Not so Happili Redirected-- audiodev32.dll TrojanDownloader Win32/Tracur


All right, so I just closed the ComboFix window and looked for the log anyway. I found the following file in C:\ComboFix\ComboFix.txt.

I also figured out I should have switched the screensaver off the moment I saw the black screen in front of me. That would have saved me a near heart attack and given us a completed ComboFix. I guess I just checked on the progress when the log file was being created. That being said, shall I reboot the computer? At least I could just close the ComboFix window and open IE.

ComboFix 12-05-01.02 - Carl 05/01/2012 13:16:57.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3034.1723 [GMT -4:00]

Running from: C:\Users\Carl\Desktop\ComboFix.exe

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Install.exe

C:\ProgramData\Roaming

C:\Users\Carl\AppData\Local\Google\Adobe\ihkpbqo.dll

((((((((((((((((((((((((( Files Created from 2012-04-01 to 2012-05-01 )))))))))))))))))))))))))))))))

2012-05-01 17:26:03 . 2012-05-01 17:26:03 -------- d-----w- C:\Users\Default\AppData\Local\temp

2012-04-29 14:36:06 . 2012-04-29 14:36:36 -------- d-----w- C:\Program Files\ERUNT

2012-04-24 19:27:25 . 2012-04-24 19:27:43 -------- d-----w- C:\Program Files\Microsoft LifeCam

2012-04-24 19:27:14 . 2009-09-04 21:29:32 1974616 ----a-w- C:\Windows\system32\D3DCompiler_42.dll

2012-04-24 19:27:14 . 2009-09-04 21:29:30 1892184 ----a-w- C:\Windows\system32\D3DX9_42.dll

2012-04-18 18:23:01 . 2012-04-18 18:23:01 -------- d-----w- C:\Program Files\Common Files\Skype

2012-04-15 13:14:27 . 2012-04-15 13:14:27 418464 ----a-w- C:\Windows\system32\FlashPlayerApp.exe

2012-04-14 20:01:14 . 2012-04-14 20:01:14 -------- d-----w- C:\Program Files\Research In Motion Limited

2012-04-11 12:39:56 . 2012-04-11 12:39:56 -------- d-----w- C:\Users\Default\AppData\Local\Microsoft Help

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-04-15 13:14:27 . 2011-06-01 12:09:12 70304 ----a-w- C:\Windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 19:56:40 . 2011-06-19 10:53:29 22344 ----a-w- C:\Windows\system32\drivers\mbam.sys

2012-02-23 14:18:36 . 2009-10-04 19:51:12 237072 ------w- C:\Windows\system32\MpSigStub.exe

2012-02-14 16:09:44 . 2012-02-14 16:09:44 1070352 ----a-w- C:\Windows\system32\MSCOMCTL.OCX

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-01 06:57:23 39408]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-07-03 05:52:21 135680]

"Octoshape Streaming Services"="C:\Users\Carl\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 13:44:06 70936]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 02:25:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="C:\Windows\system32\thpsrv" [X]

"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2009-03-13 21:02:50 150040]

"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2009-03-13 21:02:38 178712]

"Persistence"="C:\Windows\system32\igfxpers.exe" [2009-03-13 21:02:46 154136]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2009-04-03 01:51:44 233472]

"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-05-06 21:54:14 7440928]

"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-09 21:23:04 191552]

"TWebCamera"="C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-04-17 01:42:54 2513472]

"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-03-07 01:29:04 468320]

"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2009-03-09 22:51:46 55160]

"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2008-12-18 21:34:24 448376]

"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-03-23 17:50:40 729088]

"Teco"="C:\Program Files\TOSHIBA\TECO\Teco.exe" [2009-04-24 18:40:08 1323008]

"coreworks"="C:\Program Files\TOSHIBA WWAN Manager\bin\gbxapp.exe" [2009-06-09 02:19:52 637416]

"SmartFaceVWatcher"="C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-03-25 02:33:42 163840]

"NDSTray.exe"="C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-13 05:26:42 299008]

"cfFncEnabler.exe"="C:\Program Files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 20:53:40 16384]

"TANU"="C:\Program Files\TOSHIBA\TANU\TANU.exe" [2009-03-28 19:30:44 263560]

"TUSBSleepChargeSrv"="C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-03-28 04:40:46 252288]

"TosSENotify"="C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-04-24 03:01:24 1011712]

"PCMAgent"="C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2009-02-17 00:09:36 143360]

"CLMLServer"="C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2009-02-17 00:09:44 196608]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 22:58:10 37296]

"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 04:59:06 937920]

"RIMBBLaunchAgent.exe"="C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 15:47:12 79192]

"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 01:28:32 59240]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2011-10-24 19:28:52 421888]

"PDFPrint"="C:\Program Files\pdf24\pdf24.exe" [2011-12-16 17:54:22 220744]

"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 18:06:06 254696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2012-03-06 23:05:34 421736]

"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 12:56:50 258512]

"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 19:27:24 119152]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Secunia PSI Tray.lnk - C:\Program Files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\google\google~3\goec62~1.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 13:14:27 253088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

Contents of the 'Scheduled Tasks' folder

2012-05-01 C:\Windows\Tasks\Adobe Flash Player Updater.job

- C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 13:14:27 . 2012-04-15 13:14:27]

2012-05-01 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-02 01:50:29 . 2010-02-02 01:50:22]

2012-05-01 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-02 01:50:29 . 2010-02-02 01:50:22]

------- Supplementary Scan -------

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2CE2B1B3-C808-42AE-BE4D-50F976A14FCF}: NameServer = 172.24.24.10

- - - - ORPHANS REMOVED - - - -

BHO-{17DD4CCF-48AC-481F-A8A9-8B65774437F7} - C:\Windows\system32\audiodev32.dll

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Adobe - C:\Users\Carl\AppData\Local\Google\Adobe\ihkpbqo.dll


shall I reboot the computer? At least I could just close the ComboFix window and open IE.

If it has not rebooted, then Restart Windows fresh.

Do NOT run the ESET online scan (not yet). Turn off the screensaver option until after we are all finished with this case.

Tell me if you know how to ZIP a file. I'd like to see if you could email to me a file or two.


Since you had an indication of an Alureon infection recently, I need to make you aware of the following.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, take screenshots, log passwords, and start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

Then a new run with an Updated MBAM:

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in the second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with a copy of contents of MBAM scan log.


Here is the MBAM log:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.02.02

Windows Vista Service Pack 1 x86 NTFS

Internet Explorer 8.0.6001.19088

Carl :: CARL-NOTEBOOK [administrator]

5/2/2012 8:06:36 AM

mbam-log-2012-05-02 (08-06-36).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 350038

Time elapsed: 2 hour(s), 14 minute(s), 31 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Adobe (Trojan.Sefnit.Hap) -> Data: rundll32.exe "C:\Users\Carl\AppData\Local\Google\Adobe\ihkpbqo.dll",DllRegisterServer -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Qoobox\Quarantine\C\Users\Carl\AppData\Local\Google\Adobe\ihkpbqo.dll.vir (Trojan.Tracur) -> Quarantined and deleted successfully.

C:\Users\Carl\AppData\Local\Google\Adobe\xyqwy.dll (Trojan.Tracur) -> Quarantined and deleted successfully.

(end)


The MBAM run did do a fine job, but it also found 1 new trojan (removed).

As a follow-up, I'd like for you to do an online scan at ESET (this is the run I intended earlier & put aside).

I need for you to verify that any screensaver setting is set to OFF.

I also need for you, IF your pc is a laptop/notebook, to make sure it is connected to wall power, so we don't have to worry about low battery power.

I expect the scan may take around 1.5 to 2 hours.

Close and save any open documents/files. Do NOT use the system for anything else other than this scan.

You will want to print out or copy these instructions to Notepad for offline reference!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall.

Close all open browsers at this point.

Start Internet Explorer (fresh) by pressing Start >> Internet Explorer >> Right-Click and select Run As Administrator.

Using Internet Explorer browser only, go to ESET Online Scanner website:

http://www.eset.com/onlinescan/

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files (x86)\Eset\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://go.eset.com/u...ine-scanner/faq

    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
    • Do not use the system while the scan is running. Once the full scan is underway, go take a long break.

When all done:

Re-enable the antivirus program.

Reply with a copy of the ESET scan log.


In the ESET log file I could only see the following text:

as CAB hook log:

OnlineScanner.ocx - registred OK

I don't know if you can do something with that? I still have the results window open, shall I copy what is in there? 1 infected file was found and cleaned, the threat was called win32/Boaxxe.C trojan.

Also, is it advisable to check the boxes "Uninstall application on close" and/or "Delete quarantined files"?


So lots of, ehm, "interesting" things happened after the ESET scan.

I decided to write the results to a text file:

C:\Users\Carl\AppData\Roaming\Avira\Avira\hqsysrld.dll Win32/Boaxxe.C trojan cleaned by deleting - quarantined

Then I checked both boxes "Uninstall application on close" and "Delete quarantined files" and closed ESET, as I wanted to shut down the computer. Being tired, I did forget to enable Avira before shutting down.

When starting up the computer this morning, I received the message that the computer could not start up due to recent hardware/software changes. So I chose startup repair and restore, after which the computer did start up.

Then the following message popped up: Error loading ihkpbqo.dll. Access is denied. This is already the second time I see this message btw, I just thought the last time that that was normal after scanning and removing malware.

I also got the "Windows has recovered from an unexpected shutdown" window with the following problem details:

Problem signature:

Problem Event Name: BlueScreen

OS Version: 6.0.6001.2.1.0.768.3

Locale ID: 1033

Additional information about the problem:

BCCode: f4

BCP1: 00000003

BCP2: 8915C830

BCP3: 8915C97C

BCP4: 824717E0

OS Version: 6_0_6001

Service Pack: 1_0

Product: 768_1

Files that help describe the problem:

C:\Windows\Minidump\Mini050312-01.dmp

C:\Users\Carl\AppData\Local\Temp\WER-84661-0.sysdata.xml

C:\Users\Carl\AppData\Local\Temp\WER88FD.tmp.version.txt

And then, last but not least, there was also an Avira warning saying that a virus/unwanted program was found, named TR/Trash.Gen in file C:\Users\Carl\AppData\Google\...\ihkpbqo.dll

The only action I could choose was move to quarantine, which I did.


It appears that by doing the restore option, the rogue DLL was re-introduced. At least within the registry, and probably in your user appdata folder too.

The ihkpbqo.dll was removed before by Combofix and by MBAM too.

I need to know if anyone has done any websurfing in the past couple of days? (I mean other than this forum or the sites I had you get tools from.)

I need for you all to put a quarantine on this pc (NO websurfing, no online shopping, no banking.)

Not even reading online news, weather, etc.

Just only go to this forum and the websites I guide you to.

You should have DDS utility on your Desktop from before.

Then RIGHT click dds.scr and select Run as Administrator to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

NEXT:

Save and close any work documents, close any apps that you started.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in the second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a QUICK Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with a copy of DDS.txt, Attach.txt, and the latest MBAM scan log.

There will be much more to do since now we are almost back to the Day 1 problem-status. :wacko:

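The loading points this thread keeps chasing are all visible in the tool output above: an HKCU Run value named "Adobe" that launches rundll32.exe with DllRegisterServer on a DLL under AppData, a BHO whose CLSID resolves to audiodev32.dll, a toolbar CLSID with no file behind it, and an AppInit_DLLs value (which injects its DLLs into every process that loads user32.dll). As an added example, not part of the thread or of DDS, ComboFix or MBAM, the Python script below triages DDS-style "Pseudo HJT Report" lines for exactly those patterns; the sample log is constructed from entries of the kind shown here, and the heuristics (DLL in a user-writable directory, nameless or hex-named BHO, rundll32 DllRegisterServer autorun, toolbar with no file) are my own assumptions that flag entries for review rather than pass verdicts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the DDS "Pseudo HJT Report" format, modelled on entries
# of the kind seen in this thread (not a real captured log).
SAMPLE_LOG = r"""
BHO: {17dd4ccf-48ac-481f-a8a9-8b65774437f7} - c:\windows\system32\audiodev32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: 96f8244b: {32d19711-e290-8fdc-42b4-effd46023ab9} - c:\programdata\audiodev32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Octoshape Streaming Services] "c:\users\carl\appdata\roaming\octoshape\OctoshapeClient.exe" -inv:bootrun
uRun: [Adobe] rundll32.exe ",DllRegisterServer
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
AppInit_DLLs: c:\progra~1\google\google~3\goec62~1.dll, c:\programdata\audiodev32.dll
"""

# Directories a standard user can write to. A loading point there is not proof
# of malware (Octoshape is legitimate), but it is where this thread's rogue DLLs lived.
USER_WRITABLE = re.compile(r"(?:^|\\)(?:programdata|progra~2|users|appdata|temp)\\", re.I)
# "rundll32 <dll>,DllRegisterServer" used as an autorun; an empty <dll> is an orphaned loader.
RUNDLL_REG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]*)"?\s*,\s*DllRegisterServer', re.I)
# BHO names such as "96f8244b" are typically generated, not product names (assumption).
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.I)
BHO_RE = re.compile(r"^(?:(?P<name>.+?): )?(?P<clsid>\{[0-9a-f-]{36}\}) - (?P<path>.+)$", re.I)
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str                                   # run | bho | toolbar | appinit
    line: str                                   # the original log line
    reasons: list = field(default_factory=list)  # why it deserves a second look


def triage_line(line):
    """Return a Finding for one DDS report line, or None if nothing stands out."""
    line = line.strip()
    if ":" not in line:
        return None
    key, rest = (part.strip() for part in line.split(":", 1))
    reasons = []
    kind = None
    if key in ("uRun", "mRun"):                 # HKCU / HKLM ...\CurrentVersion\Run
        kind = "run"
        m = RUN_RE.match(rest)
        if not m:
            return None
        cmd = m["cmd"]
        r = RUNDLL_REG.search(cmd)
        if r and not r.group(1).strip():
            reasons.append("rundll32 DllRegisterServer with missing DLL path (orphaned loader)")
        elif r:
            reasons.append(f"rundll32 DllRegisterServer loads {r.group(1).strip()} at logon")
        if USER_WRITABLE.search(cmd):
            reasons.append("autorun target lives in a user-writable directory")
    elif key == "BHO":                          # Browser Helper Object loaded into IE
        kind = "bho"
        m = BHO_RE.match(rest)
        if not m:
            return None
        if m["name"] is None:
            reasons.append("BHO registered without a friendly name")
        elif HEX_NAME.match(m["name"]):
            reasons.append(f"BHO name {m['name']!r} looks machine-generated")
        if USER_WRITABLE.search(m["path"]):
            reasons.append("BHO DLL lives in a user-writable directory")
    elif key == "TB":                           # IE toolbar
        kind = "toolbar"
        if rest.lower().endswith("no file"):
            reasons.append("toolbar CLSID registered but its file is gone (orphan)")
    elif key == "AppInit_DLLs":                 # injected into every process that loads user32.dll
        kind = "appinit"
        bad = [d.strip() for d in rest.split(",") if USER_WRITABLE.search(d.strip())]
        if bad:
            reasons.append("AppInit_DLLs injects DLL(s) from a user-writable directory "
                           "into every process that loads user32.dll: " + ", ".join(bad))
    return Finding(kind, line, reasons) if reasons else None


def triage(log_text):
    """Run triage_line over a whole report and return the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}")
        for why in f.reasons:
            print(f"    - {why}")
```

Paste the "Pseudo HJT Report" section of a real DDS.txt into SAMPLE_LOG (or read it from a file) to get the same review list for another machine; every flagged line still needs a human to decide whether it is a known product or a leftover like the ones above.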

Sorry for the late reply, but here is the latest as requested above. Thanks!

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.19088

Run by Carl at 21:31:52 on 2012-05-04

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3034.1474 [GMT -4:00]

.

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}

SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\QUALCOMM\QDLService\QDLService.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\ThpSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

C:\Windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\TOSHIBA\TECO\TecoService.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Secunia\PSI\sua.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\ltmoh\ltmoh.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\TOSHIBA\TECO\TEco.exe

C:\Program Files\TOSHIBA WWAN Manager\bin\gbxApp.exe

C:\Windows\System32\ThpSrv.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\TOSHIBA\TANU\TANU.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

C:\Program Files\pdf24\pdf24.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Windows\ehome\ehtray.exe

C:\Users\Carl\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\Windows\system32\igfxext.exe

C:\program files\toshiba wwan manager\bin\gbx4log.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehRecvr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

uInternet Settings,ProxyOverride = *.local

BHO: {17dd4ccf-48ac-481f-a8a9-8b65774437f7} - c:\windows\system32\audiodev32.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: 96f8244b: {32d19711-e290-8fdc-42b4-effd46023ab9} - c:\programdata\audiodev32.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [Octoshape Streaming Services] "c:\users\carl\appdata\roaming\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Adobe] rundll32.exe ",DllRegisterServer

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe

mRun: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r

mRun: [coreworks] "c:\program files\toshiba wwan manager\bin\gbxapp.exe" runatstartup

mRun: [smartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

mRun: [ThpSrv] c:\windows\system32\thpsrv /logon

mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"

mRun: [cfFncEnabler.exe] "c:\program files\toshiba\configfree\cfFncEnabler.exe"

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [TANU] %ProgramFiles%\TOSHIBA\TANU\TANU.exe

mRun: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe

mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosSENotify.exe

mRun: [PCMAgent] "c:\program files\cyberlink\powercinema for toshiba\PCMAgent.exe"

mRun: [CLMLServer] "c:\program files\cyberlink\powercinema for toshiba\kernel\clml\CLMLSvc.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [PDFPrint] c:\program files\pdf24\pdf24.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://webmail.worldbank.org/dwa85W.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://webmail.worldbank.org/dwa8W.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webmail.worldbank.org/dwa7W.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2CE2B1B3-C808-42AE-BE4D-50F976A14FCF} : NameServer = 172.24.24.10

TCP: Interfaces\{96FB2830-CE1A-44CA-AC71-EBDAABF3DC2D} : DhcpNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~3\goec62~1.dll, c:\programdata\audiodev32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2009-3-25 30272]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 13336]

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-4-1 36000]

R1 PMCF;PMCF;c:\windows\system32\drivers\PMCF.sys [2009-6-1 14856]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-4-1 86224]

R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-4-1 110032]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-4-1 74640]

R2 camsvc;TOSHIBA Web Camera Service;c:\program files\toshiba\toshiba web camera application\TWebCameraSrv.exe [2009-7-22 20544]

R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]

R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\qdlservice\QDLService.exe [2009-3-19 345336]

R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2009-7-22 45056]

R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2009-7-22 38400]

R2 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-2-19 57344]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]

R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]

R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-4-24 176128]

R2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-3-17 73728]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-22 112128]

R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]

R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-7-22 22272]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

R3 qcfilterTSH;Toshiba USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterTSH.sys [2009-3-19 5248]

R3 qcusbnetTSH;Toshiba USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetTSH.sys [2009-3-19 115200]

R3 qcusbserTSH;Toshiba USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserTSH.sys [2009-3-19 104448]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]

S2 THREADORDER32;Thread Ordering Server ;c:\windows\system32\pnpxassoc32.exe --> c:\windows\system32\PNPXAssoc32.exe [?]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-15 257696]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]

S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-1-29 30576]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-05-05 01:14:05 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e33b9d23-a3f0-47d7-a3e9-18bd83c742c2}\mpengine.dll

2012-05-01 17:27:48 -------- d-sh--w- C:\$RECYCLE(0).BIN

2012-05-01 17:12:44 -------- d-----w- C:\ComboFix

2012-05-01 13:58:07 -------- d-----w- C:\_OTL

2012-04-29 15:08:21 -------- d-----w- C:\ARK

2012-04-24 19:27:25 -------- d-----w- c:\program files\Microsoft LifeCam

2012-04-24 19:27:14 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2012-04-24 19:27:14 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2012-04-15 13:14:27 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-14 20:01:14 -------- d-----w- c:\program files\Research In Motion Limited

.

==================== Find3M ====================

.

2012-05-05 01:29:03 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-23 14:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-02-14 16:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX

.

============= FINISH: 21:32:23.91 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 7/22/2009 6:37:14 PM

System Uptime: 5/4/2012 5:24:45 PM (4 hours ago)

.

Motherboard: TOSHIBA | | To be filled by O.E.M.

Processor: Intel® Core2 Duo CPU T6500 @ 2.10GHz | CPU 1 | 1200/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 138 GiB total, 79.675 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP769: 5/3/2012 7:53:15 AM - Windows Update

RP770: 5/4/2012 3:00:13 AM - Scheduled Checkpoint

RP771: 5/4/2012 9:13:09 PM - Windows Update

.

==== Installed Programs ======================

.

32 Bit HP CIO Components Installer

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 9.4.6

ALPS Touch Pad Driver

Amazon Links

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Artweaver 1.0

Avira Free Antivirus

BlackBerry App World Browser Plugin

BlackBerry Desktop Software 6.1

BlackBerry Device Software v7.0.0 for the BlackBerry 9900 smartphone

Bonjour

Compatibility Pack for the 2007 Office system

CyberLink PowerCinema for TOSHIBA

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

Direct DiscRecorder

DJ_AIO_05_F4400_Software_Min

Dolby Control Center

DVD MovieFactory for TOSHIBA

ERUNT 1.1j

Exstora Pro 2.5

Google Toolbar for Internet Explorer

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Deskjet F4400 Printer Driver 14.0 Rel. 5

Ilwis

Intel PROSet Wireless

Intel® Graphics Media Accelerator Driver

Intel® PROSet/Wireless WiFi Software

Intel® Matrix Storage Manager

iTunes

Java Auto Updater

Java 6 Update 29

LightScribe 1.4.124.1

Malwarebytes Anti-Malware version 1.61.0.1400

Mathe Klasse 11-13

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Corporation

Microsoft LifeCam

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Home and Student 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Works

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Netzero Internet Access Installer

Norton Internet Security

Octoshape Streaming Services

PDF24 Creator 4.1.2

Picasa 3

PlayReady PC runtime

Qualcomm Gobi Single Installer Package for Toshiba

QuickBooks Financial Center

QuickTime

Realtek 8136 8168 8169 Ethernet Driver

Realtek High Definition Audio Driver

Recuva

RICOH R5U230 Media Driver ver.2.02.02.01

Scan

Secunia PSI (2.0.0.4003)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition

Skype web features

Skype™ 5.8

Spelling Dictionaries Support For Adobe Reader 9

Toolbox

TOSHIBA Agreement Notification Utility

Toshiba Application and Driver Installer

TOSHIBA Assist

TOSHIBA ConfigFree

TOSHIBA Disc Creator

TOSHIBA DVD PLAYER

TOSHIBA eco Utility

TOSHIBA Extended Tiles for Windows Mobility Center

TOSHIBA Face Recognition

TOSHIBA Hardware Setup

TOSHIBA HDD Protection

TOSHIBA HDD/SSD Alert

TOSHIBA Internal Modem Region Select Utility

Toshiba Quality Application

TOSHIBA Recovery Disc Creator

Toshiba Registration

Toshiba Resources Page

TOSHIBA SD Memory Utilities

TOSHIBA Software Modem

TOSHIBA Speech System Applications

TOSHIBA Speech System SR Engine(U.S.) Version1.0

TOSHIBA Speech System TTS Engine(U.S.) Version1.0

TOSHIBA Supervisor Password

TOSHIBA USB Sleep and Charge Utility

TOSHIBA Value Added Package

TOSHIBA Web Camera Application

TOSHIBA WWAN Manager

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

VoiceOver Kit

WildTangent Games

.

==== Event Viewer Messages From Past Week ========

.

5/3/2012 7:51:08 AM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.125.655.0 Loading engine version: 1.1.8304.0

5/3/2012 7:50:24 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.

5/3/2012 7:49:45 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Center Scheduler Service service to connect.

5/3/2012 7:49:45 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service ehSched with arguments "-Service" in order to run the server: {4B635ECB-0887-4015-8CA6-D621362F98D1}

5/1/2012 9:58:09 AM, Error: Service Control Manager [7034] - The TOSHIBA HDD Protection service terminated unexpectedly. It has done this 1 time(s).

5/1/2012 1:15:26 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

4/29/2012 11:26:37 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

4/29/2012 11:26:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

4/29/2012 11:26:12 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr DfsC NetBIOS netbt nsiproxy PMCF PSched RasAcd rdbss Smb spldr ssmdrv tdx Wanarpv6

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

4/29/2012 11:26:12 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

4/29/2012 11:25:53 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

4/29/2012 11:25:53 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

4/29/2012 11:25:53 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

4/29/2012 11:25:51 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

4/29/2012 11:25:43 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

4/29/2012 11:24:47 AM, Error: EventLog [6008] - The previous system shutdown at 11:22:33 AM on 4/29/2012 was unexpected.

4/29/2012 11:10:29 AM, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.

4/28/2012 4:32:37 PM, Error: Service Control Manager [7022] - The MSCamSvc service hung on starting.

4/28/2012 3:29:10 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user Carl-notebook\Carl SID (S-1-5-21-2291974740-4036391792-2128109495-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

.

==== End Of File ===========================

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.05.02

Windows Vista Service Pack 1 x86 NTFS

Internet Explorer 8.0.6001.19088

Carl :: CARL-NOTEBOOK [administrator]

5/4/2012 9:38:43 PM

mbam-log-2012-05-04 (21-38-43).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 202855

Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\Users\Carl\AppData\Roaming\Avira\Avira\hqsysrld.dll (Trojan.Happili.XGen) -> Quarantined and deleted successfully.

C:\Users\Carl\AppData\Local\Temp\nsv6FD5.tmp\ihkpbqo.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Users\Carl\AppData\Local\Temp\nsv6FD5.tmp\xyqwy.dll (Trojan.Happili) -> Quarantined and deleted successfully.

C:\Users\Carl\AppData\Local\Temp\nsxE2A7.tmp\arroibs.dll (Trojan.Happili.XGen) -> Quarantined and deleted successfully.

C:\Users\Carl\AppData\Local\Temp\nsxE2A7.tmp\hqsysrld.dll (Trojan.Happili.XGen) -> Quarantined and deleted successfully.

(end)

Edited by Maurice Naggar
emphasis added
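
As an added example (not code from this thread or from the DDS, OTL or Malwarebytes tools), a small Python triage of DDS-style log lines of the kind shown above: it flags AppInit_DLLs entries loaded from outside the Windows and Program Files trees, such as c:\programdata\audiodev32.dll, and services whose registered image DDS could not read (the [?] marker on the THREADORDER32 entry). The sample lines are constructed from entries in the log above; the trusted-directory list is an assumption for a 32-bit Vista install.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape DDS prints its AppInit_DLLs line and its
# "SERVICES / DRIVERS" entries; the values mirror entries from the log above.
SAMPLE_LOG = r"""
AppInit_DLLs: c:\progra~1\google\google~3\goec62~1.dll, c:\programdata\audiodev32.dll
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-4-1 36000]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-4-1 110032]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\qdlservice\QDLService.exe [2009-3-19 345336]
S2 THREADORDER32;Thread Ordering Server ;c:\windows\system32\pnpxassoc32.exe --> c:\windows\system32\PNPXAssoc32.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
"""

# R = running, S = stopped; the digit is the start type (0 boot, 1 system,
# 2 auto, 3 manual). Then name;display name;image path [date size] or [?].
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+)$")

# Assumed list of directories from which drivers, services and AppInit DLLs
# are normally loaded on a 32-bit Vista system like the one in the thread.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)


@dataclass
class Service:
    state: str       # "R" or "S"
    start_type: int  # 0..4
    name: str
    display: str
    image: str       # as DDS prints it, possibly "listed --> resolved"
    stamp: str       # "YYYY-M-D size", or "?" when DDS could not read the file


@dataclass
class Finding:
    severity: str    # "high" or "review"
    source: str      # "appinit" or "service"
    item: str        # DLL path or service name
    reason: str


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def parse_service(line: str) -> Optional[Service]:
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, start, name, display, image, stamp = m.groups()
    return Service(state, int(start), name, display.strip(), image.strip(), stamp.strip())


def triage(text: str) -> List[Finding]:
    """Return the entries a helper would look at first in a DDS-style log."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = APPINIT_RE.match(line)
        if m:
            # Every DLL listed here is mapped into every process that loads
            # user32.dll, so an entry outside the normal install trees is the
            # classic persistence spot (audiodev32.dll in this thread).
            for dll in (p.strip() for p in m.group(1).split(",") if p.strip()):
                if not is_trusted_path(dll):
                    findings.append(Finding("high", "appinit", dll,
                        "AppInit_DLLs entry outside Windows/Program Files"))
            continue
        svc = parse_service(line)
        if svc is None:
            continue
        if svc.stamp == "?":
            # DDS prints [?] instead of date and size when it cannot read the
            # registered image: the service points at a file that is not there.
            findings.append(Finding("high", "service", svc.name,
                f"registered image not readable on disk: {svc.image}"))
        elif not is_trusted_path(svc.image):
            findings.append(Finding("review", "service", svc.name,
                f"image outside the usual install directories: {svc.image}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.source:8} {f.item}: {f.reason}")
```

The "review" severity is deliberately noisy (QDLService under c:\qualcomm is legitimate here); it only orders what to look at, it does not decide.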

We need more follow-ups after this. MBAM found trojans in the last run. Not a good sign if it happens again.

Do the following next:

Download TFC by OldTimer and SAVE it to your desktop

  • Double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 2

Save and close any work documents, close any apps that you started.

Turn OFF Avira antivirus.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner settings sub-tab in second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a FULL Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When done, turn ON Avira antivirus.

Reply with copy of the latest MBAM scan log.

Give me an idea of how the system is?

Tell me if anyone has been surfing the web in the past 2/3 days :excl:

iirc, I remember I requested you'all quarantine this system and do no websurfing !


Thanks for the immediate response and guidance. As recommended, in the last few days NO internet activity or any other program activity has been conducted on the computer, except malwarebytes. In fact the computer was completely switched off for 1 day.

The last scan with MBAM showed no suspicious programs found. Please see log below. Thanks!

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.05.06

Windows Vista Service Pack 1 x86 NTFS

Internet Explorer 8.0.6001.19088

Carl :: CARL-NOTEBOOK [administrator]

5/5/2012 10:52:34 AM

mbam-log-2012-05-05 (10-52-34).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 341932

Time elapsed: 1 hour(s), 32 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


I am glad that the last MBAM scan detected nothing. That is a relief. But we still need more checks.

Step 1

Temporarily turn OFF your Avira antivirus.

Right-click the Avira icon in your taskbar tray area & UN-tick Real-time protection enable

Step 2

Next, if you have an earlier copy of RogueKiller, delete it.

  • Download & SAVE to your Desktop >> Tigzy's RogueKiller from here << or >> from here <<
  • Quit all programs that you may have started.
  • For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run. For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop

Step 2

You have RKILL from before.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
  • If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Step 3

Please close any of your open windows/programs and exit; saving any open work you have.

I'd like to have you do a special run of OTL to generate some searches & a new log-report.

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %ALLUSERSPROFILE%\Application Data\*.dll /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %APPDATA%\*.dll /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    themeui.dll
    beep.sys
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %USERPROFILE%\..|smtmp;true;true;true /FP
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on Run Scan.
  • The scan won't take long. But in any event have infinite patience:excl:

When all completed, RE-Enable your Avira

Right-click the Avira icon in your taskbar tray area & Check Real-time protection enable

Please copy (Edit->Select All, Edit->Copy) & Paste into reply the contents of RKReport.txt

and OTL.txt


Thanks for your help! Please see below the two reports, as requested. Thanks!

OTL logfile created on: 5/5/2012 9:18:01 PM - Run 2

OTL by OldTimer - Version 3.2.42.2 Folder = C:\Users\Carl\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.19088)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 1.89 Gb Available Physical Memory | 63.95% Memory free

6.12 Gb Paging File | 4.87 Gb Available in Paging File | 79.57% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 138.28 Gb Total Space | 79.49 Gb Free Space | 57.48% Space Free | Partition Type: NTFS

Computer Name: CARL-NOTEBOOK | User Name: Carl | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/30 15:17:48 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Carl\Desktop\OTL.exe

PRC - [2012/01/31 08:57:32 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

PRC - [2012/01/31 08:57:06 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe

PRC - [2012/01/31 08:56:50 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

PRC - [2012/01/31 08:56:50 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe

PRC - [2011/12/16 13:54:22 | 000,220,744 | ---- | M] (Geek Software GmbH) -- C:\Program Files\pdf24\pdf24.exe

PRC - [2011/10/14 02:01:50 | 000,994,360 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe

PRC - [2011/10/14 02:01:48 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe

PRC - [2011/10/14 02:01:46 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe

PRC - [2011/02/18 11:47:12 | 000,079,192 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

PRC - [2010/05/20 15:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe

PRC - [2009/06/08 22:19:54 | 000,117,224 | ---- | M] (Toshiba) -- C:\Program Files\TOSHIBA WWAN Manager\bin\gbx4log.exe

PRC - [2009/06/08 22:19:52 | 000,637,416 | ---- | M] (Toshiba) -- C:\Program Files\TOSHIBA WWAN Manager\bin\gbxApp.exe

PRC - [2009/05/13 01:26:42 | 000,299,008 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

PRC - [2009/04/24 14:40:38 | 000,176,128 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TECO\TecoService.exe

PRC - [2009/04/24 14:40:08 | 001,323,008 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TECO\TEco.exe

PRC - [2009/04/23 23:01:24 | 001,011,712 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

PRC - [2009/04/16 21:42:58 | 000,020,544 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe

PRC - [2009/03/30 19:57:22 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe

PRC - [2009/03/28 15:30:44 | 000,263,560 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TANU\TANU.exe

PRC - [2009/03/23 13:50:40 | 000,729,088 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

PRC - [2009/03/19 13:20:12 | 000,345,336 | ---- | M] (QUALCOMM, Inc.) -- C:\Qualcomm\QDLService\QDLService.exe

PRC - [2009/03/17 14:49:04 | 000,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

PRC - [2009/03/10 21:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

PRC - [2009/03/10 21:50:36 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

PRC - [2009/03/06 21:29:16 | 000,464,224 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

PRC - [2009/03/06 21:29:04 | 000,468,320 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

PRC - [2009/02/19 17:52:38 | 000,057,344 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe

PRC - [2009/02/16 20:09:44 | 000,196,608 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe

PRC - [2009/02/16 20:09:36 | 000,143,360 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe

PRC - [2009/02/01 01:43:30 | 000,049,250 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\hidfind.exe

PRC - [2008/12/18 17:34:24 | 000,448,376 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe

PRC - [2008/10/16 20:26:20 | 000,860,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe

PRC - [2008/10/16 19:54:34 | 000,466,944 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

PRC - [2008/08/22 13:26:38 | 000,523,320 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\ThpSrv.exe

PRC - [2008/01/20 22:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe

PRC - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe

PRC - [2007/01/09 17:23:04 | 000,191,552 | ---- | M] (Agere Systems) -- C:\Program Files\ltmoh\ltmoh.exe

PRC - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe

========== Modules (No Company Name) ==========

MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll

MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll

MOD - [2009/06/08 22:20:10 | 000,502,248 | ---- | M] () -- c:\Program Files\TOSHIBA WWAN Manager\bin\OsifUtils.dll

MOD - [2009/06/08 22:20:04 | 000,276,968 | ---- | M] () -- c:\Program Files\TOSHIBA WWAN Manager\bin\mdvauthapi32.dll

MOD - [2009/06/08 22:19:58 | 002,824,680 | ---- | M] () -- c:\Program Files\TOSHIBA WWAN Manager\bin\connmgr.dll

MOD - [2009/03/07 16:15:46 | 007,005,496 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll

MOD - [2009/02/16 20:09:46 | 000,868,352 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMediaLibrary.dll

MOD - [2009/02/16 20:09:42 | 000,007,680 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvcPS.dll

MOD - [2009/01/31 01:11:56 | 000,073,728 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosIPCWraper.dll

MOD - [2008/07/14 13:37:00 | 000,095,544 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\TWarnMsg\TWarnMsg.dll

MOD - [2008/01/20 22:24:29 | 000,368,640 | ---- | M] () -- C:\Windows\System32\msjetoledb40.dll

MOD - [2007/12/19 15:12:38 | 000,077,824 | ---- | M] () -- C:\Program Files\TOSHIBA\HDD Protection\NotifyTHP.dll

MOD - [2006/12/01 20:55:42 | 000,009,216 | ---- | M] () -- C:\Program Files\TOSHIBA\TBS\NotifyTBS.dll

MOD - [2006/10/10 14:44:16 | 000,009,728 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Assist\NotifyX.dll

MOD - [2006/10/07 14:57:04 | 000,053,248 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Disc Creator\NotifyTDC.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Windows\system32\PNPXAssoc32.exe -- (THREADORDER32)

SRV - [2012/05/04 21:29:04 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2012/02/29 08:50:48 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)

SRV - [2012/01/31 08:57:06 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)

SRV - [2012/01/31 08:56:50 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)

SRV - [2011/10/14 02:01:50 | 000,994,360 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\psia.exe -- (Secunia PSI Agent)

SRV - [2011/10/14 02:01:48 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)

SRV - [2010/05/20 15:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)

SRV - [2009/04/24 14:40:38 | 000,176,128 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)

SRV - [2009/04/16 21:42:58 | 000,020,544 | ---- | M] (TOSHIBA) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe -- (camsvc)

SRV - [2009/03/30 19:57:22 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)

SRV - [2009/03/19 13:20:12 | 000,345,336 | ---- | M] (QUALCOMM, Inc.) [Auto | Running] -- C:\Qualcomm\QDLService\QDLService.exe -- (QDLService)

SRV - [2009/03/17 14:49:04 | 000,073,728 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)

SRV - [2009/03/10 21:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)

SRV - [2009/03/06 21:29:16 | 000,464,224 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)

SRV - [2009/02/19 17:52:38 | 000,057,344 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe -- (RSELSVC)

SRV - [2008/11/03 19:15:32 | 000,242,424 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)

SRV - [2008/10/16 20:26:20 | 000,860,160 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)

SRV - [2008/10/16 19:54:34 | 000,466,944 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)

SRV - [2008/08/22 13:26:38 | 000,523,320 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\ThpSrv.exe -- (Thpsrv)

SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)

SRV - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RimUsb.sys -- (RimUsb)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)

DRV - [2012/01/31 08:57:31 | 000,137,416 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)

DRV - [2012/01/31 08:57:31 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)

DRV - [2011/09/16 16:09:17 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)

DRV - [2010/09/01 04:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\psi_mf.sys -- (PSI)

DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)

DRV - [2010/06/06 23:12:22 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)

DRV - [2010/01/29 01:03:58 | 000,030,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nx6000.sys -- (MSHUSBVideo)

DRV - [2009/05/05 02:35:24 | 000,163,328 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)

DRV - [2009/04/23 18:42:44 | 000,014,856 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\PMCF.sys -- (PMCF)

DRV - [2009/04/03 05:37:24 | 000,200,240 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)

DRV - [2009/03/25 20:23:30 | 000,030,272 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\thpdrv.sys -- (Thpdrv)

DRV - [2009/03/19 12:52:14 | 000,115,200 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\qcusbnetTSH.sys -- (qcusbnetTSH)

DRV - [2009/03/19 12:52:14 | 000,104,448 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\qcusbserTSH.sys -- (qcusbserTSH)

DRV - [2009/03/19 12:52:14 | 000,005,248 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\qcfilterTSH.sys -- (qcfilterTSH)

DRV - [2009/03/18 14:44:54 | 000,022,272 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PGEffect.sys -- (PGEffect)

DRV - [2009/02/12 17:43:00 | 000,045,056 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimspe86.sys -- (rimspci)

DRV - [2009/01/27 22:12:14 | 000,279,376 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\tos_sps32.sys -- (tos_sps32)

DRV - [2009/01/14 14:37:32 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdpe86.sys -- (rixdpcie)

DRV - [2008/11/17 10:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel®

DRV - [2008/09/22 09:49:36 | 000,112,128 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®

DRV - [2007/12/14 14:53:24 | 000,024,200 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)

DRV - [2007/11/09 17:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)

DRV - [2007/09/04 13:30:24 | 000,013,336 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\Thpevm.sys -- (Thpevm)

DRV - [2006/11/28 18:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

IE - HKLM\..\SearchScopes,DefaultScope = {76B49697-B060-4BD0-8D47-3D89767A3125}

IE - HKLM\..\SearchScopes\{76B49697-B060-4BD0-8D47-3D89767A3125}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSHB

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = CF 4C DD 17 AC 48 1F 48 A8 A9 8B 65 77 44 37 F7 [binary data]

IE - HKCU\..\SearchScopes,DefaultScope = {76B49697-B060-4BD0-8D47-3D89767A3125}

IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7TSHB_enUS347US347&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\..\SearchScopes\{76B49697-B060-4BD0-8D47-3D89767A3125}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSHB_enUS347US347

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll (Google, Inc.)

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@rim.com/npappworld: C:\Program Files\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll ()

FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKCU\Software\MozillaPlugins\@octoshape.com/Octoshape Streaming Services,version=1.0: C:\Users\Carl\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1101262-0-npoctoshape.dll (Octoshape ApS)

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (Reg Error: Value error.) - {17DD4CCF-48AC-481F-A8A9-8B65774437F7} - C:\Windows\system32\audiodev32.dll File not found

O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O2 - BHO: (96f8244b) - {32D19711-E290-8FDC-42B4-EFFD46023AB9} - C:\ProgramData\audiodev32.dll File not found

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)

O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.

O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)

O4 - HKLM..\Run: [cfFncEnabler.exe] C:\Program Files\TOSHIBA\ConfigFree\cfFncEnabler.exe (Toshiba Corporation)

O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe (CyberLink)

O4 - HKLM..\Run: [coreworks] C:\Program Files\TOSHIBA WWAN Manager\bin\gbxapp.exe (Toshiba)

O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)

O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\ltmoh.exe (Agere Systems)

O4 - HKLM..\Run: [NDSTray.exe] C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION)

O4 - HKLM..\Run: [PCMAgent] C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe (CyberLink Corp.)

O4 - HKLM..\Run: [PDFPrint] C:\Program Files\pdf24\pdf24.exe (Geek Software GmbH)

O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)

O4 - HKLM..\Run: [smartFaceVWatcher] C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [smoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [TANU] C:\Program Files\TOSHIBA\TANU\TANU.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [ThpSrv] C:\Windows\System32\thpsrv.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [TUSBSleepChargeSrv] C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe (TOSHIBA)

O4 - HKLM..\Run: [TWebCamera] C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [Adobe] rundll32.exe ",DllRegisterServer File not found

O4 - HKCU..\Run: [Octoshape Streaming Services] C:\Users\Carl\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)

O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)

O16 - DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} https://webmail.worldbank.org/dwa85W.cab (IBM Lotus iNotes 8.5 Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} https://webmail.worldbank.org/dwa8W.cab (Domino Web Access 8 Control)

O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)

O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} https://webmail.worldbank.org/dwa7W.cab (Domino Web Access 7 Control)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2CE2B1B3-C808-42AE-BE4D-50F976A14FCF}: NameServer = 172.24.24.10

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{96FB2830-CE1A-44CA-AC71-EBDAABF3DC2D}: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) - File not found

O20 - AppInit_DLLs: (C:\ProgramData\audiodev32.dll) - File not found

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\Carl\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O24 - Desktop BackupWallPaper: C:\Users\Carl\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: SRService - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

SafeBootMin: AppMgmt - Service

SafeBootMin: Base - Driver Group

SafeBootMin: Boot Bus Extender - Driver Group

SafeBootMin: Boot file system - Driver Group

SafeBootMin: File system - Driver Group

SafeBootMin: Filter - Driver Group

SafeBootMin: HelpSvc - Service

SafeBootMin: NTDS - File not found

SafeBootMin: PCI Configuration - Driver Group

SafeBootMin: PNP Filter - Driver Group

SafeBootMin: Primary disk - Driver Group

SafeBootMin: sacsvr - Service

SafeBootMin: SCSI Class - Driver Group

SafeBootMin: System Bus Extender - Driver Group

SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers

SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive

SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive

SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller

SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc

SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard

SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse

SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters

SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter

SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System

SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive

SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy

SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers

SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume

SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices

SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: AppMgmt - Service

SafeBootNet: Base - Driver Group

SafeBootNet: Boot Bus Extender - Driver Group

SafeBootNet: Boot file system - Driver Group

SafeBootNet: File system - Driver Group

SafeBootNet: Filter - Driver Group

SafeBootNet: HelpSvc - Service

SafeBootNet: Messenger - Service

SafeBootNet: NDIS Wrapper - Driver Group

SafeBootNet: NetBIOSGroup - Driver Group

SafeBootNet: NetDDEGroup - Driver Group

SafeBootNet: Network - Driver Group

SafeBootNet: NetworkProvider - Driver Group

SafeBootNet: NTDS - File not found

SafeBootNet: PCI Configuration - Driver Group

SafeBootNet: PNP Filter - Driver Group

SafeBootNet: PNP_TDI - Driver Group

SafeBootNet: Primary disk - Driver Group

SafeBootNet: rdsessmgr - Service

SafeBootNet: sacsvr - Service

SafeBootNet: SCSI Class - Driver Group

SafeBootNet: Streams Drivers - Driver Group

SafeBootNet: System Bus Extender - Driver Group

SafeBootNet: TDI - Driver Group

SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers

SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive

SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive

SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller

SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc

SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard

SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse

SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net

SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient

SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService

SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans

SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters

SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter

SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System

SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive

SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers

SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy

SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers

SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume

SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices

SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)

ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -

ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0

ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack

ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework

ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE

ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -

ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx

ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help

ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8

ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools

ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements

ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player

ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access

ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7

ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework

ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll

ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings

ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install

ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding

ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts

ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1

ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player

ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help

ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface

ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP

ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig

ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.dvacm - C:\Program Files\Common Files\Ulead Systems\vio\DVACM.acm (Ulead Systems, Inc.)

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.mpegacm - C:\Program Files\Common Files\Ulead Systems\MPEG\MPEGACM.acm (Ulead Systems, Inc.)

Drivers32: msacm.ulmp3acm - C:\Program Files\Common Files\Ulead Systems\MPEG\ulmp3acm.acm (Ulead systems)

Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)

Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/05/05 21:02:56 | 000,000,000 | ---D | C] -- C:\Users\Carl\Desktop\RK_Quarantine

[2012/05/05 09:22:33 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Carl\Desktop\TFC.exe

[2012/05/01 13:27:48 | 000,000,000 | -HSD | C] -- C:\$RECYCLE(0).BIN

[2012/05/01 13:26:02 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2012/05/01 13:12:44 | 000,000,000 | ---D | C] -- C:\ComboFix

[2012/05/01 13:12:41 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/05/01 09:58:07 | 000,000,000 | ---D | C] -- C:\_OTL

[2012/04/30 15:17:46 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Users\Carl\Desktop\OTL.exe

[2012/04/30 14:18:25 | 002,074,160 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Carl\Desktop\tdsskiller.exe

[2012/04/29 12:49:56 | 000,000,000 | ---D | C] -- C:\Users\Carl\Desktop\Photos

[2012/04/29 12:49:22 | 000,000,000 | ---D | C] -- C:\Users\Carl\Desktop\Administration

[2012/04/29 12:49:09 | 000,000,000 | ---D | C] -- C:\Users\Carl\Desktop\French

[2012/04/29 11:08:21 | 000,000,000 | ---D | C] -- C:\ARK

[2012/04/29 10:40:11 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2012/04/29 10:36:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT

[2012/04/29 10:36:06 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2012/04/27 12:10:11 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Carl\Desktop\dds.scr

[2012/04/24 15:35:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft LifeCam

[2012/04/24 15:27:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft LifeCam

[2012/04/24 15:27:14 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_42.dll

[2012/04/24 15:27:14 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll

[2012/04/18 14:23:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype

[2012/04/18 14:23:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype

[2012/04/15 09:14:27 | 000,419,488 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe

[2012/04/14 16:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\Research In Motion Limited

[1 C:\Users\Carl\Desktop\*.tmp files -> C:\Users\Carl\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/05 21:02:20 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2012/05/05 21:02:20 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2012/05/05 21:02:00 | 001,412,608 | ---- | M] () -- C:\Users\Carl\Desktop\RogueKiller.exe

[2012/05/05 20:56:20 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2012/05/05 20:56:02 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2012/05/05 20:56:02 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2012/05/05 20:55:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/05/05 20:55:48 | 3182,612,480 | -HS- | M] () -- C:\hiberfil.sys

[2012/05/05 12:29:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2012/05/05 11:47:13 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2012/05/05 09:22:37 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Carl\Desktop\TFC.exe

[2012/05/04 21:29:03 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe

[2012/05/04 21:29:03 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl

[2012/05/03 07:47:03 | 168,347,484 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2012/04/30 15:17:48 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Carl\Desktop\OTL.exe

[2012/04/30 14:22:15 | 000,002,613 | ---- | M] () -- C:\Users\Carl\Desktop\Microsoft Word 2010.lnk

[2012/04/30 14:18:32 | 002,074,160 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Carl\Desktop\tdsskiller.exe

[2012/04/30 14:12:12 | 000,304,845 | ---- | M] () -- C:\Users\Carl\Desktop\ListParts.exe

[2012/04/30 14:07:13 | 001,008,141 | ---- | M] () -- C:\Users\Carl\Desktop\rkill.com

[2012/04/29 23:22:07 | 000,047,616 | ---- | M] () -- C:\Users\Carl\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/04/29 10:55:30 | 000,000,512 | ---- | M] () -- C:\Users\Carl\Desktop\MBR.dat

[2012/04/29 10:36:07 | 000,000,744 | ---- | M] () -- C:\Users\Carl\Desktop\NTREGOPT.lnk

[2012/04/29 10:36:07 | 000,000,725 | ---- | M] () -- C:\Users\Carl\Desktop\ERUNT.lnk

[2012/04/27 12:10:13 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Carl\Desktop\dds.scr

[2012/04/24 15:35:22 | 000,001,921 | ---- | M] () -- C:\Users\Public\Desktop\Microsoft LifeCam.lnk

[2012/04/20 11:38:17 | 000,002,571 | ---- | M] () -- C:\Users\Carl\Desktop\Microsoft Excel 2010.lnk

[2012/04/18 14:23:03 | 000,001,878 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk

[2012/04/10 13:50:22 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[1 C:\Users\Carl\Desktop\*.tmp files -> C:\Users\Carl\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/05 21:01:56 | 001,412,608 | ---- | C] () -- C:\Users\Carl\Desktop\RogueKiller.exe

[2012/04/30 14:12:10 | 000,304,845 | ---- | C] () -- C:\Users\Carl\Desktop\ListParts.exe

[2012/04/30 14:07:11 | 001,008,141 | ---- | C] () -- C:\Users\Carl\Desktop\rkill.com

[2012/04/29 11:29:56 | 3182,612,480 | -HS- | C] () -- C:\hiberfil.sys

[2012/04/29 10:55:30 | 000,000,512 | ---- | C] () -- C:\Users\Carl\Desktop\MBR.dat

[2012/04/29 10:36:07 | 000,000,744 | ---- | C] () -- C:\Users\Carl\Desktop\NTREGOPT.lnk

[2012/04/29 10:36:07 | 000,000,725 | ---- | C] () -- C:\Users\Carl\Desktop\ERUNT.lnk

[2012/04/24 15:35:22 | 000,001,921 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft LifeCam.lnk

[2012/04/18 14:23:03 | 000,001,878 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk

[2012/04/15 09:14:28 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2012/01/18 12:51:37 | 000,000,680 | ---- | C] () -- C:\Users\Carl\AppData\Local\d3d9caps.dat

[2012/01/16 22:30:29 | 000,008,823 | ---- | C] () -- C:\Users\Carl\AppData\Local\d1a7ebf0

[2012/01/16 22:30:29 | 000,008,821 | ---- | C] () -- C:\ProgramData\84e2a78c

[2012/01/16 22:30:29 | 000,008,782 | ---- | C] () -- C:\Users\Carl\AppData\Roaming\90570254

[2011/06/12 15:37:25 | 000,000,024 | ---- | C] () -- C:\ProgramData\360b7319

[2010/07/25 09:50:51 | 000,024,064 | ---- | C] () -- C:\Users\Carl\AppData\Roaming\UserTile.png

[2010/06/18 09:27:38 | 000,135,167 | ---- | C] () -- C:\Windows\hpoins37.dat.temp

[2010/06/18 09:27:38 | 000,000,558 | ---- | C] () -- C:\Windows\hpomdl37.dat.temp

[2010/06/15 21:40:51 | 000,134,739 | ---- | C] () -- C:\Windows\hpoins37.dat

[2010/06/15 21:40:51 | 000,000,558 | ---- | C] () -- C:\Windows\hpomdl37.dat

========== Custom Scans ==========

< %ALLUSERSPROFILE%\Application Data\*. >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >

< %ALLUSERSPROFILE%\Application Data\*.dll /s >

< %APPDATA%\*. >

[2012/01/21 12:03:06 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Adobe

[2011/11/29 19:29:26 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Apple Computer

[2009/11/07 22:40:28 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Artweaver

[2012/04/09 13:20:03 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Avira

[2011/11/06 23:06:09 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Blackberry Desktop

[2009/10/18 21:35:22 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\CyberLink

[2009/11/09 08:19:24 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Exstora

[2012/05/03 11:45:33 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\GetRightToGo

[2009/10/04 15:42:25 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Google

[2009/10/04 15:09:56 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Identities

[2010/07/25 09:49:32 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Intel

[2009/10/04 15:17:31 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Macromedia

[2011/06/19 06:53:56 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Malwarebytes

[2006/11/02 08:37:34 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Media Center Programs

[2012/04/16 10:52:33 | 000,000,000 | --SD | M] -- C:\Users\Carl\AppData\Roaming\Microsoft

[2011/05/14 11:49:42 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Mozilla

[2011/05/14 11:49:41 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Octoshape

[2009/10/04 19:23:55 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\OpenOffice.org

[2010/07/25 09:50:51 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\PeerNetworking

[2012/05/03 11:45:35 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\PowerCinema

[2011/11/01 22:12:50 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Research In Motion

[2012/05/03 11:45:35 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Skype

[2012/04/18 08:49:54 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\skypePM

[2012/03/01 22:42:30 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\TOSHIBA

[2011/07/31 17:19:36 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\TP

[2009/10/04 15:08:45 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\WinBatch

< %APPDATA%\*.exe /s >

[2011/10/30 09:56:03 | 000,413,696 | R--- | M] (Acresso Software Inc.) -- C:\Users\Carl\AppData\Roaming\Microsoft\Installer\{5BF4B3ED-682C-4363-95D6-9F741D914B6B}\BlackBerry.exe

[2009/01/08 09:44:06 | 000,070,936 | ---- | M] (Octoshape ApS) -- C:\Users\Carl\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

< %APPDATA%\*.dll /s >

[2011/05/14 11:49:42 | 000,071,960 | ---- | M] (Octoshape ApS) -- C:\Users\Carl\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll

[2011/01/27 09:38:35 | 000,124,184 | ---- | M] (Octoshape ApS) -- C:\Users\Carl\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1101262-0-apoctoshape.dll

[2011/01/27 09:38:36 | 000,436,224 | ---- | M] (Octoshape ApS) -- C:\Users\Carl\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1101262-0-libOctoshapeClient.dll

[2011/01/27 09:38:36 | 000,071,960 | ---- | M] (Octoshape ApS) -- C:\Users\Carl\AppData\Roaming\Octoshape\Octoshape Streaming Services\sua-1101262-0-npoctoshape.dll

< %SYSTEMDRIVE%\*.exe >

[2007/11/07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe

< MD5 for: AGP440.SYS >

[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys

[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys

[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys

[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys

[2008/03/24 23:22:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=2D77788D0B7FE269044F58C86AE099CE -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_3e1ecd89\AGP440.sys

[2008/03/24 23:22:22 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=2D77788D0B7FE269044F58C86AE099CE -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.22142_none_ba734aead7ed1bb6\AGP440.sys

[2008/03/25 23:38:23 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=ED91751834103DB2A74470CD763A49FE -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_e4087235\AGP440.sys

[2008/03/25 23:38:23 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=ED91751834103DB2A74470CD763A49FE -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20800_none_b8b64d46daa7e57a\AGP440.sys

[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >

[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys

[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys

[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys

[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

[2008/06/02 23:29:54 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=9C0E70031905ADBF94EDB9EA14AF943B -- C:\Windows\System32\drivers\atapi.sys

[2008/06/02 23:29:54 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=9C0E70031905ADBF94EDB9EA14AF943B -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7f3e4ed9\atapi.sys

[2008/06/02 23:29:54 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=9C0E70031905ADBF94EDB9EA14AF943B -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22193_none_dd6376773aedb5e4\atapi.sys

[2008/06/02 23:27:21 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E26DDFE464B464DAF1C739122978D1D6 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b7393fc6\atapi.sys

[2008/06/02 23:27:21 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E26DDFE464B464DAF1C739122978D1D6 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20847_none_dbb74a7b3d9afbc1\atapi.sys

< MD5 for: BEEP.SYS >

[2008/01/20 22:23:44 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=67E506B75BD5326A3EC7B70BD014DFB6 -- C:\Windows\System32\drivers\beep.sys

[2008/01/20 22:23:44 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=67E506B75BD5326A3EC7B70BD014DFB6 -- C:\Windows\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.0.6001.18000_none_c420a153079d485b\beep.sys

< MD5 for: CNGAUDIT.DLL >

[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll

[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTOR.SYS >

[2009/02/11 20:26:18 | 000,407,576 | ---- | M] (Intel Corporation) MD5=1ADAA4F16073FD0C7270F451FD024E97 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver64\IaStor.sys

[2009/02/11 20:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys

[2009/02/11 20:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\Windows\System32\drivers\iaStor.sys

[2009/02/11 20:11:50 | 000,329,752 | ---- | M] (Intel Corporation) MD5=71ECC07BC7C5E24C3DD01D8A29A24054 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_ea118ff5\iaStor.sys

< MD5 for: IASTORV.SYS >

[2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys

[2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys

[2008/01/20 22:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys

[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >

[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll

[2008/01/20 22:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll

[2008/01/20 22:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >

[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys

[2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys

[2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys

[2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >

[2008/01/20 22:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll

[2008/01/20 22:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll

[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< MD5 for: THEMEUI.DLL >

[2009/04/11 02:28:24 | 000,615,424 | ---- | M] (Microsoft Corporation) MD5=4CF66D8014ECB3BF517E38C5B90AAC74 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-themeui_31bf3856ad364e35_6.0.6002.18005_none_86ea0f7f18a2f487\themeui.dll

[2008/01/20 22:23:50 | 000,615,424 | ---- | M] (Microsoft Corporation) MD5=56BA1BD7176DBBFBD037275819DA4AE3 -- C:\Windows\System32\themeui.dll

[2008/01/20 22:23:50 | 000,615,424 | ---- | M] (Microsoft Corporation) MD5=56BA1BD7176DBBFBD037275819DA4AE3 -- C:\Windows\winsxs\x86_microsoft-windows-themeui_31bf3856ad364e35_6.0.6001.18000_none_84fe96731b81293b\themeui.dll

< MD5 for: USERINIT.EXE >

[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe

[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

[2008/01/20 23:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV

[2008/01/20 23:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV

[2008/01/20 23:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV

[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV

[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< >

< End of report >

----

RogueKiller V7.4.3 [05/04/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version

Started in : Normal mode

User: Carl [Admin rights]

Mode: Scan -- Date: 05/05/2012 21:06:09

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{2CE2B1B3-C808-42AE-BE4D-50F976A14FCF} : NameServer (172.24.24.10) -> FOUND

[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{2CE2B1B3-C808-42AE-BE4D-50F976A14FCF} : NameServer (172.24.24.10) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[APPINIT_DLL] HKLM\[...]\Windows : AppInit_DLLs (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL, C:\ProgramData\audiodev32.dll) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[75] : NtCreateSection @ 0x82450689 -> HOOKED (Unknown @ 0x8ED27686)

SSDT[276] : NtRequestWaitReplyPort @ 0x82434415 -> HOOKED (Unknown @ 0x8ED27690)

SSDT[289] : NtSetContextThread @ 0x8249C233 -> HOOKED (Unknown @ 0x8ED2768B)

SSDT[314] : NtSetSecurityObject @ 0x823E0773 -> HOOKED (Unknown @ 0x8ED27695)

SSDT[332] : NtSystemDebugControl @ 0x82404E60 -> HOOKED (Unknown @ 0x8ED2769A)

SSDT[334] : NtTerminateProcess @ 0x823EA2F0 -> HOOKED (Unknown @ 0x8ED27627)

S_SSDT[573] : Unknown -> HOOKED (Unknown @ 0x8ED276AE)

S_SSDT[576] : Unknown -> HOOKED (Unknown @ 0x8ED276B3)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK1655GSX +++++

--- User ---

[MBR] 4ed447942f09798b9f8664d4d8357235

[bSP] d3da0d1885eb30685d47f637ac471de0 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 141597 Mo

2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 293064704 | Size: 9529 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


Turn off your Avira AV so that it does not interfere.

  • Please double-click OTL.exe to run it. (Note: If you are running on Windows 7 or Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in between the **** stars lines **** below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    *****************************************************************
    :OTL
    O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) - File not found
    O20 - AppInit_DLLs: (C:\ProgramData\audiodev32.dll) - File not found
    SRV - File not found [Auto | Stopped] -- C:\Windows\system32\PNPXAssoc32.exe -- (THREADORDER32)
    :Commands
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    *****************************************************************
  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

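The two O20 AppInit_DLLs lines in the fix above (one of them the C:\ProgramData\audiodev32.dll entry RogueKiller flagged) are the injection point this infection used. The following is an added example, not from the thread or from OTL/RogueKiller: a PowerShell audit of that registry value, run from an elevated prompt, that a responder can use before and after such a fix to see exactly what is wired in. The "user-writable location" triage rule is an assumption of mine about where legitimate AppInit DLLs normally live.

```powershell
# Added example (not part of the thread or its tools): audit AppInit_DLLs.
# When LoadAppInit_DLLs is 1, every DLL listed in AppInit_DLLs is loaded into
# every process that maps user32.dll, which is why Tracur-style redirectors
# persist there.
function Get-AppInitDllAudit {
    param(
        # 64-bit Windows keeps a second copy of the key for 32-bit processes;
        # the Wow6432Node path does not exist on a 32-bit machine like the Vista
        # notebook in this thread, so it is skipped silently.
        [string[]]$KeyPaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
        )
    )

    foreach ($keyPath in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-ItemProperty -LiteralPath $keyPath

        # 1 = the listed DLLs are injected. RequireSignedAppInit_DLLs arrived with
        # Windows 7, so on Vista it reads as 0 (not enforced).
        $loadEnabled   = [int]$key.LoadAppInit_DLLs
        $requireSigned = [int]$key.RequireSignedAppInit_DLLs
        $raw           = [string]$key.AppInit_DLLs

        # The value is one REG_SZ string; entries are separated by spaces or commas
        # and are often 8.3 short names (PROGRA~1, GOOGLE~3), exactly as in the log.
        $entries = @($raw -split '[,\s]+' | Where-Object { $_ -ne '' })

        if ($entries.Count -eq 0) {
            [pscustomobject]@{
                Key = $keyPath; LoadAppInit_DLLs = $loadEnabled
                RequireSignedAppInit_DLLs = $requireSigned
                Dll = '(none)'; Verdict = 'value is empty'
            }
            continue
        }

        foreach ($entry in $entries) {
            $path  = [Environment]::ExpandEnvironmentVariables($entry)
            $flags = @()

            if (-not (Test-Path -LiteralPath $path)) {
                # OTL reported both entries on this machine as "File not found".
                # A dangling entry still deserves removal: the loader retries it on
                # every process start, and a still-active dropper may recreate the file.
                $flags += 'file missing'
            }
            else {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            }

            # Triage assumption: legitimate AppInit DLLs live under the Windows or
            # Program Files trees; a directory a standard user can write to
            # (ProgramData, AppData, Temp) is treated as suspect.
            if ($path -match '(?i)\\(ProgramData|Users|AppData|Temp)\\') {
                $flags += 'user-writable location'
            }

            $verdict = 'ok'
            if ($flags.Count -gt 0) { $verdict = 'SUSPICIOUS: ' + ($flags -join ', ') }

            [pscustomobject]@{
                Key = $keyPath; LoadAppInit_DLLs = $loadEnabled
                RequireSignedAppInit_DLLs = $requireSigned
                Dll = $path; Verdict = $verdict
            }
        }
    }
}

Get-AppInitDllAudit | Format-Table -AutoSize -Wrap
```

Run it again after the OTL fix: every key should report "value is empty", and an entry that reappears points at a dropper that is still running.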

Thanks for your help and assistance. This is the following log from OTL. Thanks!

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\ProgramData\audiodev32.dll deleted successfully.

Service THREADORDER32 stopped successfully!

Service THREADORDER32 deleted successfully!

File C:\Windows\system32\PNPXAssoc32.exe not found.

========== COMMANDS ==========

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.42.2 log created on 05062012_213415


I'd like for you to do an online scan at F-Secure

First, turn off Avira so that it does not interfere.

Please perform this online scan: F-Secure Online Scanner

The online scanner is on the bottom right of the page.

Follow the directions in the F-Secure page for proper Installation.

You may receive an alert on the address bar at this point to install the ActiveX control.

Click on that alert and then click "Install ActiveX component".

Read the license agreement and click "Accept".

Click "Custom Scan" and be sure the following are checked:

  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Use advanced heuristics

When the scan completes, click the "I want to decide item by item" button.

For each item found, Select "Disinfect" and click "Next".

When done, click the "Show Report" button, then copy and paste the entire report into your next reply

Step 2

Delete any previous copy of aswMBR.exe

Download aswMBR.exe ( 4.8mb ) to your desktop.

Double-click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click save log, save it to your desktop and post in your next reply

Step 3

Re-enable Avira.

In addition to the F-Secure scan report & the aswMBR log, I need to know if the web-search redirect problem is still an issue.


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-05-09 06:49:26

-----------------------------

06:49:26.677 OS Version: Windows 6.0.6001 Service Pack 1

06:49:26.677 Number of processors: 2 586 0x170A

06:49:26.678 ComputerName: CARL-NOTEBOOK UserName: Carl

06:49:27.963 Initialize success

06:49:38.750 AVAST engine defs: 12050900

06:49:50.069 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

06:49:50.072 Disk 0 Vendor: TOSHIBA_ FG01 Size: 152627MB BusType: 3

06:49:50.100 Disk 0 MBR read successfully

06:49:50.103 Disk 0 MBR scan

06:49:50.121 Disk 0 Windows VISTA default MBR code

06:49:50.132 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048

06:49:50.159 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 141597 MB offset 3074048

06:49:50.263 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 9529 MB offset 293064704

06:49:50.307 Disk 0 scanning sectors +312580096

06:49:50.421 Disk 0 scanning C:\Windows\system32\drivers

06:50:15.809 Service scanning

06:51:00.475 Modules scanning

06:51:12.057 Disk 0 trace - called modules:

06:51:12.143 ntkrnlpa.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll acpi.sys rassstp.sys dxgkrnl.sys igdkmd32.sys watchdog.sys tcpip.sys NETIO.SYS intelppm.sys ndis.sys NETw5v32.sys usbhub.sys RTKVHDA.sys HDAudBus.sys USBPORT.SYS usbuhci.sys iaStor.sys

06:51:12.151 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x866dd820]

06:51:12.158 3 CLASSPNP.SYS[8a713745] -> nt!IofCallDriver -> \Device\THPDRV1[0x865da8e8]

06:51:12.165 5 thpdrv.sys[8a9a2961] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x854c4028]

06:51:13.446 AVAST engine scan C:\Windows

06:51:15.846 AVAST engine scan C:\Windows\system32

06:55:13.447 AVAST engine scan C:\Windows\system32\drivers

06:55:29.360 AVAST engine scan C:\Users\Carl

06:56:01.933 Disk 0 MBR has been saved successfully to "C:\Users\Carl\Desktop\MBR.dat"

06:56:01.941 The log file has been saved successfully to "C:\Users\Carl\Desktop\aswMBR.txt"

Thanks for your help. Please find below the latest logs from scanning. THANKS!

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

35 malware found

TrackingCookie.Questionmarket (spyware)

  • System (Disinfected)

TrackingCookie.Adinterax (spyware)

  • System (Disinfected)

TrackingCookie.Research-int (spyware)

  • System (Disinfected)

TrackingCookie.2o7 (spyware)

  • System (Disinfected)

TrackingCookie.Advertising (spyware)

  • System (Disinfected)

TrackingCookie.Atdmt (spyware)

  • System (Disinfected)

TrackingCookie.Adtech (spyware)

  • System (Disinfected)

TrackingCookie.Adform (spyware)

  • System (Disinfected)

TrackingCookie.Doubleclick (spyware)

  • System (Disinfected)

TrackingCookie.Revsci (spyware)

  • System (Disinfected)

TrackingCookie.WebTrendsLive (spyware)

  • System (Disinfected)

TrackingCookie.Zanox (spyware)

  • System (Disinfected)

TrackingCookie.Fastclick (spyware)

  • System (Disinfected)

TrackingCookie.Mookie (spyware)

  • System (Disinfected)

TrackingCookie.Adbrite (spyware)

  • System (Disinfected)

TrackingCookie.Xiti (spyware)

  • System (Disinfected)

TrackingCookie.Webtrends (spyware)

  • System (Disinfected)

TrackingCookie.Mediaplex (spyware)

  • System (Disinfected)

TrackingCookie.Liveperson (spyware)

  • System (Disinfected)

TrackingCookie.Tradedoubler (spyware)

  • System (Disinfected)

TrackingCookie.Statcounter (spyware)

  • System (Disinfected)

TrackingCookie.Atwola (spyware)

  • System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

  • System (Disinfected)

Gen:Variant.Kazy.66734 (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\46b18412.qua (Renamed)

Trojan.Generic.KDV.588090 (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\49e5ab03.qua (Renamed)

Gen:Variant.Barys.495 (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\422caa3e.qua (Renamed)

Trojan.Generic.KD.603819 (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\4a7b9662.qua (Renamed)

Trojan.Generic.KDV.601124 (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\3702bd98.qua (Renamed)

Trojan.Generic.KDV.601610 (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\4c5598fe.qua (Renamed)

Trojan.Generic.KDV.601124 (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\54c5b753.qua (Renamed)

Gen:Variant.FAkeAlert.105 (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5116e30c.qua (Renamed)

Java.Exploit.CVE-2011-3544.E (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\657ef65a.qua (Renamed)

Gen:Variant.Kazy.65097 (virus)

  • C:\ProgramData\Avira\AntiVir Desktop\INFECTED\5b4191ab.qua (Renamed)

Trojan.Tracur.I (virus)

  • C:\$RECYCLE(0).BIN\S-1-5-21-2291974740-4036391792-2128109495-1000\$R25FJS1.zip\Qoobox\Quarantine\C\Users\Carl\AppData\Local\Google\Adobe\ihkpbqo.dll.vir (Not cleaned)

Trojan.Tracur.I (virus)

  • C:\$RECYCLE(0).BIN\S-1-5-21-2291974740-4036391792-2128109495-1000\$R25FJS1.zip (Renamed)

Statistics

Scanned:

  • Files: 493680
  • System: 4288
  • Not scanned: 96

Actions:

  • Disinfected: 23
  • Renamed: 11
  • Deleted: 0
  • Not cleaned: 1
  • Submitted: 0

Files not scanned:

  • C:\HIBERFIL.SYS
  • C:\PAGEFILE.SYS
  • C:\WINDOWS\SYSTEM32\7B296FB0-376B-497E-B012-9C450E1B7327-2P-0.C7483456-A289-439D-8115-601632D005A0
  • C:\WINDOWS\SYSTEM32\7B296FB0-376B-497E-B012-9C450E1B7327-2P-1.C7483456-A289-439D-8115-601632D005A0
  • C:\WINDOWS\TEMP\TMP00000070FB7886F2D367C1DA
  • C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTEVENTLOG-SYSTEM.ETL
  • C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTDIAGLOG.ETL
  • C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTEVENTLOG-SECURITY.ETL
  • C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTMSMPPSSESSION.ETL
  • C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTMUROC SYSTEM TRACE.ETL
  • C:\WINDOWS\SYSTEM32\LOGFILES\WMI\RTBACKUP\ETWRTEVENTLOG-APPLICATION.ETL
  • C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
  • C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS.LOG1
  • C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS.LOG2
  • C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
  • C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG1
  • C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG2
  • C:\WINDOWS\SYSTEM32\CONFIG\SAM
  • C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG1
  • C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG2
  • C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
  • C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG1
  • C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG2
  • C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
  • C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG1
  • C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG2
  • C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
  • C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG1
  • C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG2
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
  • C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
  • C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
  • C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
  • C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\NTUSER.DAT
  • C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\NTUSER.DAT.LOG1
  • C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\NTUSER.DAT.LOG2
  • C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\MPCMDRUN-83-421CFC91-A93E-42AB-A35C-F06F127FCC44.LOCK
  • C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\NTUSER.DAT
  • C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\NTUSER.DAT.LOG1
  • C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\NTUSER.DAT.LOG2
  • C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\LASTALIVE0.DAT
  • C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\LASTALIVE1.DAT
  • C:\USERS\CARL\NTUSER.DAT
  • C:\USERS\CARL\NTUSER.DAT.LOG1
  • C:\USERS\CARL\NTUSER.DAT.LOG2
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FML1A86.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FML2F10.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FML3357.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FML4287.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FML4EC9.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FML511E.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FML7EE0.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FML79B1.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FMLE72E.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\FMLF44E.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\JETE54F.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\~DF222E.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\~DF4ACF.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\~DF6723.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\~DF6A8C.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\~DF78A1.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\~DF7FF1.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\~DF96DF.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\~DF9D9F.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\~DFBC9F.TMP
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\LOW\HSPERFDATA_CARL\5908
  • C:\USERS\CARL\APPDATA\LOCAL\TEMP\HSPERFDATA_CARL\2684
  • C:\USERS\CARL\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{DC353565-814C-4D96-8706-F6665457521D}
  • C:\USERS\CARL\APPDATA\LOCAL\MICROSOFT\WINDOWS\USRCLASS.DAT
  • C:\USERS\CARL\APPDATA\LOCAL\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG1
  • C:\USERS\CARL\APPDATA\LOCAL\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG2
  • C:\USERS\CARL\APPDATA\LOCAL\MICROSOFT\INTERNET EXPLORER\RECOVERY\ACTIVE\{1F7FBBFB-997E-11E1-BA41-00A0C6000000}.DAT
  • C:\USERS\CARL\APPDATA\LOCAL\MICROSOFT\INTERNET EXPLORER\RECOVERY\ACTIVE\{663B735A-997D-11E1-BA41-00A0C6000000}.DAT
  • C:\USERS\CARL\APPDATA\LOCAL\MICROSOFT\INTERNET EXPLORER\RECOVERY\ACTIVE\RECOVERYSTORE.{4627048D-997D-11E1-BA41-00A0C6000000}.DAT
  • C:\SYSTEM VOLUME INFORMATION\{3808876B-C176-4E48-B7AE-04046E6CC752}
  • C:\SYSTEM VOLUME INFORMATION\{30EC79C2-9716-11E1-A6E7-00A0C6000000}{3808876B-C176-4E48-B7AE-04046E6CC752}
  • C:\SYSTEM VOLUME INFORMATION\{94DE5636-96B4-11E1-BC89-00A0C6000000}{3808876B-C176-4E48-B7AE-04046E6CC752}
  • C:\SYSTEM VOLUME INFORMATION\{AA69499B-9515-11E1-A4BC-00A0C6000000}{3808876B-C176-4E48-B7AE-04046E6CC752}
  • C:\SYSTEM VOLUME INFORMATION\{4251E915-97E3-11E1-A2D8-00A0C6000000}{3808876B-C176-4E48-B7AE-04046E6CC752}
  • C:\SYSTEM VOLUME INFORMATION\{AA6949CC-9515-11E1-A4BC-00A0C6000000}{3808876B-C176-4E48-B7AE-04046E6CC752}
  • C:\SYSTEM VOLUME INFORMATION\{AA6949EE-9515-11E1-A4BC-00A0C6000000}{3808876B-C176-4E48-B7AE-04046E6CC752}
  • C:\USERS\CARL\APPDATA\LOCAL\GOOGLE\ADOBE\XYQWY.DLL
  • C:\PROGRAMDATA\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\MSS.LOG
  • C:\PROGRAMDATA\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\MSSTMP.LOG
  • C:\PROGRAMDATA\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\TMP.EDB
  • C:\PROGRAMDATA\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\WINDOWS.EDB
  • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\9C4C8EE79C6A91A607D1DF6B84468CE2_5E3292AE-FC16-4937-9C67-F7234A036AF8
  • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\AB39F3AC96F5BA9C9939D4E199E0DBE3_5E3292AE-FC16-4937-9C67-F7234A036AF8
  • C:\PROGRAMDATA\AVIRA\ANTIVIR DESKTOP\TEMP\AVGUARD1.TMP
  • C:\BOOT\BCD
  • C:\BOOT\BCD.LOG

Options

Scanning engines:

Scanning options:

  • Scan all files
  • Scan inside archives
  • Use advanced heuristics

----


The F-Secure scan found & removed some tracking cookies, and then mostly stuff already in quarantine by Avira.

I'd like a different scan, and then you need to tell me "How the system is doing"

1st, delete temporary files:

Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • IF prompted to Reboot, reply "Yes".

Temporarily disable (turn off) your antivirus so that it does not interfere.

Download Dr.Web CureIt to the desktop.

  • Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow (drweb.jpg) at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Re-Enable your antivirus program.

Post copy of latest log from DrWeb

and tell me, how is the system now?

Edited by Maurice Naggar

Thanks for your continuous support. The situation, however, still seems to be challenging:

The Dr.Web scan ran successfully (5 hours), but identified 8 infected files on the computer. They were moved into quarantine. Difficulties came up when trying to save the log. When clicking save report, the computer crashed (blue screen) and forcefully restarted. I initiated a second scan and again the same difficulties occurred. The log, which I found in the Dr.Web folder, is extremely long (maybe too long to be posted here).

Shall we run another scan? Looking forward to your advice.

-----------------------------------------------------------------------------

Scan statistics

-----------------------------------------------------------------------------

Scanned: 272550

Infected: 8

Modifications: 0

Suspicious: 0

Adware: 0

Dialers: 0

Jokes: 0

Riskware: 0

Hacktools: 0

Cured: 0

Deleted: 0

Renamed: 0

Moved: 7

Ignored: 0

Scan speed: 71 Kb/s

Scan time: 10:32:35


Hello Effa,

Let's try a different approach.

Do as much as you can of the following

1. Get, save, then run the MS Safety Scanner

Go to the Microsoft Safety Scanner webpage http://go.microsoft.com/fwlink/?LinkId=215204

Download and SAVE to your Desktop or to a unique folder.

Next, turn off your antivirus program so that it does not interfere.

Then run it and have it remove what is detected. This is a mini-applet and is not intended as a substitute for antivirus or security app.

Let it remove what it can, and then proceed to the next step.

2. get & run the MS Windows Defender Offline tool, which you can put on a USB-flash drive (if your system can boot from USB) or put on CD/DVD

http://windows.micro...efender-offline

IF your system can boot from USB, it is best to put the tool on a USB flash/thumb drive and go that route.

The program will help you and can generate the bootable USB-drive.

IF system cannot boot from USB-device, put on CD.

NOTE: you may have to set your BIOS to boot from the appropriate drive (either USB or CD).

The usual function-key to press on the pc (when it is booting/starting up) is F12 function key

but check your manufacturer system manual, or observe your pc as it is restarting.

The startup will flash a quick display as to which key to press for Boot device selection


Thanks for your help!

The first scan has worked well, but still discovered one trojan file, moved to quarantine and deleted. I further re-booted with MS windows defender from DVD. It was a smooth start, what's next?

Looking forward to hearing from you.


Delete the previous copy of aswMBR.exe

Please only do as I list below (there's no need for a virus scan !)

Download aswMBR.exe ( 511KB ) to your desktop.

On Windows 7 or Vista, RIGHT click on aswMBR.exe and select Run As Administrator to start.

On Windows XP, double click the exe to start.

change the a-v scan to None.

uncheck trace disk IO calls

Click the "Scan" button to start scan

On completion of the scan (note whether the Fix button is enabled, not the FixMBR button, and tell me), click save log, save it to your desktop and post it in your next reply

and tell me, How is the system now ?


Hi Maurice Naggar,

Below is the aswMBR log. When I pressed run aswMBR, a box popped up, asking to download latest Avast! virus definitions, which I did not do as it wasn't in your previous post. Besides that, I could not see the option to change a-v scan to none, but I could uncheck trace disk IO calls.

The system seems to be rather on the slow side, but so far I did not notice anything abnormal (but then I only updated Avira, opened this forum and ran aswMBR).

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-05-23 09:36:37

-----------------------------

09:36:37.401 OS Version: Windows 6.0.6001 Service Pack 1

09:36:37.401 Number of processors: 2 586 0x170A

09:36:37.402 ComputerName: CARL-NOTEBOOK UserName: Carl

09:36:38.887 Initialize success

09:40:50.529 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

09:40:50.532 Disk 0 Vendor: TOSHIBA_ FG01 Size: 152627MB BusType: 3

09:40:50.588 Disk 0 MBR read successfully

09:40:50.591 Disk 0 MBR scan

09:40:50.595 Disk 0 Windows VISTA default MBR code

09:40:50.635 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048

09:40:50.651 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 141597 MB offset 3074048

09:40:50.688 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 9529 MB offset 293064704

09:40:50.695 Disk 0 scanning sectors +312580096

09:40:50.801 Disk 0 scanning C:\Windows\system32\drivers

09:41:01.171 Service scanning

09:41:32.701 Modules scanning

09:41:59.932 Scan finished successfully

09:42:23.017 Disk 0 MBR has been saved successfully to "C:\Users\Carl\Desktop\MBR.dat"

09:42:23.027 The log file has been saved successfully to "C:\Users\Carl\Desktop\aswMBR.txt"
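As an added example (not from the thread and not part of aswMBR itself), the Python script below parses the partition lines of the aswMBR log above and checks what a helper would eyeball: that the partitions are contiguous and non-overlapping, that exactly one is flagged bootable, and that the "scanning sectors +N" line, where aswMBR inspects the unallocated space after the last partition, starts exactly where the last partition ends. The log excerpt is embedded as constructed input copied from the post.

```python
import re

# Constructed input: the partition-related lines from the aswMBR log posted above.
ASWMBR_LOG = """\
09:40:50.532 Disk 0 Vendor: TOSHIBA_ FG01 Size: 152627MB BusType: 3
09:40:50.635 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
09:40:50.651 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 141597 MB offset 3074048
09:40:50.688 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 9529 MB offset 293064704
09:40:50.695 Disk 0 scanning sectors +312580096
"""

SECTORS_PER_MB = 2048  # aswMBR reports sizes in MiB; 1 MiB = 2048 sectors of 512 bytes

# number, boot flag (80 = active), optional "(A)", type id, ..., size MB, start offset
PART_RE = re.compile(r"Partition (\d+) (\w\w) (?:\(A\) )?(\w\w) .*? (\d+) MB offset (\d+)")
TAIL_RE = re.compile(r"scanning sectors \+(\d+)")


def parse_partitions(log):
    """Return one dict per partition line with start/end sectors (end exclusive)."""
    parts = []
    for m in PART_RE.finditer(log):
        num, boot, ptype, size_mb, offset = m.groups()
        start = int(offset)
        parts.append({"number": int(num), "bootable": boot == "80",
                      "type": int(ptype, 16), "start": start,
                      "end": start + int(size_mb) * SECTORS_PER_MB})
    return sorted(parts, key=lambda p: p["start"])


def check_layout(log):
    """Return a list of findings; an empty list means the layout is consistent."""
    parts = parse_partitions(log)
    findings = []
    for prev, cur in zip(parts, parts[1:]):
        if cur["start"] < prev["end"]:
            findings.append(f"partition {cur['number']} overlaps partition {prev['number']}")
        elif cur["start"] > prev["end"]:
            findings.append(f"{cur['start'] - prev['end']} unallocated sectors before partition {cur['number']}")
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one active (bootable) partition")
    tail = TAIL_RE.search(log)
    if tail and parts and int(tail.group(1)) != parts[-1]["end"]:
        findings.append(f"tail scan starts at {tail.group(1)}, last partition ends at {parts[-1]['end']}")
    return findings


if __name__ == "__main__":
    print(check_layout(ASWMBR_LOG) or "layout consistent")
```

Hidden partition types (0x17, 0x27) appear in the parsed `type` field and are expected here for the WinRE and vendor recovery partitions, so the script reports only inconsistencies, not hidden partitions as such.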

This topic is now closed to further replies.