243C1}
[2012/07/23 22:05:33 | 000,001,356 | ---- | M] () -- C:\Users\owner\AppData\Local\d3d9caps.dat
[2012/07/23 20:44:34 | 000,003,072 | ---- | M] () -- C:\{18F8B386-A614-41A9-8313-875EDDBDBDFF}
[2012/07/23 20:01:48 | 000,002,120 | ---- | M] () -- C:\{017AE820-2E09-47FB-94AC-3C4D6F1D2F6D}
[2012/07/23 19:50:13 | 000,003,168 | ---- | M] () -- C:\{65C2DD60-AB4A-457B-B90F-37A3C2CEDF67}
[2012/07/22 23:12:27 | 000,694,833 | ---- | M] (Farbar) -- C:\Users\owner\Desktop\FSS.exe
[2012/07/22 18:05:39 | 000,003,168 | ---- | M] () -- C:\{421B7E3D-F4BA-4A81-AB8A-AF6907553ACF}
[2012/07/21 23:37:24 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2012/07/21 15:50:44 | 000,003,128 | ---- | M] () -- C:\{F4797981-02AF-428E-A765-754D0DB18751}
[2012/07/21 15:05:33 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2012/07/21 02:32:58 | 000,003,168 | ---- | M] () -- C:\{6BA63AEC-DA5D-4DFD-8C21-7E4B7BE9E671}
[2012/07/20 23:40:54 | 000,003,168 | ---- | M] () -- C:\{02FC3C85-BC25-49B9-BBAC-3C147A19DB6B}
[2012/07/20 23:32:51 | 000,003,168 | ---- | M] () -- C:\{AE4F983F-AD3B-44CB-8369-72777CCF9225}
[2012/07/20 23:31:32 | 000,003,168 | ---- | M] () -- C:\{49843135-F970-47CA-9773-1BEA8146003D}
[2012/07/20 23:30:11 | 000,003,160 | ---- | M] () -- C:\{25C84DC3-D432-491A-9C88-6C1E880F841E}
[2012/07/20 23:28:52 | 000,003,168 | ---- | M] () -- C:\{0703E6FE-DCBE-4A6D-BB8B-6F26585ABDF2}
[2012/07/20 23:27:14 | 000,003,168 | ---- | M] () -- C:\{172D16FF-1F6C-412B-821D-11F795C7FCE6}
[2012/07/20 23:25:38 | 000,003,192 | ---- | M] () -- C:\{98A4F8BF-BC08-4429-AA03-CD12FCE3F766}
[2012/07/20 23:23:04 | 000,003,168 | ---- | M] () -- C:\{E2728F82-2C61-4BCC-8E4E-E1BAC63902D9}
[2012/07/20 22:48:17 | 000,003,192 | ---- | M] () -- C:\{0FF10280-BFFC-45F4-A35B-851A614E8555}
[2012/07/20 21:32:18 | 000,003,168 | ---- | M] () -- C:\{B1734447-E7E2-41A1-AFF7-00D8CA9AC224}
[2012/07/20 21:31:08 | 000,003,192 | ---- | M] () -- C:\{68522BF9-0388-45FD-A351-437B7E39F3BC}
[2012/07/20 20:53:00 | 000,003,192 | ---- | M] () -- C:\{F8EE753C-A82A-4096-A211-41CC35E44794}
[2012/07/20 20:52:59 | 000,002,464 | ---- | M] () -- C:\{0F1D25AE-AF68-4994-A939-C1B877CA8E5A}
[2012/07/20 20:50:57 | 000,003,160 | ---- | M] () -- C:\{E34D0970-97CF-4FCB-AC79-A057B5B83843}
[2012/07/20 20:49:18 | 000,003,168 | ---- | M] () -- C:\{50AAECBA-03E8-46CF-B973-6F5C1F15EFC5}
[2012/07/20 20:43:25 | 000,003,192 | ---- | M] () -- C:\{2A74AE8E-BDE1-4C97-AB83-2A65A633C5F8}
[2012/07/20 20:42:09 | 000,003,168 | ---- | M] () -- C:\{FCFCD298-AFC8-4031-A971-4BC6FB5C0E6A}
[2012/07/20 20:40:26 | 000,003,168 | ---- | M] () -- C:\{9C6F7F4B-8968-43EA-B8E6-19B23C4E4FA7}
[2012/07/20 20:26:00 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/20 20:00:49 | 000,003,192 | ---- | M] () -- C:\{2326045C-366B-4E8E-B60C-DDF70650FE27}
[2012/07/20 02:30:26 | 000,003,192 | ---- | M] () -- C:\{A855009F-34C2-4DEC-A4DB-18793F7ADC23}
[2012/07/20 00:47:02 | 001,805,736 | ---- | M] (Symantec Corporation) -- C:\Users\owner\Desktop\FixZeroAccess.exe
[2012/07/18 19:20:46 | 000,003,192 | ---- | M] () -- C:\{98AB9C6F-5E6B-44F4-A09A-D0B2CEE95776}
[2012/07/18 05:18:26 | 000,003,168 | ---- | M] () -- C:\{35A52861-7BAF-4A80-992D-30925ADF5EE1}
[2012/07/18 05:10:30 | 000,003,168 | ---- | M] () -- C:\{3CF5315D-4D73-44F2-A5D2-662D016C698A}
[2012/07/18 05:08:36 | 000,003,168 | ---- | M] () -- C:\{78AC8E6E-F62F-4D9E-8AFE-8218316A867D}
[2012/07/18 04:51:15 | 000,003,168 | ---- | M] () -- C:\{EEDB5512-5B27-41BB-BAED-5FDB81B94439}
[2012/07/18 04:15:23 | 000,003,168 | ---- | M] () -- C:\{B2F58096-3B54-4F81-A5CB-BCDB1CA8E9C8}
[2012/07/18 03:56:33 | 000,003,192 | ---- | M] () -- C:\{B4B4E2B6-196D-438B-A08D-A40BD4BE5323}
[2012/07/18 03:37:50 | 000,003,168 | ---- | M] () -- C:\{B2FC7829-2EA3-4B10-9DCB-80BF3D68F852}
[2012/07/18 03:36:41 | 000,003,192 | ---- | M] () -- C:\{F1140557-A947-449A-85C7-C733E3220169}
[2012/07/18 02:53:59 | 000,003,192 | ---- | M] () -- C:\{A9CFB260-1C5B-4965-B0F4-B7E4F22203F5}
[2012/07/18 02:28:50 | 000,003,160 | ---- | M] () -- C:\{57B206EB-177E-44C3-A8E9-117A711A5B53}
[2012/07/18 02:26:38 | 000,003,168 | ---- | M] () -- C:\{9A711070-2854-498D-B7C2-0D0477A64530}
[2012/07/18 02:25:20 | 000,003,168 | ---- | M] () -- C:\{9B66C1D4-7CF2-4E8F-AED2-0A3877B43008}
[2012/07/18 02:16:08 | 000,003,168 | ---- | M] () -- C:\{EC4AD8BB-3761-4E1B-A4B4-2371E901D8A8}
[2012/07/18 02:05:03 | 000,003,168 | ---- | M] () -- C:\{99AECE6E-7740-44DB-8695-79EEF4631A75}
[2012/07/18 02:03:42 | 000,003,192 | ---- | M] () -- C:\{6BD5900C-EEA0-4E3D-9A5F-608B47C08BA2}
[2012/07/18 01:36:53 | 000,003,168 | ---- | M] () -- C:\{3B332147-7ED6-42C5-96D0-79AF3F20C510}
[2012/07/18 01:11:00 | 000,003,168 | ---- | M] () -- C:\{5A1883F0-A816-414D-8D71-E729D33B72A7}
[2012/07/18 01:04:24 | 000,003,192 | ---- | M] () -- C:\{C5D43213-7AEC-4FAF-99B5-909D787C0FF3}
[2012/07/18 00:37:57 | 000,003,192 | ---- | M] () -- C:\{19243217-DCC9-406D-8E8D-8388F331CCD9}
[2012/07/18 00:31:56 | 000,003,168 | ---- | M] () -- C:\{72924E0D-457C-4366-B8B0-9C9F43C73209}
[2012/07/18 00:30:18 | 000,003,168 | ---- | M] () -- C:\{6F95C386-9376-4466-8EE7-BBCC49E08E4E}
[2012/07/12 21:49:02 | 000,326,144 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/07/04 23:51:29 | 000,002,487 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/28 15:46:46 | 000,002,120 | ---- | C] () -- C:\{C1607F10-2840-4932-8171-4DFF8B09DA7B}
[2012/07/27 22:31:53 | 000,002,120 | ---- | C] () -- C:\{84A35C89-32C3-4B84-BF5D-2427DF26D33C}
[2012/07/26 22:11:50 | 000,002,120 | ---- | C] () -- C:\{A15914A2-DC5E-4FCF-ABD5-3C0BD01243C1}
[2012/07/23 20:44:34 | 000,003,072 | ---- | C] () -- C:\{18F8B386-A614-41A9-8313-875EDDBDBDFF}
[2012/07/23 20:01:47 | 000,002,120 | ---- | C] () -- C:\{017AE820-2E09-47FB-94AC-3C4D6F1D2F6D}
[2012/07/23 19:50:13 | 000,003,168 | ---- | C] () -- C:\{65C2DD60-AB4A-457B-B90F-37A3C2CEDF67}
[2012/07/22 18:05:39 | 000,003,168 | ---- | C] () -- C:\{421B7E3D-F4BA-4A81-AB8A-AF6907553ACF}
[2012/07/21 15:50:44 | 000,003,128 | ---- | C] () -- C:\{F4797981-02AF-428E-A765-754D0DB18751}
[2012/07/21 15:45:04 | 2011,217,920 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/21 02:32:57 | 000,003,168 | ---- | C] () -- C:\{6BA63AEC-DA5D-4DFD-8C21-7E4B7BE9E671}
[2012/07/20 23:40:54 | 000,003,168 | ---- | C] () -- C:\{02FC3C85-BC25-49B9-BBAC-3C147A19DB6B}
[2012/07/20 23:32:50 | 000,003,168 | ---- | C] () -- C:\{AE4F983F-AD3B-44CB-8369-72777CCF9225}
[2012/07/20 23:31:32 | 000,003,168 | ---- | C] () -- C:\{49843135-F970-47CA-9773-1BEA8146003D}
[2012/07/20 23:30:11 | 000,003,160 | ---- | C] () -- C:\{25C84DC3-D432-491A-9C88-6C1E880F841E}
[2012/07/20 23:28:51 | 000,003,168 | ---- | C] () -- C:\{0703E6FE-DCBE-4A6D-BB8B-6F26585ABDF2}
[2012/07/20 23:27:14 | 000,003,168 | ---- | C] () -- C:\{172D16FF-1F6C-412B-821D-11F795C7FCE6}
[2012/07/20 23:25:37 | 000,003,192 | ---- | C] () -- C:\{98A4F8BF-BC08-4429-AA03-CD12FCE3F766}
[2012/07/20 23:23:04 | 000,003,168 | ---- | C] () -- C:\{E2728F82-2C61-4BCC-8E4E-E1BAC63902D9}
[2012/07/20 22:48:17 | 000,003,192 | ---- | C] () -- C:\{0FF10280-BFFC-45F4-A35B-851A614E8555}
[2012/07/20 21:32:18 | 000,003,168 | ---- | C] () -- C:\{B1734447-E7E2-41A1-AFF7-00D8CA9AC224}
[2012/07/20 21:31:07 | 000,003,192 | ---- | C] () -- C:\{68522BF9-0388-45FD-A351-437B7E39F3BC}
[2012/07/20 20:52:59 | 000,003,192 | ---- | C] () -- C:\{F8EE753C-A82A-4096-A211-41CC35E44794}
[2012/07/20 20:52:59 | 000,002,464 | ---- | C] () -- C:\{0F1D25AE-AF68-4994-A939-C1B877CA8E5A}
[2012/07/20 20:50:57 | 000,003,160 | ---- | C] () -- C:\{E34D0970-97CF-4FCB-AC79-A057B5B83843}
[2012/07/20 20:49:04 | 000,003,168 | ---- | C] () -- C:\{50AAECBA-03E8-46CF-B973-6F5C1F15EFC5}
[2012/07/20 20:43:22 | 000,003,192 | ---- | C] () -- C:\{2A74AE8E-BDE1-4C97-AB83-2A65A633C5F8}
[2012/07/20 20:42:09 | 000,003,168 | ---- | C] () -- C:\{FCFCD298-AFC8-4031-A971-4BC6FB5C0E6A}
[2012/07/20 20:40:26 | 000,003,168 | ---- | C] () -- C:\{9C6F7F4B-8968-43EA-B8E6-19B23C4E4FA7}
[2012/07/20 20:26:00 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/20 20:00:49 | 000,003,192 | ---- | C] () -- C:\{2326045C-366B-4E8E-B60C-DDF70650FE27}
[2012/07/20 02:30:25 | 000,003,192 | ---- | C] () -- C:\{A855009F-34C2-4DEC-A4DB-18793F7ADC23}
[2012/07/18 19:20:36 | 000,003,192 | ---- | C] () -- C:\{98AB9C6F-5E6B-44F4-A09A-D0B2CEE95776}
[2012/07/18 05:18:24 | 000,003,168 | ---- | C] () -- C:\{35A52861-7BAF-4A80-992D-30925ADF5EE1}
[2012/07/18 05:10:29 | 000,003,168 | ---- | C] () -- C:\{3CF5315D-4D73-44F2-A5D2-662D016C698A}
[2012/07/18 05:08:32 | 000,003,168 | ---- | C] () -- C:\{78AC8E6E-F62F-4D9E-8AFE-8218316A867D}
[2012/07/18 04:51:14 | 000,003,168 | ---- | C] () -- C:\{EEDB5512-5B27-41BB-BAED-5FDB81B94439}
[2012/07/18 04:15:22 | 000,003,168 | ---- | C] () -- C:\{B2F58096-3B54-4F81-A5CB-BCDB1CA8E9C8}
[2012/07/18 03:56:29 | 000,003,192 | ---- | C] () -- C:\{B4B4E2B6-196D-438B-A08D-A40BD4BE5323}
[2012/07/18 03:37:49 | 000,003,168 | ---- | C] () -- C:\{B2FC7829-2EA3-4B10-9DCB-80BF3D68F852}
[2012/07/18 03:36:40 | 000,003,192 | ---- | C] () -- C:\{F1140557-A947-449A-85C7-C733E3220169}
[2012/07/18 02:53:58 | 000,003,192 | ---- | C] () -- C:\{A9CFB260-1C5B-4965-B0F4-B7E4F22203F5}
[2012/07/18 02:28:48 | 000,003,160 | ---- | C] () -- C:\{57B206EB-177E-44C3-A8E9-117A711A5B53}
[2012/07/18 02:26:30 | 000,003,168 | ---- | C] () -- C:\{9A711070-2854-498D-B7C2-0D0477A64530}
[2012/07/18 02:25:16 | 000,003,168 | ---- | C] () -- C:\{9B66C1D4-7CF2-4E8F-AED2-0A3877B43008}
[2012/07/18 02:16:06 | 000,003,168 | ---- | C] () -- C:\{EC4AD8BB-3761-4E1B-A4B4-2371E901D8A8}
[2012/07/18 02:05:02 | 000,003,168 | ---- | C] () -- C:\{99AECE6E-7740-44DB-8695-79EEF4631A75}
[2012/07/18 02:03:40 | 000,003,192 | ---- | C] () -- C:\{6BD5900C-EEA0-4E3D-9A5F-608B47C08BA2}
[2012/07/18 01:36:52 | 000,003,168 | ---- | C] () -- C:\{3B332147-7ED6-42C5-96D0-79AF3F20C510}
[2012/07/18 01:10:58 | 000,003,168 | ---- | C] () -- C:\{5A1883F0-A816-414D-8D71-E729D33B72A7}
[2012/07/18 01:04:21 | 000,003,192 | ---- | C] () -- C:\{C5D43213-7AEC-4FAF-99B5-909D787C0FF3}
[2012/07/18 00:37:57 | 000,003,192 | ---- | C] () -- C:\{19243217-DCC9-406D-8E8D-8388F331CCD9}
[2012/07/18 00:31:55 | 000,003,168 | ---- | C] () -- C:\{72924E0D-457C-4366-B8B0-9C9F43C73209}
[2012/07/18 00:30:16 | 000,003,168 | ---- | C] () -- C:\{6F95C386-9376-4466-8EE7-BBCC49E08E4E}
[2012/07/04 23:27:19 | 000,002,487 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2011/12/13 14:15:57 | 000,000,000 | ---- | C] () -- C:\Users\owner\InstallerControl_setup_exe.zjem6qs.partial
[2011/12/13 13:46:43 | 000,000,000 | ---- | C] () -- C:\Users\owner\InstallerControl_setup_exe.efv3v46.partial
[2011/11/07 23:52:36 | 000,035,196 | ---- | C] () -- C:\Users\owner\AppData\Roaming\UserTile.png
[2011/09/26 20:07:20 | 000,174,432 | ---- | C] () -- C:\Windows\hpoins43.dat
[2011/09/26 20:07:20 | 000,000,601 | ---- | C] () -- C:\Windows\hpomdl43.dat
[2011/05/24 00:19:35 | 000,085,504 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/05/01 21:10:53 | 000,001,356 | ---- | C] () -- C:\Users\owner\AppData\Local\d3d9caps.dat
[2010/04/12 22:41:30 | 000,011,396 | -HS- | C] () -- C:\Users\owner\AppData\Local\aB6G3tn
[2010/04/12 22:41:30 | 000,011,396 | -HS- | C] () -- C:\ProgramData\aB6G3tn
[2010/03/11 00:33:46 | 000,007,992 | -HS- | C] () -- C:\Users\owner\AppData\Local\7Nadb2
[2009/11/04 23:41:28 | 003,874,252 | R--- | C] () -- C:\Users\owner\Video0045.mp4
[2008/10/09 16:39:10 | 000,000,000 | ---- | C] () -- C:\Users\owner\AppData\Roaming\wklnhst.dat
[2007/12/19 23:47:28 | 000,000,632 | RHS- | C] () -- C:\Users\owner\ntuser.pol
[2007/10/27 00:07:10 | 000,601,728 | ---- | C] () -- C:\Users\owner\ampx_2_6_1_11_en.exe
[2007/09/13 21:40:03 | 000,013,312 | ---- | C] () -- C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2009/11/06 10:09:09 | 000,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\acccore
[2011/10/03 19:29:44 | 000,000,000 | ---D | M] -- C:\Users\Guest\AppData\Roaming\ooVoo Details
[2008/06/29 00:57:24 | 000,000,000 | ---D | M] -- C:\Users\Lovie\AppData\Roaming\acccore
[2012/05/12 21:32:24 | 000,000,000 | ---D | M] -- C:\Users\Lovie\AppData\Roaming\ooVoo Details
[2007/12/23 18:00:42 | 000,000,000 | ---D | M] -- C:\Users\Lovie\AppData\Roaming\PlayFirst
[2007/12/22 16:32:58 | 000,000,000 | ---D | M] -- C:\Users\Lovie\AppData\Roaming\WildTangent
[2007/10/23 10:17:25 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\acccore
[2010/03/17 21:09:56 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\AVCWare Studio
[2012/07/20 02:22:44 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\FixZeroAccess
[2012/05/11 22:01:20 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\ooVoo Details
[2007/08/19 09:51:56 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Riverdeep
[2008/12/24 18:37:07 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Samsung
[2010/03/06 15:16:06 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\SecondLife
[2011/12/09 09:25:42 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\smkits
[2007/09/26 21:06:43 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Southwest Airlines
[2008/10/09 16:39:14 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Template
[2007/08/19 08:54:05 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Ulead Systems
[2012/06/03 10:30:42 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Utherverse
[2007/08/19 08:56:14 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\WildTangent
[2007/08/19 08:53:04 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\WinBatch
[2007/11/25 22:15:31 | 000,000,000 | ---D | M] -- C:\Users\Tia\AppData\Roaming\WildTangent
[2012/07/28 02:39:09 | 000,032,624 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >
  • 0

#19
adiii
Posted 28 July 2012 - 07:31 PM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Things seem to be better. This was the first time i started up windows with norton saying it had fixed threats.
  • 0

#20
WhiteHat
Posted 29 July 2012 - 11:25 AM

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

# Step 1 #
Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :OTL
IE - HKU\.DEFAULT\..\SearchScopes\{4B8C28A7-A9BC-45F8-990D-21499EED643C}: "URL" = http://www.questscan...s={searchTerms}
IE - HKU\.DEFAULT\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
IE - HKU\S-1-5-18\..\SearchScopes\{4B8C28A7-A9BC-45F8-990D-21499EED643C}: "URL" = http://www.questscan...s={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
IE - HKU\S-1-5-19\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
IE - HKU\S-1-5-20\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
IE - HKU\S-1-5-21-2748772516-3502916180-88706385-1000\..\SearchScopes\Comcast: "URL" = http://search.comcas...q={searchTerms}
O2 - BHO: (Ask Search Assistant BHO) -  {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program  Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL File not found
[2010/04/12 22:41:30 | 000,011,396 | -HS- | C] () -- C:\Users\owner\AppData\Local\aB6G3tn
[2010/04/12 22:41:30 | 000,011,396 | -HS- | C] () -- C:\ProgramData\aB6G3tn
[2010/03/11 00:33:46 | 000,007,992 | -HS- | C] () -- C:\Users\owner\AppData\Local\7Nadb2

:Commands
[CREATERESTOREPOINT]
[REBOOT]
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

# Step 2 #
Please run FSS.exe again.
Posted Image
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

  • 0

#21
adiii
Posted 30 July 2012 - 10:39 PM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
========== OTL ==========
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{4B8C28A7-A9BC-45F8-990D-21499EED643C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B8C28A7-A9BC-45F8-990D-21499EED643C}\ not found.
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{4B8C28A7-A9BC-45F8-990D-21499EED643C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B8C28A7-A9BC-45F8-990D-21499EED643C}\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
Registry key HKEY_USERS\S-1-5-21-2748772516-3502916180-88706385-1000\Software\Microsoft\Internet Explorer\SearchScopes\{searchTerms}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{searchTerms}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}\ deleted successfully.
C:\Users\owner\AppData\Local\aB6G3tn moved successfully.
C:\ProgramData\aB6G3tn moved successfully.
C:\Users\owner\AppData\Local\7Nadb2 moved successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.54.0 log created on 07312012_002123
  • 0

#22
adiii
Posted 30 July 2012 - 10:39 PM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Farbar Service Scanner Version: 22-07-2012
Ran by owner (administrator) on 31-07-2012 at 00:34:01
Running from "C:\Users\owner\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================
ATTENTION!=====> Unable to open HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile. The key does not exist.
ATTENTION!=====> Unable to open HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile. The key does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-05-09 22:02] - [2012-03-30 08:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#23
WhiteHat
Posted 31 July 2012 - 12:41 PM

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

# Step 1 #
Download and run the following registry keys:
Attached File  BFE.reg   154.41KB   248 downloads
Attached File  MpsSvc.reg   6.69KB   241 downloads
Attached File  SharedAccess.reg   338.82KB   251 downloads
Attached File  wscsvc.reg   5.13KB   243 downloads

# Step 2 #
Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications"=dword:00000000
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications"=dword:00000000
"EnableFirewall"=dword:00000001

:Files
Net Start sharedaccess /c
Net Start wscsvc /c
Net Start bfe /c
Net Start MpsSvc /c
Net start mpsdrv /c

:Commands
[CREATERESTOREPOINT]
[REBOOT]
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

# Step 3 #
Run Farbar Service Scanner again and post the log (FSS.txt).
  • 0

#24
adiii
Posted 31 July 2012 - 11:40 PM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"EnableFirewall"|dword:00000001 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\\"EnableFirewall"|dword:00000001 /E : value set successfully!
========== FILES ==========
< Net Start sharedaccess /c >
C:\Users\owner\Desktop\cmd.bat deleted successfully.
C:\Users\owner\Desktop\cmd.txt deleted successfully.
< Net Start wscsvc /c >
C:\Users\owner\Desktop\cmd.bat deleted successfully.
C:\Users\owner\Desktop\cmd.txt deleted successfully.
< Net Start bfe /c >
C:\Users\owner\Desktop\cmd.bat deleted successfully.
C:\Users\owner\Desktop\cmd.txt deleted successfully.
< Net Start MpsSvc /c >
C:\Users\owner\Desktop\cmd.bat deleted successfully.
C:\Users\owner\Desktop\cmd.txt deleted successfully.
< Net start mpsdrv /c >
The Windows Firewall Authorization Driver service was started successfully.
C:\Users\owner\Desktop\cmd.bat deleted successfully.
C:\Users\owner\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.54.0 log created on 08012012_012120
  • 0

#25
adiii
Posted 31 July 2012 - 11:40 PM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Farbar Service Scanner Version: 22-07-2012
Ran by owner (administrator) on 01-08-2012 at 01:37:15
Running from "C:\Users\owner\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-05-09 22:02] - [2012-03-30 08:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

Advertisements

#26
WhiteHat
Posted 01 August 2012 - 11:59 AM

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

Please, check if the Windows update is working.
http://windows.micro.../windows-update

# Step 1 #
Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess]
"Start"=dword:00000002

:Files
Net Start MpsSvc /c
Net Start bfe /c
Net Start sharedaccess /c

:Commands
[CREATERESTOREPOINT]
[REBOOT]
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


# Step 2 #
Run Farbar Service Scanner again and post the log (FSS.txt)
  • 0

#27
adiii
Posted 03 August 2012 - 12:05 AM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hi, yes windows update is working.
  • 0

#28
adiii
Posted 03 August 2012 - 12:05 AM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\\"Start"|dword:00000002 /E : value set successfully!
========== FILES ==========
< Net Start MpsSvc /c >
C:\Users\owner\Desktop\cmd.bat deleted successfully.
C:\Users\owner\Desktop\cmd.txt deleted successfully.
< Net Start bfe /c >
The Base Filtering Engine service is starting.
C:\Users\owner\Desktop\cmd.bat deleted successfully.
C:\Users\owner\Desktop\cmd.txt deleted successfully.
< Net Start sharedaccess /c >
C:\Users\owner\Desktop\cmd.bat deleted successfully.
C:\Users\owner\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.54.0 log created on 08032012_014721
  • 0

#29
adiii
Posted 03 August 2012 - 12:06 AM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Farbar Service Scanner Version: 22-07-2012
Ran by owner (administrator) on 03-08-2012 at 02:02:45
Running from "C:\Users\owner\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-05-09 22:02] - [2012-03-30 08:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#30
adiii
Posted 03 August 2012 - 08:36 AM

adiii

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts
Hi

this morning when i turned my laptop on, norton pops up saying it had detected trojan.zeroaccess again. I haven't been getting that in days. Under the norton security history activity it says "desktop.ini (trojan.zeroaccess)detected by virus scanner." Also there are 2 shaded desktop.ini icons on my screen.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP