Rootkit - Vista - Credit Card hit :( [Solved]


This topic is locked

#1 urbansound (Member, 12 posts)

Hi,

Thank you in advance for assistance.

System is Toshiba Satellite L3055-S5919
CCleaner and Auslogics defrag
Restore points purged and new taken
AV removed for now, Security Essentials and Defender available
Windows firewall running local, machine is behind wireless router.

Problem:

Recent hits on credit cards caused me to suspect the machine to be infected.
Payment processes moved to clean machine and all security renewed at all locations.
Ran several common tools, SAS and MBAM in particular found but ONE tracker only while a few other remedial tools found things SAS and MBAM SHOULD have located.

Suspecting a rootkit may own the AV installs,...

* KernelDetective shows several hidden threads and modified kernel code.
* Hidden module cannot be identified but only by entry point
* Desktop.ini files acting with unusual persistence that SFC was unable to alter.

An OTL file is attached for review. I do understand the risk of repairing rootkit exposures; however, this Vista laptop has only a hidden OEM restore partition, so a gross reinstallation might just as well be compromised.

An attempt was made to use the Sophos Linux AV CD; however, slax was copied to the Windows root folder and now remains bound there as an inaccessible file set. Would be nice to clear that off if possible as well. The slax scan froze at either 4 or 10 minutes in each time, so it has not provided any benefit.

See attached files - (Removed for fresh context)

Thank you,

Urbansound

Edited by urbansound, 26 August 2013 - 07:34 PM.
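Post #1 attaches an OTL log for the helper to read. As an added example (written for this page, not part of OTL or of this thread), the Python script below parses the PRC/SRV/DRV/MOD lines of that log format and flags what a helper checks first: entries reported "File not found", anything loading from a Temp folder, random-looking eight-letter file names, and an empty company field. The flag rules are this example's own heuristics; the sample lines are copied from the log posted later in this thread.

```python
"""Triage helper for OTL log entries (added example, not part of OTL)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One OTL entry, e.g.
#   SRV - [2012/07/13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\...\Updater.exe -- (SkypeUpdate)
#   DRV - File not found [Kernel | On_Demand | Unknown] -- C:\...\Temp\axrcqpog.sys -- (axrcqpog)
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV|MOD) - "
    r"(?:\[(?P<meta>[^\]]*)\]|(?P<missing>File not found))"  # file metadata or the 'missing' marker
    r"(?:\s*\((?P<company>[^)]*)\))?"                        # company from version info, may be "()"
    r"(?:\s*\[(?P<state>[^\]]*)\])?"                         # service/driver start type and state
    r"\s*-- (?P<path>.+?)"                                   # on-disk path
    r"(?: -- \((?P<name>[^)]*)\))?$"                         # service or driver name
)

# Any "...\Temp\..." path component: services and kernel drivers almost never live there.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Eight lowercase letters plus a binary extension, a naming pattern often seen in
# dropped drivers (heuristic only; a legitimate file can match too).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:sys|dll|exe)$")


@dataclass
class Entry:
    kind: str
    path: str
    name: Optional[str]
    company: Optional[str]
    state: Optional[str]
    size: Optional[int]
    missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL entry line; returns None for section headers and other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None
    if m.group("meta"):
        # meta is "<modified time> | <size with commas> | <attrs> | M"
        fields = [f.strip() for f in m.group("meta").split("|")]
        if len(fields) >= 2 and fields[1].replace(",", "").isdigit():
            size = int(fields[1].replace(",", ""))
    company = m.group("company")
    return Entry(
        kind=m.group("kind"),
        path=m.group("path").strip(),
        name=m.group("name"),
        company=company.strip() if company is not None else None,
        state=m.group("state"),
        size=size,
        missing=m.group("missing") is not None,
    )


def triage(entry: Entry) -> List[str]:
    """Return the reasons (possibly none) this entry deserves a closer look."""
    reasons = []
    basename = entry.path.rsplit("\\", 1)[-1]
    if entry.missing:
        reasons.append("binary not found on disk (orphaned entry or hidden file)")
    if TEMP_PATH_RE.search(entry.path):
        reasons.append("loads from a Temp folder")
    if RANDOM_NAME_RE.match(basename):
        reasons.append("random-looking eight-letter file name")
    if not entry.missing and not entry.company:
        reasons.append("empty company name in version info")
    return reasons


def triage_log(text: str) -> List[Entry]:
    """Parse a whole OTL log and return only the flagged entries, in log order."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        entry.reasons = triage(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


# Sample lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========
PRC - [2013/08/26 21:30:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Elaine\Desktop\OldTimerLegs.exe
========== Modules (No Company Name) ==========
MOD - [2010/03/15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
========== Services (SafeList) ==========
SRV - [2012/07/13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
========== Driver Services (SafeList) ==========
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Elaine\AppData\Local\Temp\axrcqpog.sys -- (axrcqpog)
DRV - [2010/06/23 09:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind} {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run against a full OTL.txt by reading the file into `triage_log`; the "(SafeList)" sections that OTL already whitelists still pass through the same checks.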



#2 nathdep (Member, 587 posts)

Hello, urbansound and :welcome:

I am nathdep and I will be helping you with your malware problems.

Note: Just to let you know, I am still in the process of training to become a malware expert. I want you to know that I have a teacher who will be reviewing all the fixes that I post here. Thank you for being part of my learning process! :)


Here are some general steps to follow during the malware removal process:


  • Please print these instructions as well as future instructions, as you may have to boot in safe mode and will not be able to access this site via the internet. Another solution is saving these instructions by copying and pasting them into Notepad and saving the file in a convenient location.
  • Please be patient as the malware removal process could be lengthy, complex, and at times frustrating. Your cooperation throughout the entire process will benefit you as it will expedite your removal time. Please keep this issue in this post and do not post this same issue on a different site. Doing so can be compared to a patient seeing two different doctors. If the two different doctors are not aware of what medication the other doctor is prescribing, the patient could be risking his life. This is synonymous to a computer's health.
  • Please read (and re-read) the instructions entirely as not following the instructions carefully can produce damaging results.
  • Please tell me how your computer is running in the beginning of each post. Tell me both recurring and new issues, as this added information can shed even more light on the problems you are experiencing.

I have to get my first fix approved by my teacher. I will be back ASAP!

#3 urbansound (Topic Starter, 12 posts)

Hi Nathdep,

Thank you for responding.

In the interim, I have run Combofix standard process and cleaned up anything it could find straight away, then removed it.

The follow-up with Kernel Detective still shows the same kernel code modification and a hidden module, but now there's an additional module showing with Asian character set signatures, which I suspect is now visible after Combofix. Accordingly I installed a new copy of MBytes with an altered name, ran a full scan, and MBytes STILL comes up empty.

At this point, I'm simply cleaning back out any prior av or other tools as typical maintenance until you're ready to go, at which point you'll have a clean start and I'll be certain NOT to make changes without guidance as we proceed. I have several years working on AV beyond typical users and this one has me frankly stumped at my personal limit.

Instruct please as you're ready and thank you again.

Urban

#4 nathdep (Member, 587 posts)

Hello again urbansound! :)

NOTE: Please refrain from using ComboFix without guidance. This is a very powerful tool. Misusing it can render your system unusable. Please do not run any tools unless instructed.

Please follow these instructions very carefully:

First, Download the GMER Rootkit Scanner by clicking here. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Next, please post the log that ComboFix generated after you ran it. If you are unsure as to where the log was saved, navigate to C:\ComboFix.txt

In your next post be sure to include:
  • The GMER log
  • The ComboFix log
  • A report on if you experienced any issues while following the above instructions
  • A report on if any issues were solved or created while following the above instructions


#5 urbansound (Topic Starter, 12 posts)

Hi,

Not sure what happened, I never got notified the last reply came in from you. :(

I'm starting the process shortly. Among the efforts to clean things up, several items have been cleared (despite most AV/AS tools not seeing them): little tricks between safe mode and working with Explorer not running, along with cleaner and regcleaner (two I've found are safe and reliable).

Last I saw, KernelDetective still finds modified kernel code and at least one hook it's not able to locate as hidden.

That said, most of the scans will be fairly minimal and clean making it easier for you to spot things now.

Back in a bit, thanks again. (I will not process further efforts without specific direction).

Regards,

Urban

#6 urbansound (Topic Starter, 12 posts)

Hi,

Recap: Windows overall is behaving itself, but browsing and sometimes system dialog windows have a delay which simply "feels" wrong to me during operations, after many years of using Vista, especially as the system is not taxed doing much of anything during that time.

Updates are current. All scans are new.

Yesterday I opened Performance Monitor from Taskman and CPU went 100% until I killed explorer.

If I modify something in msconfig, the warning to restart on confirmation is never announced.

Desktop.ini files build in as many as 100 folders even with all visual themes turned off.

sfc complains the Desktop.ini files are corrupt and is unable to affect them. I am able to delete these files but they return fairly quickly.

KernelDetective shows modified kernel code, however is no longer indicating hidden drivers / threads.
GIF image of the kernel mode noted is attached at bottom

Thank you again for any direction or suggestions as most all AV/AS are failing to find anything at all. I will wait on further instruction.

Urban

++++++++++++++++++++++++++

Current OTL and Extras logs

OTL logfile created on: 8/26/2013 10:38:07 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Elaine\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.25 Gb Available Physical Memory | 66.65% Memory free
3.98 Gb Paging File | 3.43 Gb Available in Paging File | 86.18% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.37 Gb Total Space | 107.64 Gb Free Space | 76.68% Space Free | Partition Type: NTFS

Computer Name: ELAINE-MOBILE | User Name: Elaine | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/08/26 21:30:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Elaine\Desktop\OldTimerLegs.exe
PRC - [2011/06/09 13:01:00 | 000,521,600 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\epson\EpsonCustomerParticipation\EPCP.exe
PRC - [2010/10/12 13:56:40 | 000,979,328 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/04/16 19:53:00 | 000,954,368 | ---- | M] (Atheros Communications, Inc.) -- C:\Program Files\Jumpstart\jswpsapi.exe
PRC - [2008/04/15 21:54:42 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/04/15 21:54:40 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe


========== Modules (No Company Name) ==========

MOD - [2010/03/15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Services (SafeList) ==========

SRV - [2012/07/13 13:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2011/06/09 13:01:00 | 000,521,600 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\epson\EpsonCustomerParticipation\EPCP.exe -- (EpsonCustomerParticipation)
SRV - [2010/05/20 15:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2008/08/04 17:46:22 | 000,046,392 | ---- | M] (TOSHIBA Corporation) [Disabled | Stopped] -- C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2008/07/19 00:39:30 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Disabled | Stopped] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/04/17 03:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Disabled | Stopped] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2008/04/16 19:53:00 | 000,954,368 | ---- | M] (Atheros Communications, Inc.) [Auto | Running] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2008/04/15 21:54:42 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
SRV - [2008/01/20 22:33:00 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/11/21 21:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Disabled | Stopped] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
SRV - [2006/10/05 16:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Disabled | Stopped] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Elaine\AppData\Local\Temp\axrcqpog.sys -- (axrcqpog)
DRV - [2010/06/23 09:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2010/05/20 15:27:24 | 000,030,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nx6000.sys -- (MSHUSBVideo)
DRV - [2008/07/28 19:53:48 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/07/18 22:52:16 | 000,279,376 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)
DRV - [2008/04/28 20:59:18 | 000,020,384 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2008/01/18 12:22:00 | 000,009,216 | ---- | M] (Inventec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\sysprep\PEDRV.SYS -- (SVRPEDRV)
DRV - [2007/12/14 15:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/11/09 18:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/04/09 09:50:34 | 000,009,600 | ---- | M] (Waytech Development, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\UsbFltr.sys -- (UsbFltr)
DRV - [2006/11/28 19:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 17:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/11/09 02:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10I.sys -- (KR10I)
DRV - [2006/11/09 02:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\KR10N.sys -- (KR10N)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\afc.sys -- (Afc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...=TSHB&bmod=TSHB
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{3ED5066F-2E25-4157-8D56-93A3E571B355}: "URL" = http://www.google.co...ng}&rlz=1I7TSHB
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-1517136145-1328366619-2469452859-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1517136145-1328366619-2469452859-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1517136145-1328366619-2469452859-1000\..\SearchScopes,DefaultScope = {3ED5066F-2E25-4157-8D56-93A3E571B355}
IE - HKU\S-1-5-21-1517136145-1328366619-2469452859-1000\..\SearchScopes\{3ED5066F-2E25-4157-8D56-93A3E571B355}: "URL" = http://www.google.co...ng}&rlz=1I7TSHB
IE - HKU\S-1-5-21-1517136145-1328366619-2469452859-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)



O1 HOSTS File: ([2013/08/25 07:04:41 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKU\S-1-5-21-1517136145-1328366619-2469452859-1000..\Run: [Epson Stylus NX430(Network)] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIHBA.EXE (SEIKO EPSON CORPORATION)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1517136145-1328366619-2469452859-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1517136145-1328366619-2469452859-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0441260C-897F-4DCB-82D7-345D0A7AF92A}: DhcpNameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0913D5A8-EAAD-4D04-821E-DF2C6404AAB0}: DhcpNameServer = 68.94.156.1 68.94.157.1
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\AutorunsDisabled\skype-ie-addon-data - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/08/26 21:52:08 | 005,113,393 | ---- | C] (Swearware) -- C:\Users\Elaine\Desktop\KomboFicks.exe
[2013/08/26 21:30:44 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Elaine\Desktop\OldTimerLegs.exe
[2013/08/26 11:26:03 | 000,000,000 | ---D | C] -- C:\Users\Elaine\temp
[2013/08/26 11:04:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
[2013/08/26 08:42:29 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2013/08/26 08:41:21 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2013/08/26 08:39:53 | 009,167,352 | ---- | C] (SurfRight B.V.) -- C:\Users\Elaine\Desktop\HitManPro.exe
[2013/08/26 07:56:25 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/08/26 07:34:56 | 001,021,434 | ---- | C] (Thisisu) -- C:\Users\Elaine\Desktop\JRT.exe
[2013/08/26 06:02:18 | 000,000,000 | ---D | C] -- C:\Windows\CheckSur
[2013/08/25 18:14:45 | 000,692,104 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/08/25 18:14:45 | 000,071,048 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/08/25 16:30:13 | 000,000,000 | ---D | C] -- C:\Users\Elaine\Documents\BadReg
[2013/08/25 13:08:26 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/08/25 12:53:27 | 000,000,000 | ---D | C] -- C:\sbav10
[2013/08/25 11:54:05 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/08/25 11:54:05 | 000,162,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2013/08/25 11:54:05 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2013/08/25 11:54:05 | 000,086,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2013/08/25 11:54:05 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2013/08/25 11:54:05 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2013/08/25 11:54:05 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/08/25 11:54:05 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2013/08/25 11:54:04 | 003,695,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2013/08/25 11:54:04 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/08/25 11:54:04 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/08/25 11:54:04 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/08/25 11:54:04 | 000,434,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2013/08/25 11:54:04 | 000,367,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2013/08/25 11:54:04 | 000,353,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2013/08/25 11:54:04 | 000,353,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2013/08/25 11:54:04 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/08/25 11:54:04 | 000,223,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2013/08/25 11:54:04 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2013/08/25 11:54:04 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2013/08/25 11:54:04 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/08/25 11:54:04 | 000,078,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2013/08/25 11:54:04 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2013/08/25 11:54:04 | 000,074,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2013/08/25 11:54:04 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2013/08/25 11:54:04 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2013/08/25 11:54:04 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2013/08/25 11:54:03 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/08/25 11:54:03 | 000,227,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2013/08/25 11:54:03 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2013/08/25 11:54:03 | 000,130,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2013/08/25 11:54:03 | 000,118,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2013/08/25 11:54:03 | 000,110,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2013/08/25 11:54:03 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2013/08/25 11:54:03 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2013/08/25 11:54:03 | 000,035,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2013/08/25 11:54:03 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2013/08/25 11:51:53 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cryptdlg.dll
[2013/08/25 11:33:07 | 000,000,000 | ---D | C] -- C:\Windows\System32\catroot2
[2013/08/25 11:32:37 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2013/08/25 07:26:08 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/08/25 07:26:08 | 000,000,000 | ---D | C] -- C:\Users\Elaine\AppData\Local\temp
[2013/08/24 09:26:13 | 000,181,064 | ---- | C] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2013/08/23 14:05:35 | 000,000,000 | ---D | C] -- C:\Program Files\RegCleaner
[2013/08/23 07:13:21 | 000,000,000 | ---D | C] -- C:\Users\Elaine\Desktop\Kernel Detective v1.4.1
[2013/08/22 09:34:58 | 000,000,000 | ---D | C] -- C:\Program Files\ieSpell
[2013/08/22 08:05:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Auslogics
[2013/08/20 00:57:30 | 000,000,000 | ---D | C] -- C:\RegBackup
[2013/08/19 10:56:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
[2013/08/19 10:56:09 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2013/08/18 04:50:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Agent Ransack
[2013/08/17 18:23:23 | 000,000,000 | ---D | C] -- C:\Users\Elaine\Desktop\horde
[2013/08/17 17:53:18 | 000,000,000 | ---D | C] -- C:\Windows\System32\MRT
[2013/08/17 16:17:38 | 000,000,000 | ---D | C] -- C:\Windows\Temp56E49422-C2E8-2BA8-8125-FBD51B514918-Signatures
[2013/08/17 15:08:33 | 000,505,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qedit.dll
[2013/08/17 15:08:33 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll
[2013/08/17 15:07:45 | 000,812,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\certutil.exe
[2013/08/17 15:07:45 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\certenc.dll
[2013/08/17 15:07:31 | 001,548,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMVDECOD.DLL
[2013/08/17 15:07:22 | 003,603,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/08/17 15:07:22 | 003,551,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2013/08/17 15:07:21 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll
[2013/08/17 15:06:51 | 002,049,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/08/17 15:06:46 | 000,376,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2013/08/17 15:06:45 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2013/08/17 15:06:45 | 001,069,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2013/08/17 15:06:45 | 001,029,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10.dll
[2013/08/17 15:06:45 | 000,486,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll
[2013/08/17 15:06:45 | 000,219,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2013/08/17 15:06:45 | 000,189,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10core.dll
[2013/08/17 15:06:44 | 000,683,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2013/08/17 15:06:44 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2013/08/17 15:06:43 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printcom.dll
[2013/08/17 15:06:43 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\usb8023.sys
[2013/08/17 15:06:40 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2013/08/17 15:06:37 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
[2013/08/17 15:06:36 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll

========== Files - Modified Within 30 Days ==========

[2013/08/26 22:30:34 | 000,610,166 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/08/26 22:30:34 | 000,106,534 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/08/26 22:24:27 | 000,003,616 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/08/26 22:24:27 | 000,003,616 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/08/26 22:24:13 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/08/26 22:03:17 | 000,035,030 | ---- | M] () -- C:\Users\Elaine\Documents\CcRegMods.rar
[2013/08/26 21:55:10 | 000,000,414 | ---- | M] () -- C:\Users\Elaine\Desktop\Rootkit - Vista - Credit Card hit ( - Geeks to Go Forums.website
[2013/08/26 21:52:16 | 005,113,393 | ---- | M] (Swearware) -- C:\Users\Elaine\Desktop\KomboFicks.exe
[2013/08/26 21:35:19 | 000,377,856 | ---- | M] () -- C:\Users\Elaine\Desktop\Gee-mur.exe
[2013/08/26 21:30:44 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Elaine\Desktop\OldTimerLegs.exe
[2013/08/26 17:25:12 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2013/08/26 17:25:12 | 000,001,688 | ---- | M] () -- C:\Windows\System32\autoexec.nt
[2013/08/26 17:25:12 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
[2013/08/26 10:04:38 | 000,994,642 | ---- | M] () -- C:\Users\Elaine\Desktop\adwcleaner.exe
[2013/08/26 08:42:02 | 009,167,352 | ---- | M] (SurfRight B.V.) -- C:\Users\Elaine\Desktop\HitManPro.exe
[2013/08/26 07:34:57 | 001,021,434 | ---- | M] (Thisisu) -- C:\Users\Elaine\Desktop\JRT.exe
[2013/08/25 18:56:41 | 000,411,928 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/08/25 18:14:45 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/08/25 18:14:45 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/08/25 13:05:54 | 000,000,000 | ---- | M] () -- C:\Windows\EEventManager.INI
[2013/08/25 12:14:02 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2013/08/25 12:02:56 | 000,000,914 | ---- | M] () -- C:\Users\Elaine\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/08/25 11:54:12 | 000,008,798 | ---- | M] () -- C:\Windows\System32\was-icrav03.rat
[2013/08/25 11:54:12 | 000,001,988 | ---- | M] () -- C:\Windows\System32\was-ticrf.rat
[2013/08/25 11:54:05 | 000,176,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/08/25 11:54:05 | 000,162,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2013/08/25 11:54:05 | 000,161,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2013/08/25 11:54:05 | 000,086,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2013/08/25 11:54:05 | 000,076,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2013/08/25 11:54:05 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2013/08/25 11:54:05 | 000,065,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/08/25 11:54:05 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2013/08/25 11:54:04 | 003,695,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2013/08/25 11:54:04 | 002,382,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/08/25 11:54:04 | 001,427,968 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/08/25 11:54:04 | 000,607,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/08/25 11:54:04 | 000,434,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2013/08/25 11:54:04 | 000,367,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2013/08/25 11:54:04 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2013/08/25 11:54:04 | 000,353,584 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2013/08/25 11:54:04 | 000,231,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/08/25 11:54:04 | 000,223,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2013/08/25 11:54:04 | 000,152,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2013/08/25 11:54:04 | 000,150,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2013/08/25 11:54:04 | 000,142,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/08/25 11:54:04 | 000,078,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2013/08/25 11:54:04 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2013/08/25 11:54:04 | 000,074,240 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2013/08/25 11:54:04 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2013/08/25 11:54:04 | 000,054,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2013/08/25 11:54:04 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2013/08/25 11:54:04 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2013/08/25 11:54:03 | 001,800,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/08/25 11:54:03 | 000,227,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2013/08/25 11:54:03 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2013/08/25 11:54:03 | 000,130,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2013/08/25 11:54:03 | 000,118,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2013/08/25 11:54:03 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2013/08/25 11:54:03 | 000,101,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2013/08/25 11:54:03 | 000,041,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2013/08/25 11:54:03 | 000,035,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2013/08/25 11:54:03 | 000,010,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2013/08/25 11:29:38 | 000,181,064 | ---- | M] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2013/08/25 07:51:27 | 000,001,084 | ---- | M] () -- C:\Users\Elaine\Documents\axrcqpogExport.reg
[2013/08/25 07:04:41 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/08/24 13:37:51 | 000,032,819 | ---- | M] () -- C:\Users\Elaine\Desktop\places.rar
[2013/08/24 13:19:31 | 000,000,015 | ---- | M] () -- C:\Users\Elaine\Desktop\settings.dat
[2013/08/24 11:25:24 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/08/23 14:05:37 | 000,000,738 | ---- | M] () -- C:\Users\Elaine\Desktop\RegCleaner.lnk
[2013/08/23 11:52:31 | 000,377,856 | ---- | M] () -- C:\Users\Elaine\Desktop\z5n0usqe.exe
[2013/08/22 05:52:10 | 000,039,118 | ---- | M] () -- C:\Users\Elaine\Desktop\DocumentsEMLs.rar
[2013/08/22 05:08:42 | 000,219,870 | ---- | M] () -- C:\Users\Elaine\Desktop\bookmarks.html
[2013/08/22 05:02:51 | 000,019,890 | ---- | M] () -- C:\Users\Elaine\Desktop\password-export-2013-08-22.csv
[2013/08/20 01:11:27 | 000,000,855 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts_bak_212
[2013/08/20 00:58:24 | 000,000,207 | ---- | M] () -- C:\Windows\tweaking.com-regbackup-ELAINE-MOBILE-Microsoft®-Windows-Vista™-Home-Basic-(32-bit).dat
[2013/08/20 00:44:27 | 000,447,726 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts_bak_764
[2013/08/19 13:13:04 | 000,000,680 | ---- | M] () -- C:\Users\Elaine\AppData\Local\d3d9caps.dat
[2013/08/19 10:56:15 | 000,001,923 | ---- | M] () -- C:\Users\Elaine\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2013/08/18 10:37:33 | 409,793,608 | ---- | M] () -- C:\Users\Elaine\Desktop\Kodak_1.rar
[2013/08/18 10:28:06 | 000,000,145 | ---- | M] () -- C:\Users\Elaine\Desktop\CD Drive.lnk

========== Files Created - No Company Name ==========

[2013/08/26 21:55:10 | 000,000,414 | ---- | C] () -- C:\Users\Elaine\Desktop\Rootkit - Vista - Credit Card hit ( - Geeks to Go Forums.website
[2013/08/26 10:04:37 | 000,994,642 | ---- | C] () -- C:\Users\Elaine\Desktop\adwcleaner.exe
[2013/08/25 13:05:54 | 000,000,000 | ---- | C] () -- C:\Windows\EEventManager.INI
[2013/08/25 11:54:04 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2013/08/25 07:51:27 | 000,001,084 | ---- | C] () -- C:\Users\Elaine\Documents\axrcqpogExport.reg
[2013/08/24 10:54:00 | 000,000,015 | ---- | C] () -- C:\Users\Elaine\Desktop\settings.dat
[2013/08/23 14:05:37 | 000,000,738 | ---- | C] () -- C:\Users\Elaine\Desktop\RegCleaner.lnk
[2013/08/23 11:52:28 | 000,377,856 | ---- | C] () -- C:\Users\Elaine\Desktop\z5n0usqe.exe
[2013/08/23 04:23:17 | 000,032,819 | ---- | C] () -- C:\Users\Elaine\Desktop\places.rar
[2013/08/22 06:37:25 | 000,000,914 | ---- | C] () -- C:\Users\Elaine\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/08/22 06:09:55 | 000,035,030 | ---- | C] () -- C:\Users\Elaine\Documents\CcRegMods.rar
[2013/08/22 05:52:10 | 000,039,118 | ---- | C] () -- C:\Users\Elaine\Desktop\DocumentsEMLs.rar
[2013/08/22 05:08:42 | 000,219,870 | ---- | C] () -- C:\Users\Elaine\Desktop\bookmarks.html
[2013/08/22 05:02:51 | 000,019,890 | ---- | C] () -- C:\Users\Elaine\Desktop\password-export-2013-08-22.csv
[2013/08/20 00:58:24 | 000,000,207 | ---- | C] () -- C:\Windows\tweaking.com-regbackup-ELAINE-MOBILE-Microsoft®-Windows-Vista™-Home-Basic-(32-bit).dat
[2013/08/19 10:56:15 | 000,001,923 | ---- | C] () -- C:\Users\Elaine\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2013/08/19 09:16:21 | 000,000,680 | ---- | C] () -- C:\Users\Elaine\AppData\Local\d3d9caps.dat
[2013/08/18 10:33:08 | 409,793,608 | ---- | C] () -- C:\Users\Elaine\Desktop\Kodak_1.rar
[2013/08/18 10:28:06 | 000,000,145 | ---- | C] () -- C:\Users\Elaine\Desktop\CD Drive.lnk
[2012/09/23 16:35:12 | 000,097,070 | ---- | C] () -- C:\Users\Elaine\RX request Silverscript.pdf
[2012/07/20 12:02:29 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2012/03/31 21:06:12 | 000,000,071 | ---- | C] () -- C:\Windows\ENX430.ini
[2010/09/30 04:31:34 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/05/15 20:14:54 | 000,202,910 | ---- | C] () -- C:\Users\Elaine\printable.pdf
[2010/05/08 21:54:17 | 000,280,521 | ---- | C] () -- C:\Users\Elaine\IMG010 july 2009.jpg
[2009/08/10 18:15:10 | 000,004,916 | ---- | C] () -- C:\Users\Elaine\Elaine's Calendar.ics
[2009/06/03 13:01:28 | 000,119,911 | ---- | C] () -- C:\Users\Elaine\kodak caera.htm
[2009/05/21 16:55:45 | 000,000,218 | ---- | C] () -- C:\Users\Elaine\.recently-used.xbel
[2009/05/19 11:45:25 | 000,026,340 | ---- | C] () -- C:\Users\Elaine\AppData\Roaming\UserTile.png
[2009/05/11 09:44:12 | 000,004,608 | ---- | C] () -- C:\Users\Elaine\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/04 09:34:05 | 000,620,737 | ---- | C] () -- C:\Users\Elaine\sielski address.xps
[2009/04/18 15:17:07 | 000,005,115 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini

========== ZeroAccess Check ==========


[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2011/09/07 16:40:45 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\Temp
[2011/09/07 16:40:45 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\Temp
[2013/04/18 10:42:05 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\.purple
[2013/05/25 08:44:03 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\Auslogics
[2011/06/04 17:48:11 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\Canneverbe Limited
[2009/04/30 22:07:54 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2012/04/16 05:14:54 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\EPSON
[2009/05/23 09:53:10 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\gtk-2.0
[2012/03/31 21:24:28 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\Leadertech
[2009/04/18 17:13:19 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\OpenOffice.org
[2009/05/19 11:45:25 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\PeerNetworking
[2010/05/16 13:00:27 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\School Zone Preferences
[2009/07/22 16:37:26 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\Skinux
[2011/08/02 13:32:28 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\Temp
[2010/12/29 13:03:51 | 000,000,000 | ---D | M] -- C:\Users\Elaine\AppData\Roaming\TOSHIBA

========== Purity Check ==========

< End of report >

++++++++++++++++++++++++
OTL Extras Log

OTL Extras logfile created on: 8/26/2013 10:38:07 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Elaine\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.25 Gb Available Physical Memory | 66.65% Memory free
3.98 Gb Paging File | 3.43 Gb Available in Paging File | 86.18% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.37 Gb Total Space | 107.64 Gb Free Space | 76.68% Space Free | Partition Type: NTFS

Computer Name: ELAINE-MOBILE | User Name: Elaine | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1517136145-1328366619-2469452859-1000\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
https [open] -- Reg Error: Value error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{048EC4B1-7B9B-437D-ACD9-6F0C3128D682}" = rport=138 | protocol=17 | dir=out | app=system |
"{07B3A3AB-FB3E-4659-8D57-82124F8CB6EC}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=c:\windows\system32\svchost.exe |
"{08757F79-CF67-41CB-90A9-9CEF85220A5F}" = rport=139 | protocol=6 | dir=out | app=system |
"{0C170C9F-D1D5-4999-8F47-9B4FA8939F07}" = rport=138 | protocol=17 | dir=out | app=system |
"{1497B2A1-F358-4AD0-98CA-14A6400057F0}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=c:\windows\system32\spoolsv.exe |
"{23B9D20F-A35C-4D8B-97FB-B76C28C00EEE}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=c:\windows\system32\svchost.exe |
"{26D403DE-28DB-4E27-AE2B-462A30A22975}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=c:\windows\system32\svchost.exe |
"{28672E24-FCE1-4E78-B5A3-FA0E9B5970BB}" = lport=137 | protocol=17 | dir=in | app=system |
"{291100C0-657C-4F51-8AEC-8A12C100D6A9}" = lport=139 | protocol=6 | dir=in | app=system |
"{2B213D14-A65C-46B6-B066-6C1B7843C635}" = lport=138 | protocol=17 | dir=in | app=system |
"{2C0E35E9-8603-4C12-8013-C2158DD4AE0B}" = rport=2178 | protocol=6 | dir=out | app=system |
"{2E02E9DA-D954-4502-8331-E95B17684843}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{33C66829-C6AD-4344-A88E-181D17BA9955}" = lport=9322 | protocol=6 | dir=in | name=ekdiscovery |
"{4793C110-8CF8-4ACB-AD84-B91C1251DEA3}" = lport=rpc | protocol=6 | dir=in | svc=bits | app=c:\windows\system32\svchost.exe |
"{496CF423-FB8D-46B0-A63C-7B49312EC362}" = lport=137 | protocol=17 | dir=in | app=system |
"{56A078DA-1613-4B7B-9D42-B77B468B0271}" = lport=138 | protocol=17 | dir=in | app=system |
"{598093D0-0C1F-4E46-988F-1FF1E03A10D3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{64598B71-453E-4216-87DF-A83834538551}" = lport=5353 | protocol=17 | dir=in | name=bonjour port 5353 |
"{69FA9359-4FD6-4D79-94A4-4114EDA3DB7D}" = lport=139 | protocol=6 | dir=in | app=system |
"{6BCE735C-FDCD-4F04-BE00-F711DD8220CC}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | app=c:\windows\system32\svchost.exe |
"{70CF4561-E1B3-4FBA-B14C-90523A30E461}" = rport=445 | protocol=6 | dir=out | app=system |
"{712F4A9E-F0E0-40FB-B5B1-BC15F197C1DE}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=c:\windows\system32\svchost.exe |
"{9D7B2F75-B8B5-4360-9E8A-B7784FD47C76}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=c:\windows\system32\svchost.exe |
"{AE1EBFCD-3117-4EB4-BDCE-313F967BFDDE}" = rport=137 | protocol=17 | dir=out | app=system |
"{B0876D9D-E395-48CA-957F-0DA589E6A2EA}" = lport=2178 | protocol=6 | dir=in | app=system |
"{BDF430FD-B21A-4D1C-885C-5555463D2AED}" = lport=445 | protocol=6 | dir=in | app=system |
"{CCAA52BD-24E1-4A95-9127-0D17E266745F}" = rport=3702 | protocol=17 | dir=out | svc=bits | app=c:\windows\system32\svchost.exe |
"{D052FA64-BD13-4E72-A7DC-02B369C0F6E2}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=c:\windows\system32\svchost.exe |
"{DA546AB9-3098-4805-A138-E77E85AD1612}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{DBE192F6-82F1-47C2-ACF1-236A2B8A6C09}" = lport=445 | protocol=6 | dir=in | app=system |
"{E34EC087-AFDC-4972-9E2D-D49D2F2C3112}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=c:\windows\system32\svchost.exe |
"{E7FF86EA-4CBE-47CA-8EDA-8FCD12F9B858}" = lport=445 | protocol=6 | dir=in | app=system |
"{E9103A89-AAC8-4E00-AB02-426E7DA90217}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=file and printer sharing (spooler service - rpc-epmap) |
"{EF865607-324A-4F83-A40E-B1FA6DB570CE}" = rport=139 | protocol=6 | dir=out | app=system |
"{FAAF4AF5-D422-4BE2-BA36-68C5EC66FE4F}" = lport=3702 | protocol=17 | dir=in | svc=bits | app=c:\windows\system32\svchost.exe |
"{FB6DCBE7-5432-4CB9-ACCB-AAF7F0900C09}" = lport=5353 | protocol=17 | dir=in | name=bonjour port 5353 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{13352222-CB9A-4F74-B0B2-1ED6BD48139B}" = protocol=58 | dir=out | [email protected],-28546 |
"{146244C0-7EE2-483B-AAC5-3C0839F84B34}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{305EC359-68AA-49AC-ADEB-D564833079E6}" = protocol=6 | dir=in | app=d:\common\epsonnet setup\eneasyapp.exe |
"{30B506CD-8DE3-4244-A281-F169F8955DED}" = protocol=17 | dir=in | app=d:\common\epsonnet setup\eneasyapp.exe |
"{50471EF0-85BF-483A-9FDC-02491ED5293B}" = protocol=6 | dir=out | svc=upnphost | app=c:\windows\system32\svchost.exe |
"{6FFD73E5-A029-4EC2-AD3C-B7A38BF62F27}" = protocol=1 | dir=out | [email protected],-28544 |
"{84A6B385-7143-42FC-8CE0-893372F40F71}" = protocol=58 | dir=in | [email protected],-28545 |
"{978FF5E1-696B-43E6-8505-F1E673AFE82F}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{AFCCC331-A346-41AD-98A5-612AAFF4A886}" = protocol=58 | dir=out | name=file and printer sharing (echo request - icmpv6-out) |
"{D5D2C593-7C37-4852-8635-C9460666493D}" = protocol=1 | dir=in | [email protected],-28543 |
"{DC1FFDCC-A8DD-4B2D-BAEE-DD114E4AA1A7}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{E7074F5B-8276-4AC7-9929-D6AB7596F632}" = protocol=1 | dir=out | name=file and printer sharing (echo request - icmpv4-out) |
"TCP Query User{7E08A3FC-2A4A-4BD3-B189-695A9D670B27}C:\program files\epson software\event manager\eeventmanager.exe" = protocol=6 | dir=in | app=c:\program files\epson software\event manager\eeventmanager.exe |
"TCP Query User{F2362FBC-F09D-413A-B688-C7FD0790A911}C:\program files\epson software\event manager\eeventmanager.exe" = protocol=6 | dir=in | app=c:\program files\epson software\event manager\eeventmanager.exe |
"UDP Query User{003B7DF8-2C00-4D67-9647-96021F2BE154}C:\program files\epson software\event manager\eeventmanager.exe" = protocol=17 | dir=in | app=c:\program files\epson software\event manager\eeventmanager.exe |
"UDP Query User{48C4281A-63F4-47A3-8151-8C679F73CEC5}C:\program files\epson software\event manager\eeventmanager.exe" = protocol=17 | dir=in | app=c:\program files\epson software\event manager\eeventmanager.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{0D5D0BEE-FBA9-4928-A50D-6CDFAB827755}" = TOSHIBA ConfigFree
"{10F63395-157F-4B93-AB4D-702A2FF11942}" = Epson Download Navigator
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{13CD417D-F1F1-4AC4-945D-FDDEB884756F}" = Microsoft Baseline Security Analyzer 2.2
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2883F6F5-0509-43F3-868C-D50330DD9DD3}" = TOSHIBA Hardware Setup
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{47609E69-4C5E-48B1-A889-24C6B82B5C04}" = Vista Shortcut Manager
"{4B1E87C3-00DE-4898-8E39-E390AAEF2391}" = TOSHIBA Supervisor Password
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5FC7AB5C-61FC-42DF-A923-5139BCF10D42}" = Microsoft LifeCam
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{64BA551C-9AF6-495C-93F3-D1270E0045FC}" = Epson Connect
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{814FA673-A085-403C-9545-747FC1495069}" = Epson Customer Participation
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8ED43F7E-A8F6-4898-AF11-B6158F2EDF94}" = Epson Event Manager
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{91AFB04F-0A10-4E0C-858B-DF1C1D61EB0A}" = ArcSoft TotalMedia Extreme
"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}" = Atheros Wi-Fi Protected Setup Library
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{BFD96B89-B769-4CD6-B11E-E79FFD46F067}" = QuickTime
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E1E56B8A-1AAF-422A-91DB-625059FB9863}" = TOSHIBA Desktop Links
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Agent Ransack_is1" = Agent Ransack 2010
"Anti-Spy.Info" = Anti-Spy.Info 1.7h
"Aspell English Dictionary_is1" = Aspell English Dictionary-0.50-2
"CCleaner" = CCleaner
"EPSON NX430 Series" = EPSON NX430 Series Printer Uninstall
"EPSON Scanner" = EPSON Scan
"Fotosizer" = Fotosizer 1.31
"GNU Aspell_is1" = GNU Aspell 0.50-3
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HitmanPro37" = HitmanPro 3.7
"ieSpell" = ieSpell
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"KLiteCodecPack_is1" = K-Lite Codec Pack 7.0.0 (Standard)
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"PDF Creator" = PDF Creator
"PhotoFiltre" = PhotoFiltre
"Pidgin" = Pidgin
"Revo Uninstaller" = Revo Uninstaller 1.94
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Tweaking.com - Windows Repair (All in One)" = Tweaking.com - Windows Repair (All in One)
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"WinRAR archiver" = WinRAR archiver

========== Last 20 Event Log Errors ==========

[ System Events ]
Error - 8/26/2013 10:24:22 PM | Computer Name = Elaine-mobile | Source = Service Control Manager | ID = 7001
Description =

Error - 8/26/2013 10:24:22 PM | Computer Name = Elaine-mobile | Source = Service Control Manager | ID = 7001
Description =

< End of report >

++++++++++++++++++

GMER log (run as default brief output only, with options instructed)

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-27 01:05:04
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD16 rev.11.0 149.05GB
Running: Gee-mur.exe; Driver: C:\Users\Elaine\AppData\Local\Temp\axrcqpog.sys


---- Kernel code sections - GMER 2.1 ----

.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x88154480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x88195900, 0x3CA, 0x48000040]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74B77817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74BBB4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74B7BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74B6F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74B775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74B6E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74BA73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74B7DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74B6FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74B6FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74B671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74BFCB00] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74B9C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74B6D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74B66853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74B6687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74B72AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys

---- EOF - GMER 2.1 ----

++++++++++++++

ComboFix Log


ComboFix 13-08-25.01 - Elaine 08/27/2013 1:07.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1142 [GMT -4:00]
Running from: c:\users\Elaine\Desktop\KomboFicks.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-07-27 to 2013-08-27 )))))))))))))))))))))))))))))))
.
.
2013-08-27 05:12 . 2013-08-27 05:12 -------- d-----w- c:\users\Elaine\AppData\Local\temp
2013-08-27 05:12 . 2013-08-27 05:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-26 15:26 . 2013-08-26 15:26 -------- d-----w- c:\users\Elaine\temp
2013-08-26 12:42 . 2013-08-26 15:08 -------- d-----w- c:\program files\HitmanPro
2013-08-26 12:41 . 2013-08-26 15:03 -------- d-----w- c:\programdata\HitmanPro
2013-08-26 11:56 . 2013-08-26 11:56 -------- d-----w- c:\windows\ERUNT
2013-08-26 10:02 . 2013-08-26 10:02 -------- d-----w- c:\windows\CheckSur
2013-08-25 22:14 . 2013-08-25 22:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-25 22:14 . 2013-08-25 22:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-25 16:53 . 2013-08-25 16:57 -------- d-----w- C:\sbav10
2013-08-25 15:51 . 2013-04-17 12:30 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-08-25 15:33 . 2013-08-25 22:57 -------- d-----w- c:\windows\system32\catroot2
2013-08-24 13:26 . 2013-08-25 15:29 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-08-23 18:05 . 2013-08-23 18:20 -------- d-----w- c:\program files\RegCleaner
2013-08-22 13:34 . 2013-08-22 13:34 -------- d-----w- c:\program files\ieSpell
2013-08-22 12:05 . 2013-08-22 12:05 -------- d-----w- c:\programdata\Auslogics
2013-08-22 05:31 . 2013-07-15 07:34 7143960 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{39A0A96D-F15F-46B1-8E11-E59244CD2BFC}\mpengine.dll
2013-08-20 04:57 . 2013-08-20 04:57 -------- d-----w- C:\RegBackup
2013-08-19 14:56 . 2013-08-19 14:56 -------- d-----w- c:\program files\Tweaking.com
2013-08-17 21:53 . 2013-08-17 21:55 -------- d-----w- c:\windows\system32\MRT
2013-08-17 20:17 . 2013-08-17 20:17 -------- d-----w- c:\windows\Temp56E49422-C2E8-2BA8-8125-FBD51B514918-Signatures
2013-08-17 19:08 . 2012-11-02 10:19 1400832 ----a-w- c:\windows\system32\msxml6.dll
2013-08-17 19:08 . 2013-06-01 04:06 505344 ----a-w- c:\windows\system32\qedit.dll
2013-08-17 19:08 . 2012-11-20 04:22 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-08-17 19:07 . 2013-07-29 22:13 300544 ----a-w- c:\program files\Internet Explorer\ieuser.exe
2013-08-17 19:07 . 2013-04-24 04:00 41984 ----a-w- c:\windows\system32\certenc.dll
2013-08-17 19:07 . 2013-04-24 01:46 812544 ----a-w- c:\windows\system32\certutil.exe
2013-08-17 19:07 . 2013-05-08 04:04 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-17 19:07 . 2013-07-05 03:20 914880 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-17 19:07 . 2013-07-05 01:43 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2013-08-17 19:07 . 2013-07-08 04:55 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-17 19:07 . 2013-07-08 04:55 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-17 19:07 . 2013-07-09 12:10 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-08-17 19:07 . 2013-03-09 03:45 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-08-17 19:07 . 2013-03-09 01:28 64000 ----a-w- c:\windows\system32\smss.exe
2013-08-17 19:01 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-17 19:01 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-17 19:01 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-17 19:01 . 2013-07-08 04:16 992768 ----a-w- c:\windows\system32\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-26 21:25 . 2011-06-04 18:51 2 --shatr- c:\windows\winstart.bat
2013-07-30 04:29 . 2013-08-17 19:07 53760 ----a-w- c:\windows\apppatch\iebrshim.dll
2013-06-12 02:14 . 2013-06-12 02:14 9089416 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kernel Detective.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-05-20 19:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-04-08 23:14 6037504 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
2008-08-04 21:46 1242424 ----a-w- c:\program files\Toshiba\TOSHIBA Service Station\TSS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Sidebar"=c:\program files\Windows Sidebar\sidebar.exe /autoRun
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"TOSCDSPD"=TOSCDSPD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NDSTray.exe"=NDSTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - axrcqpog
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
rsmsvcs REG_MULTI_SZ ntmssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-25236822.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-27 01:12
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2013-08-27 01:13:49
ComboFix-quarantined-files.txt 2013-08-27 05:13
.
Pre-Run: 115,417,096,192 bytes free
Post-Run: 115,369,836,544 bytes free
.
- - End Of File - - 88F78EEAB948EE85D4C2D14D4C13AD85
5B5E648D12FCADC244C1EC30318E1EB9

======== End logs this posting ===========

KernelDetective image of kernel modifications below

KDKernelMod.gif

Edited by urbansound, 27 August 2013 - 04:09 AM.
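The GMER "User IAT/EAT" lines in the log above resolve Explorer.EXE's gdiplus imports to the gdiplus.dll inside a WinSxS assembly folder, which is where a side-by-side system DLL is expected to live; an IAT hook would instead redirect an import into a different module or into a path outside the Windows system directories. As an added example (not part of this thread, GMER, ComboFix or any other tool discussed here), the Python below parses lines in GMER's IAT format and flags those that do not resolve to the named DLL under a trusted directory; the first two sample lines are copied from the log, the third sample line and its path are constructed.

```python
"""Triage helper for GMER 'User IAT/EAT' lines (added example, not part of
GMER or of the thread's own tools).

GMER prints one line per listed import in the form:
  IAT <process>[<pid>] @ <module> [<dll>!<export>] [<address>] <resolved path>
An entry is unremarkable when the resolved path is the DLL named in the
import, located under System32 or a WinSxS assembly folder (as with the
Explorer.EXE/gdiplus.dll lines in the thread). Anything else is flagged for
a human to look at."""
import re
from pathlib import PureWindowsPath

# Sample input: two lines copied from the GMER log in the thread plus one
# CONSTRUCTED line with a hypothetical path, added to show a flagged entry.
SAMPLE_LOG = r"""
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74B77817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74B6687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1896] @ C:\Windows\Explorer.EXE [kernel32.dll!CreateFileW] [10001234] C:\ProgramData\CONSTRUCTED_EXAMPLE\hook.dll
"""

IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<export>[^\]]+)\]\s+\[(?P<address>[0-9A-Fa-f]+)\]\s+(?P<target>.+)$"
)

# Directories where a legitimate system import is expected to resolve.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def parse_iat_line(line):
    """Parse one GMER IAT line into a dict of its fields, or None if it is not one."""
    m = IAT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return (verdict, reasons) for a parsed entry.

    'expected': the import resolved to the named DLL under a trusted directory.
    'suspicious': anything else; 'reasons' lists each mismatch found."""
    target = PureWindowsPath(entry["target"].strip())
    reasons = []
    if target.name.lower() != entry["dll"].lower():
        reasons.append(f"resolves to {target.name} instead of {entry['dll']}")
    if not str(target).lower().startswith(TRUSTED_DIRS):
        reasons.append(f"target outside Windows system directories: {target.parent}")
    return ("suspicious" if reasons else "expected"), reasons


def triage(log_text):
    """Parse every IAT line in log_text and return one verdict record per line."""
    results = []
    for line in log_text.splitlines():
        entry = parse_iat_line(line)
        if entry is None:
            continue  # section headers, blank lines and non-IAT output are skipped
        verdict, reasons = classify(entry)
        results.append({
            "process": f"{entry['process']}[{entry['pid']}]",
            "import": f"{entry['dll']}!{entry['export']}",
            "target": entry["target"],
            "verdict": verdict,
            "reasons": reasons,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flag = "OK  " if r["verdict"] == "expected" else "LOOK"
        print(flag, r["process"], r["import"], "->", r["target"], *r["reasons"])
```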


#7 nathdep (Member, 587 posts)
Hello again!

First, you will need to run AVP Tool by Kaspersky to see if that detects any problems:

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the License agreement and click on Next.
  • It will by default install to your desktop folder. Click Next.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors
  • My Computer
  • Also any other (removable) drives that you may have

Leave the rest of the settings as they appear by default.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom, save it to a file and name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware from the report (it will be at the very top under Detected) in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.



In your next post be sure to include:
  • The report from AVP tool
  • A report on if you experienced any issues while following the above instructions
  • A report on if any issues were solved or created while following the above instructions


#8 urbansound (Topic Starter, Member, 12 posts)
Thank you,

The scan is running now in safe mode, estimating 3 hours to complete on highest paranoia / deep scan, options as indicated.

Urban

#9 urbansound (Topic Starter, Member, 12 posts)
In the interim while the scan is happening, (so far no detections), do you know or can you ask around if anyone knows if SFC should be able to correct desktop.ini files? I understand their purpose and I know they will repopulate, but with themes turned off there should be fairly few of them and I can't find any information why SFC would identify them as corrupt or be unable to correct them, UNLESS recent MS patches are securing these to one of the hidden, hooked processes to protect them possibly. I see 90-100 of them repopulate not long after I delete them, 5 of them immediately after.

Also, the other Vista machine I have shows the exact same kernel code modification in KernelDetective and passed the external Kaspersky rescue Linux fully last night, so I'm thinking this kernel mod may be intentional.

Thanks, more as the scan completes,

Urban

Edited by urbansound, 28 August 2013 - 01:55 PM.


#10 urbansound (Topic Starter, Member, 12 posts)
Ok,

The scans are below.

I can remove ssvnc and pidgin if you like. I know why it posted these as PUPs. The others I'm unsure of, but I'll wait on removal of all of them, in case you want me to do so in a specific manner.

Also Kaspersky failed the cleanup on restart indicating it could not rename kl1 and requested a restart. After the second restart it failed on the same error again so we may need to track down the Kl1 reference. It is a Kas file if I recall.

Let me know please,

Urban

Kaspersky-1 scan results follow:

Status: Vulnerability (events: 7)
8/28/2013 1:57:47 PM Vulnerability vulnerability http://www.securelis...dvisories/52178 c:\Program Files\Pidgin\pidgin.exe Low
8/28/2013 1:59:40 PM Vulnerability vulnerability http://www.securelis...dvisories/31949 c:\program files\cdburnerxp\cdbxpp.exe Low
8/28/2013 2:00:03 PM Vulnerability vulnerability http://www.securelis...dvisories/52178 c:\program files\Pidgin\pidgin.exe Low
8/28/2013 2:00:50 PM Vulnerability vulnerability http://www.securelis...dvisories/31949 C:\Program Files\CDBurnerXP\cdbxpp.exe Low
8/28/2013 2:06:22 PM Vulnerability vulnerability http://www.securelis...dvisories/52178 C:\Program Files\Pidgin\pidgin.exe Low
8/28/2013 2:37:48 PM Vulnerability vulnerability http://www.securelis...dvisories/54354 C:\Users\Public\Downloads\ssvnc\util\putty.exe Low
8/28/2013 3:04:32 PM Vulnerability vulnerability http://www.securelis...en/advisories/0 C:\Windows\System32\msxml4.dll Low

#11 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi, nathdep is unavailable for a day or so. I will jump in :)

I will need one further scan with AVP to look a bit deeper. This will not take long, as it is just analysing for me.

Run the AVP tool again


Now an analysis scan:
Select the Manual Disinfection tab.
Press the Gather System Information button.

Once it has completed, then click Step 2 Report sending.

Click avptool.sysinfo.zip
And you will be taken to the zip file that needs to be attached.

#12 urbansound (Topic Starter, Member, 12 posts)
Thank you Essexboy,

Please note, the PUPs identified on the previous scan have been deleted.

Also, I have had to return the system to limited use for my wife and have reinstalled MS Essentials running real-time mode and Comodo Dragon in pessimistic or paranoid configuration.

Unless past or future scans show some malware or bad setup exposures, we remain trying to learn why the desktop.ini files are shown corrupted under SFC examination with SFC complaining it cannot resolve them. Otherwise the system appears to be running well. I also continue to note changes made in msconfig do not result in the normal "restart" warning dialog which is a "stealth" exposure possibly.

The information scans you requested are attached.

Thank you again,

Urban


#13 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Nothing untoward showing in the analysis. You can delete the desktop.ini and Windows will recreate a new one, although any customisations you have done to the folder will be lost.

Not yet sure about the MSConfig lack of warning ... Will check that out

Otherwise how is the system behaving ?

#14 urbansound (Topic Starter, Member, 12 posts)
Thanks again,

Odd, once again I got no email notification of the last reply, yet I am subscribed for notification. ??? shrug.

I understand the desktop.ini reproduction by design, however with themes turned off and given no activity to folders calling for themes updating, it strikes me odd that 90 some of them will accumulate in a couple of hours. Once again, the concern I'm finding is that SFC detects them as "corrupted" and states it's unable to repair them. Have you ever seen this failure mode documented elsewhere as being normal? I find reference to others having seen it on systems, but nothing definitive regarding SFC and desktop.ini typically conflicting.

I've tried Slax based external scanning, but this laptop for some reason refuses to read all forms of Linux access on CD, so far refusing to let me run either Kas or Sophos external virus scanning from CD. Maybe a knoppix method would work if you know of one out there with decent Linux portable external capability?

Otherwise, generally speaking the system seems to be working crisp, (which is exactly how a well devised rootkit keylogger and hidden server would be designed for stealth operation, especially if it can avoid detection by common resident methods). If it managed to compile to the OS, signature and checksum testing could be futile internally, even if an original dropper previously owned a place in the MBR to seed the rootkit, long since corrected in the MBR during past scans, possibly. (sounds paranoid, I know).

I'm starting to wonder if the only way to solve this is to run a syslog detection system on the router traffic and spend my life forever analyzing false alarms. :~|

I don't mind doing some work, but having a system behave off-spec for reasons I cannot locate makes me nervous all the same, so I'm open to additional ideas you might have.

Urban

#15 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, let's check outside of Windows :) ini files are usually thrown up by SFC as corrupt and I tend to ignore them.

Create an emergency repair USB drive:
Download Dr Web Live USB to your desktop
  • Connect a USB flash drive to the computer. Registering the plugging in event takes no more than 10 seconds.
  • Launch drwebliveusb.exe.
  • The program will detect available USB-devices automatically and prompt you to choose the one you’d like to use as an emergency repair drive. You can format the device if you like (a warning will be displayed before you proceed with formatting). In order to read the License agreement, follow a corresponding link found in the program window (the page containing the license agreement text will be loaded in your default browser).
  • To create a bootable USB flash drive, press the Create Dr.Web LiveUSB button.
  • Files will be copied automatically.
  • Once the copying process is completed, press the Exit button to close the application.
  • Reboot the infected computer with the USB in the drive.
  • Ensure that the first boot device is USB. If you are not sure about that, then see this page for instructions.
  • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
  • Use arrow keys to select DrWeb-LiveCD (Default).
  • Press select objects for scanning.
  • When the system is loaded, check the disks or folders you want to scan, and click on Start.
  • The programme will now scan for and cure/delete any malware that it finds. Allow it to do so.
  • When it has completed, select Open Report and copy to the USB.
  • Once completed, reboot to normal Windows, and attach the report here.
