Jump to content

Suspicious entries reappear after Ransom Trojan


Recommended Posts

About 4 days ago my laptop (Windows XP) was hijacked by a Ransom trojan. My laptop "locked up" with the welcoming and friendly screen "Your Computer is Locked Unless You Pay The $200 Fee" message which demanded I immediately take $200 cash to a local MoneyPak outlet.

I ran an Avast scan and then MalwareBytes scan and they both deleted the following:

MalwareBytes deleted "Trojan.Downloader" in Local Settings\Temp\install_0_msi.exe.

And Avast Scan detected Win32.Malware-gen.and quaranteed it in Virus Chest.

Both MalareBytes and Avast scans are now "clean" and the "Ransom Screen" has not returned...HOWEVER, the following suspicious items keep reappearing periodically:

The RogueKiller scan report (I scan only) revealed this:

¤¤¤ Bad processes: 1 ¤¤¤

[sUSP PATH] install_0_msi.exe -- C:\DOCUME~1\VINCE\LOCALS~1\Temp\install_0_msi.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤

[sUSP PATH] ctfmon.lnk @VINCE :

C:\WINDOWS\system32\rundll32.exe|C:\DOCUME~1\VINCE\LOCALS~1\Temp\install_0_msi.exe -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Most of these items no longer appear on the RogueKiller scan, however the two HJ items still remain (see below) and still persist in RogueKiller scans:

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Also, periodically the "Bad Process" below reappears in RogueKiller:

¤¤¤ Bad processes: 1 ¤¤¤

[HJ NAME] notepad.exe -- C:\WINDOWS\notepad.exe -> KILLED [TermProc]

I am concerned about these 2 entries RogueKiller detects in the Registry:

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Should I have RogueKiller delete the 2 above items in the Registry?

I have included the most recent logs from DDS,RogueKiller, and HiJackThis.

Thanks for any help you can offer.

dds.txt

attach.txt

RKreport6.txt

hijackthis-08-22-2012.log

Link to post
Share on other sites

hi

Update MalwareBytes AntiMalware and Run a Quick Scan.

Post the log it produces

THEN

Delete your previous RogueKiller version and all the logs please

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan

RGKRScan.png

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

RGKRDelete.png

  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
    RGKRShortcutsFix.png
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Link to post
Share on other sites

Thanks aliB,

Here are the scan report postings you requested:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.23.07

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

VINCE :: VINCENT [administrator]

8/23/2012 1:40:56 PM

mbam-log-2012-08-23 (13-40-56).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 202579

Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Next is the first RogueKiller Scan:

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: VINCE [Admin rights]

Mode: Scan -- Date: 08/23/2012 14:07:35

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHV2100BH PL +++++

--- User ---

[MBR] 56d1e1ccd511aa6b25601cd215fd9c4c

[bSP] e5a07fd5c10d4d4c3f08106a8a368872 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 95142 Mo

3 - [XXXXXX] UNKNOWN (0x88) [VISIBLE] Offset (sectors): 194852385 | Size: 251 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[6].txt >>

RKreport[5].txt ; RKreport[6].txt

And here below is the 2nd RogueKiller Report:

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: VINCE [Admin rights]

Mode: Remove -- Date: 08/23/2012 14:12:07

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHV2100BH PL +++++

--- User ---

[MBR] 56d1e1ccd511aa6b25601cd215fd9c4c

[bSP] e5a07fd5c10d4d4c3f08106a8a368872 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 95142 Mo

3 - [XXXXXX] UNKNOWN (0x88) [VISIBLE] Offset (sectors): 194852385 | Size: 251 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[7].txt >>

RKreport[5].txt ; RKreport[6].txt ; RKreport[7].txt

And last, here is the third RogueKiller report:

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: VINCE [Admin rights]

Mode: Shortcuts HJfix -- Date: 08/23/2012 14:15:10

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤

Desktop: Success 0 / Fail 0

Quick launch: Success 0 / Fail 0

Programs: Success 4 / Fail 0

Start menu: Success 0 / Fail 0

User folder: Success 56 / Fail 0

My documents: Success 542 / Fail 0

My favorites: Success 0 / Fail 0

My pictures: Success 0 / Fail 0

My music: Success 0 / Fail 0

My videos: Success 0 / Fail 0

Local drives: Success 768 / Fail 0

Backup: [NOT FOUND]

Drives:

[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored

[D:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[8].txt >>

RKreport[5].txt ; RKreport[6].txt ; RKreport[7].txt ; RKreport[8].txt

...end of scanned reports.

Link to post
Share on other sites

hi

hi

Step 1

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    OTL_Main_Tutorial.gif
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    qmgr.dll
    /md5stop
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

Step 2

please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

Link to post
Share on other sites

Okay aliB: Here are the scan reports for OTL, Extras, and Results (Listparts):

First is the OTL scan:

OTL logfile created on: 8/23/2012 3:39:49 PM - Run 2

OTL by OldTimer - Version 3.2.58.1 Folder = C:\Documents and Settings\VINCE\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.98 Mb Total Physical Memory | 723.51 Mb Available Physical Memory | 71.35% Memory free

2.39 Gb Paging File | 2.08 Gb Available in Paging File | 87.12% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 92.91 Gb Total Space | 45.91 Gb Free Space | 49.41% Space Free | Partition Type: NTFS

Computer Name: VINCENT | User Name: VINCE | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/23 14:55:48 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\VINCE\Desktop\OTL.exe

PRC - [2012/08/22 15:47:46 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe

PRC - [2012/08/21 02:12:26 | 004,282,728 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe

PRC - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe

PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2006/01/05 15:02:24 | 000,352,256 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe

PRC - [2005/12/20 12:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

PRC - [2005/12/16 01:21:00 | 000,151,552 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\Toshiba.exe

PRC - [2005/12/05 12:37:40 | 000,667,718 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

PRC - [2005/11/28 11:41:50 | 000,602,182 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

PRC - [2005/11/28 11:37:52 | 000,397,381 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

PRC - [2005/11/02 17:41:04 | 000,978,944 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

PRC - [2005/10/06 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE

PRC - [2005/08/16 12:23:12 | 000,188,416 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

PRC - [2005/07/12 18:14:42 | 000,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

PRC - [2005/05/31 22:00:12 | 000,282,624 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe

PRC - [2005/05/31 21:59:58 | 000,045,056 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe

PRC - [2005/04/26 17:13:20 | 000,122,880 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

PRC - [2005/03/17 18:37:26 | 000,151,552 | ---- | M] (TOSHIBA Corporation) -- C:\TOSHIBA\IVP\ISM\pinger.exe

PRC - [2005/03/11 16:03:16 | 000,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TDispVol.exe

PRC - [2005/01/17 17:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

PRC - [2004/12/30 01:32:20 | 000,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe

PRC - [2004/08/28 01:37:00 | 000,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\RAMASST.exe

PRC - [2004/08/28 01:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe

========== Modules (No Company Name) ==========

MOD - [2012/08/23 02:12:48 | 001,803,264 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12082300\algo.dll

MOD - [2011/11/03 08:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll

MOD - [2011/02/04 17:48:30 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll

MOD - [2008/04/13 17:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll

MOD - [2008/04/13 17:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll

MOD - [2007/03/01 23:54:32 | 000,657,920 | ---- | M] () -- C:\Program Files\File Shredder\fsshell.dll

MOD - [2006/01/04 19:14:36 | 000,049,152 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TouchPad_ONOFF.dll

MOD - [2005/11/28 11:59:16 | 000,876,544 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\Libeay32.dll

MOD - [2005/11/28 11:59:16 | 000,208,965 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\iWMSProv.dll

MOD - [2005/11/28 11:59:16 | 000,053,322 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\IntStngs.dll

MOD - [2005/11/23 15:55:38 | 000,118,784 | ---- | M] () -- C:\WINDOWS\system32\TCtrlIO.dll

MOD - [2005/11/03 11:37:58 | 000,970,862 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\acAuth.dll

MOD - [2005/07/12 18:14:42 | 000,040,960 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

MOD - [2004/07/20 18:04:02 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\TosBtHcrpAPI.dll

MOD - [2002/03/03 05:40:00 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\TDispVol.dll

========== Win32 Services (SafeList) ==========

SRV - [2012/08/22 15:47:46 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)

SRV - [2012/08/15 08:34:47 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2005/12/20 12:22:14 | 000,035,328 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)

SRV - [2005/07/12 18:14:42 | 000,040,960 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)

SRV - [2005/01/17 17:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)

SRV - [2004/08/28 01:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)

DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\VINCE\LOCALS~1\Temp\mbr.sys -- (mbr)

DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)

DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)

DRV - File not found [Kernel | System | Stopped] -- -- (Changer)

DRV - [2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)

DRV - [2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)

DRV - [2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)

DRV - [2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)

DRV - [2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)

DRV - [2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)

DRV - [2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)

DRV - [2006/02/16 02:56:07 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)

DRV - [2005/12/09 17:48:40 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService)

DRV - [2005/12/04 10:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51)

DRV - [2005/11/30 12:01:02 | 000,043,392 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tvs.sys -- (Tvs)

DRV - [2005/11/30 11:12:00 | 000,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)

DRV - [2005/11/28 12:09:26 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)

DRV - [2005/11/15 10:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)

DRV - [2005/10/20 15:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)

DRV - [2005/10/06 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2005/10/06 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2005/10/06 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2005/10/06 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2005/10/06 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2005/10/06 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2005/10/06 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)

DRV - [2005/09/09 15:47:10 | 000,009,344 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfec.sys -- (tosrfec)

DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)

DRV - [2005/08/24 16:20:28 | 000,009,472 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tbiosdrv.sys -- (tbiosdrv)

DRV - [2005/06/02 04:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)

DRV - [2005/01/12 01:05:46 | 000,204,160 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\KR10N.sys -- (KR10N)

DRV - [2003/09/19 02:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)

DRV - [2003/01/29 15:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)

DRV - [2003/01/10 13:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-21-2572287090-2478138611-3373103267-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

IE - HKU\S-1-5-21-2572287090-2478138611-3373103267-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-2572287090-2478138611-3373103267-1005\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-21-2572287090-2478138611-3373103267-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC

IE - HKU\S-1-5-21-2572287090-2478138611-3373103267-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.6.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

========== Chrome ==========

CHR - homepage: http://www.google.com/

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms},

CHR - homepage: http://www.google.com/

CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.83\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.83\pdf.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.83\gcswf32.dll

CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll

CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll

CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll

CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll

CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

CHR - Extension: YouTube = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\

CHR - Extension: Adblock Plus (Beta) = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.2_0\

CHR - Extension: Google Search = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\

CHR - Extension: avast! WebRep = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1466_0\

CHR - Extension: Gmail = C:\Documents and Settings\VINCE\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2004/08/10 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Advertising Cookie Opt-out) - {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - C:\Program Files\Google\Advertising Cookie Opt-out\opt_out.dll (Google Inc)

O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)

O3 - HKU\S-1-5-21-2572287090-2478138611-3373103267-1005\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)

O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)

O4 - HKLM..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)

O4 - HKLM..\Run: [intelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)

O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found

O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)

O4 - HKLM..\Run: [TDispVol] C:\WINDOWS\System32\TDispVol.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [TFncKy] TFncKy.exe File not found

O4 - HKLM..\Run: [THotkey] C:\Program Files\TOSHIBA\TOSHIBA Applet\THotkey.exe (TOSHIBA)

O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)

O4 - HKU\S-1-5-21-2572287090-2478138611-3373103267-1005..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2572287090-2478138611-3373103267-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2572287090-2478138611-3373103267-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 1

O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 File not found

O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Reg Error: Key error. File not found

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1314077309546 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1329914008343 (MUWebControl Class)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F8F58A14-40B9-45D5-BF88-CCDB59F4AC52}: DhcpNameServer = 68.105.28.12 68.105.29.12

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O24 - Desktop Components:2 (My Current Home Page) - About:Home

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/02/15 08:38:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found

NetSvcs: Ias - File not found

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/08/23 14:57:08 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\VINCE\Desktop\OTL.exe

[2012/08/23 13:45:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\Desktop\New HiJack Logs etc

[2012/08/22 18:18:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\Desktop\Previous Older HiJack Logs

[2012/08/22 17:54:51 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\VINCE\Desktop\dds.com

[2012/08/22 17:29:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\Desktop\More Previous Older RK Logs

[2012/08/22 16:00:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\Desktop\backups

[2012/08/22 15:48:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2012/08/22 15:48:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2012/08/22 15:47:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee

[2012/08/22 04:10:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2012/08/20 14:48:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\Desktop\RK_Quarantine

[2012/08/20 14:19:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\Desktop\Movies n Entertainment

[2012/08/20 14:07:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\Application Data\Malwarebytes

[2012/08/20 14:06:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2012/08/20 14:06:55 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/08/20 14:06:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2012/08/18 18:00:46 | 000,000,000 | ---D | C] -- C:\Program Files\HiJack This

[2012/08/18 17:56:48 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\VINCE\Desktop\HijackThis.exe

[2012/08/18 15:05:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\VINCE\Recent

[2012/08/17 14:47:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\My Documents\PC Virus Chest etc

[2012/08/01 15:45:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\Desktop\Science n Astronomy

[2012/07/29 12:27:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\VINCE\Desktop\Ice Cream

[2 C:\Documents and Settings\VINCE\Desktop\*.tmp files -> C:\Documents and Settings\VINCE\Desktop\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\Documents and Settings\VINCE\*.tmp files -> C:\Documents and Settings\VINCE\*.tmp -> ]

[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/08/23 15:34:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2012/08/23 15:21:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2572287090-2478138611-3373103267-1005UA.job

[2012/08/23 15:15:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2012/08/23 14:55:48 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\VINCE\Desktop\OTL.exe

[2012/08/23 14:09:47 | 000,000,142 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\Malwarebytes FORUM.url

[2012/08/23 14:01:38 | 001,558,528 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\RogueKiller .exe

[2012/08/22 18:48:05 | 000,000,141 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\Malware and HiJack Forum for pumpernickel.url

[2012/08/22 17:53:31 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\VINCE\Desktop\dds.com

[2012/08/22 16:12:00 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job

[2012/08/22 15:36:51 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2012/08/22 15:36:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/08/22 15:36:32 | 1063,309,312 | -HS- | M] () -- C:\hiberfil.sys

[2012/08/22 05:59:27 | 000,002,269 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\Cookienator.lnk

[2012/08/22 05:33:57 | 000,000,137 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\MalwareBytes pumpernickel login.url

[2012/08/22 05:21:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2572287090-2478138611-3373103267-1005Core.job

[2012/08/22 04:24:55 | 000,002,295 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\Google Chrome.lnk

[2012/08/22 04:24:55 | 000,002,273 | ---- | M] () -- C:\Documents and Settings\VINCE\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2012/08/22 04:12:51 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT

[2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys

[2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys

[2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys

[2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys

[2012/08/21 02:13:14 | 000,089,624 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys

[2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys

[2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys

[2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys

[2012/08/21 02:12:33 | 000,041,224 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr

[2012/08/21 02:12:23 | 000,227,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe

[2012/08/20 14:06:58 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/08/19 02:28:12 | 000,000,209 | RHS- | M] () -- C:\boot.ini

[2012/08/18 17:28:38 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\VINCE\Desktop\HijackThis.exe

[2012/08/18 16:49:56 | 083,023,306 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ism_0_llatsni.pad

[2012/08/18 04:40:01 | 000,000,166 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\Accu WEATHER.url

[2012/08/17 16:45:56 | 000,002,231 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\SlimCleaner.lnk

[2012/08/16 17:00:31 | 000,000,183 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\Economic DEATH Spiral.url

[2012/08/07 03:57:45 | 000,004,711 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\Medicare Cost of rehab for seniors - Aug. 7, 2012.url

[2012/08/07 03:55:03 | 000,004,733 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\Medicare Avoid big rehab bills - Aug. 7, 2012.url

[2012/08/02 14:28:19 | 000,001,529 | ---- | M] () -- C:\Documents and Settings\VINCE\Desktop\Mission Viejo Weather Forecast and Conditions - weather.com.url

[2012/08/02 09:14:13 | 000,000,941 | ---- | M] () -- C:\Documents and Settings\VINCE\Start Menu\Programs\Startup\wkcalrem.LNK

[2012/07/28 03:32:22 | 000,054,156 | ---- | M] () -- C:\WINDOWS\QTFont.qfn

[2012/07/28 03:32:22 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for

[2 C:\Documents and Settings\VINCE\Desktop\*.tmp files -> C:\Documents and Settings\VINCE\Desktop\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\Documents and Settings\VINCE\*.tmp files -> C:\Documents and Settings\VINCE\*.tmp -> ]

[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/08/23 14:09:27 | 000,000,142 | ---- | C] () -- C:\Documents and Settings\VINCE\Desktop\Malwarebytes FORUM.url

[2012/08/23 14:02:18 | 001,558,528 | ---- | C] () -- C:\Documents and Settings\VINCE\Desktop\RogueKiller .exe

[2012/08/22 18:47:31 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\VINCE\Desktop\Malware and HiJack Forum for pumpernickel.url

[2012/08/22 05:33:18 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\VINCE\Desktop\MalwareBytes pumpernickel login.url

[2012/08/20 14:06:58 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

[2012/08/18 18:06:23 | 1063,309,312 | -HS- | C] () -- C:\hiberfil.sys

[2012/08/18 04:39:43 | 000,000,166 | ---- | C] () -- C:\Documents and Settings\VINCE\Desktop\Accu WEATHER.url

[2012/08/17 14:12:32 | 083,023,306 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ism_0_llatsni.pad

[2012/08/16 16:59:58 | 000,000,183 | ---- | C] () -- C:\Documents and Settings\VINCE\Desktop\Economic DEATH Spiral.url

[2012/08/07 03:57:45 | 000,004,711 | ---- | C] () -- C:\Documents and Settings\VINCE\Desktop\Medicare Cost of rehab for seniors - Aug. 7, 2012.url

[2012/08/07 03:55:03 | 000,004,733 | ---- | C] () -- C:\Documents and Settings\VINCE\Desktop\Medicare Avoid big rehab bills - Aug. 7, 2012.url

[2012/08/02 14:28:19 | 000,001,529 | ---- | C] () -- C:\Documents and Settings\VINCE\Desktop\Mission Viejo Weather Forecast and Conditions - weather.com.url

[2012/08/02 09:14:13 | 000,000,941 | ---- | C] () -- C:\Documents and Settings\VINCE\Start Menu\Programs\Startup\wkcalrem.LNK

[2012/07/28 03:32:22 | 000,054,156 | ---- | C] () -- C:\WINDOWS\QTFont.qfn

[2012/07/28 03:32:22 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

[2012/02/22 05:55:09 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2011/09/24 04:09:35 | 000,000,616 | R-S- | C] () -- C:\Documents and Settings\VINCE\ntuser.pol

[2011/08/26 03:32:37 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\VINCE\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/08/24 01:36:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\VINCE\Application Data\wklnhst.dat

[2011/08/23 03:11:32 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\VINCE\Local Settings\Application Data\FASTWiz.html

[2011/08/23 02:13:08 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini

[2011/08/21 19:05:41 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\VINCE\Local Settings\Application Data\fusioncache.dat

[2011/08/21 18:41:35 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2011/08/21 18:40:51 | 000,004,528 | R--- | C] () -- C:\WINDOWS\System32\SETBROWS.EXE

========== LOP Check ==========

[2006/02/16 02:18:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\toshiba

[2011/08/23 01:13:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software

[2006/02/16 02:55:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2006/02/16 02:18:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\toshiba

[2011/08/23 01:48:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\VINCE\Application Data\IObit

[2012/05/29 13:56:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\VINCE\Application Data\Template

[2006/02/16 02:18:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\VINCE\Application Data\toshiba

[2011/10/20 18:08:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\VINCE\Application Data\TrueCrypt

[2012/08/22 16:12:00 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\avast! Emergency Update.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >

[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe

[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

[2004/08/10 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: QMGR.DLL >

[2004/08/10 05:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll

[2008/04/13 17:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ServicePackFiles\i386\qmgr.dll

[2008/04/13 17:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\bits\qmgr.dll

[2008/04/13 17:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\qmgr.dll

< MD5 for: SERVICES >

[2004/08/10 05:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES._ >

[2004/08/10 05:00:00 | 000,001,989 | ---- | M] () MD5=29BB3BBBE3D49156A42BFB3DD000F554 -- C:\WINDOWS\I386\SERVICES._

< MD5 for: SERVICES.EX_ >

[2004/08/10 05:00:00 | 000,049,955 | ---- | M] () MD5=85A738BA493104ED103B26CADEB8B543 -- C:\WINDOWS\I386\SERVICES.EX_

< MD5 for: SERVICES.EXE >

[2009/02/06 04:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe

[2008/04/13 17:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe

[2008/04/13 17:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe

[2009/02/06 04:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe

[2009/02/06 04:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe

[2004/08/10 05:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SERVICES.EXE-2F433351.PF >

[2012/08/18 19:56:39 | 000,016,912 | ---- | M] () MD5=F7195B632A30387045C208ABBDA2F1D7 -- C:\WINDOWS\Prefetch\SERVICES.EXE-2F433351.pf

< MD5 for: SERVICES.LNK >

[2011/11/14 20:15:03 | 000,001,613 | ---- | M] () MD5=0CD82C09219DA80815468A05557511B2 -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MS_ >

[2004/08/10 05:00:00 | 000,003,649 | ---- | M] () MD5=64E9F61D2ED093C361862DE36433B5E1 -- C:\WINDOWS\I386\SERVICES.MS_

< MD5 for: SERVICES.MSC >

[2004/08/10 05:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: SVCHOST.EXE >

[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe

[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

[2012/07/03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

[2004/08/10 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >

[2004/08/10 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe

[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe

[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >

[2004/08/10 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

[2012/07/03 13:46:42 | 000,217,672 | ---- | M] () MD5=8A7F34F0BBD076EC3815680A7309114F -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe

[2008/04/13 17:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe

[2008/04/13 17:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s >

"Type" = 32

"Start" = 3

"ErrorControl" = 1

"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs -- [2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation)

"DisplayName" = Background Intelligent Transfer Service

"DependOnService" = Rpcss [binary data] -- [2009/02/09 05:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation)

"DependOnGroup" = [binary data]

"ObjectName" = LocalSystem

"Description" = Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.

"FailureActions" = 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 68 E3 0C 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 01 00 00 00 60 EA 00 00 [binary data]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]

"ServiceDll" = C:\WINDOWS\system32\qmgr.dll -- [2008/04/13 17:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]

"Security" = [binary data over 100 bytes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Enum]

"0" = Root\LEGACY_BITS\0000

"Count" = 1

"NextInstance" = 1

< End of report >

And here is the scan for "Extras":

OTL Extras logfile created on: 8/23/2012 3:01:09 PM - Run 1

OTL by OldTimer - Version 3.2.58.1 Folder = C:\Documents and Settings\VINCE\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.98 Mb Total Physical Memory | 758.14 Mb Available Physical Memory | 74.77% Memory free

2.39 Gb Paging File | 2.10 Gb Available in Paging File | 88.12% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 92.91 Gb Total Space | 45.91 Gb Free Space | 49.41% Space Free | Partition Type: NTFS

Computer Name: VINCENT | User Name: VINCE | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)

Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)

Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine -- (TOSHIBA Corporation)

"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\IVP\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)

"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Disabled:AOL

"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Disabled:AOL

"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Disabled:AOL

"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Disabled:AOL

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL

"C:\Program Files\Common Files\AOL\1140083713\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1140083713\EE\AOLServiceHost.exe:*:Disabled:AOL

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL

"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Application Loader -- (America Online, Inc.)

"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Disabled:AOLTopSpeed

"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Disabled:AOLTsMon

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0

"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA

"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe

"{26A24AE4-039D-4CA4-87B4-2F83217006FF}" = Java 7 Update 6

"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA

"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0

"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades

"{4415B0E6-B266-49C3-B501-FFEF76C3D71B}" = Google Advertising Cookie Opt-out

"{4497AFF6-98C4-4F49-B073-F48F42BCBF9E}" = TIPCI

"{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}" = TOSHIBA SD Memory Card Format

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility

"{64DD71BC-3109-4C88-9AD3-D5422644B722}" = TOSHIBA Hotkey Utility

"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8

"{69BE47C2-36FE-4397-8199-85D8EAE69982}" = TOSHIBA TouchPad ON/Off Utility

"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works

"{6E2847AC-0F73-4FE5-AF7C-501AD20F1DDE}" = SlimCleaner

"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0

"{78C68CB9-3DF5-44F3-AB9D-FA305C5EB85C}" = TOSHIBA Utilities

"{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}" = Microsoft Works Suite Add-in for Microsoft Word

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver

"{8B12BA86-ADAC-4BA6-B441-FFC591087252}" = TOSHIBA Virtual Sound

"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr

"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp

"{901B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002

"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz

"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA

"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig

"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!

"{97D8751D-18A4-482B-9E9C-31DAD9BEC1EC}" = MyConnect Special Offer

"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML

"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver

"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0

"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree

"{BE3F89C0-42D5-11D5-A40A-00105AC8331A}" = Metamail (Toshiba Registration Utility)

"{BF307EDA-A176-4D83-9775-D337810CF7A7}" = Cookienator

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C45F4811-31D5-4786-801D-F79CD06EDD85}" = SD Secure Module

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba

"{D64DCF1C-7A95-49A4-BAFA-C42B5CF6B8B6}" = Works Suite OS Pack

"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore

"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications

"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi

"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe

"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic

"7-Zip" = 7-Zip 9.22beta

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Photoshop 7.0" = Adobe Photoshop 7.0

"avast" = avast! Free Antivirus

"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto

"CCleaner" = CCleaner

"Duplicate Cleaner" = Duplicate Cleaner 2.1

"File Shredder_is1" = File Shredder 2.0

"ie8" = Windows Internet Explorer 8

"InstallShield_{4497AFF6-98C4-4F49-B073-F48F42BCBF9E}" = Texas Instruments PCIxx21/x515/xx12 drivers.

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool

"Power Saver" = TOSHIBA Power Saver

"ProInst" = Intel® PROSet/Wireless Software

"PROSet" = Intel® PRO Network Connections Drivers

"QuickTime" = QuickTime

"RealPlayer 6.0" = RealPlayer Basic

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"TOSHIBA Game Console" = TOSHIBA Game Console

"TOSHIBA Software Modem" = TOSHIBA Software Modem

"TrueCrypt" = TrueCrypt

"ViewpointMediaPlayer" = Viewpoint Media Player

"WildTangent CDA" = WildTangent Web Driver

"Winamp" = Winamp

"Windows Media Format Runtime" = Windows Media Format Runtime

"Windows XP Service Pack" = Windows XP Service Pack 3

"Works2003Setup" = Microsoft Works 2003 Setup Launcher

"WT004722" = Bejeweled 2 Deluxe

"WT004723" = Blasterball 2 Revolution

"WT004725" = SCRABBLE

"WT006066" = FATE

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

"Winamp Detect" = Winamp Detector Plug-in

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 7/11/2012 12:09:43 AM | Computer Name = VINCENT | Source = Application Hang | ID = 1002

Description = Hanging application AcroRd32.exe, version 7.0.0.0, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 7/11/2012 12:09:44 AM | Computer Name = VINCENT | Source = Application Hang | ID = 1002

Description = Hanging application AcroRd32.exe, version 7.0.0.0, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 7/11/2012 12:09:45 AM | Computer Name = VINCENT | Source = Application Hang | ID = 1002

Description = Hanging application AcroRd32.exe, version 7.0.0.0, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 7/11/2012 12:10:21 AM | Computer Name = VINCENT | Source = Application Hang | ID = 1002

Description = Hanging application WINWORD.EXE, version 10.0.6612.0, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/11/2012 12:10:21 AM | Computer Name = VINCENT | Source = Application Hang | ID = 1002

Description = Hanging application WINWORD.EXE, version 10.0.6612.0, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/13/2012 8:16:12 AM | Computer Name = VINCENT | Source = Application Error | ID = 1000

Description = Faulting application chrome.exe, version 20.0.1132.57, faulting module

wininet.dll, version 8.0.6001.19222, fault address 0x0000eccb.

Error - 7/15/2012 8:45:58 PM | Computer Name = VINCENT | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting

module igfxpph.dll, version 3.0.0.4436, fault address 0x00007ee8.

Error - 7/15/2012 8:46:42 PM | Computer Name = VINCENT | Source = Application Error | ID = 1000

Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module

dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 7/18/2012 11:23:48 PM | Computer Name = VINCENT | Source = Application Hang | ID = 1002

Description = Hanging application WINWORD.EXE, version 10.0.6612.0, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2012 11:23:49 PM | Computer Name = VINCENT | Source = Application Hang | ID = 1002

Description = Hanging application WINWORD.EXE, version 10.0.6612.0, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]

Error - 8/20/2012 6:06:38 PM | Computer Name = VINCENT | Source = W32Time | ID = 39452701

Description = The time provider NtpClient is configured to acquire time from one

or more time sources, however none of the sources are currently accessible. No attempt

to contact a source will be made for 14 minutes. NtpClient has no source of accurate

time.

Error - 8/20/2012 6:07:51 PM | Computer Name = VINCENT | Source = Dhcp | ID = 1002

Description = The IP address lease 192.168.1.128 for the Network Card with network

address 0013023E5168 has been denied by the DHCP server 192.168.1.1 (The DHCP Server

sent a DHCPNACK message).

Error - 8/22/2012 7:09:56 AM | Computer Name = VINCENT | Source = Dhcp | ID = 1000

Description = Your computer has lost the lease to its IP address 192.168.1.100 on

the Network Card with network address 0013023E5168.

Error - 8/22/2012 7:10:05 AM | Computer Name = VINCENT | Source = W32Time | ID = 39452689

Description = Time Provider NtpClient: An error occurred during DNS lookup of the

manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup

again in 15 minutes. The error was: A socket operation was attempted to an unreachable

host. (0x80072751)

Error - 8/22/2012 7:10:05 AM | Computer Name = VINCENT | Source = W32Time | ID = 39452701

Description = The time provider NtpClient is configured to acquire time from one

or more time sources, however none of the sources are currently accessible. No attempt

to contact a source will be made for 15 minutes. NtpClient has no source of accurate

time.

Error - 8/22/2012 7:10:05 AM | Computer Name = VINCENT | Source = W32Time | ID = 39452689

Description = Time Provider NtpClient: An error occurred during DNS lookup of the

manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup

again in 15 minutes. The error was: A socket operation was attempted to an unreachable

host. (0x80072751)

Error - 8/22/2012 7:10:05 AM | Computer Name = VINCENT | Source = W32Time | ID = 39452701

Description = The time provider NtpClient is configured to acquire time from one

or more time sources, however none of the sources are currently accessible. No attempt

to contact a source will be made for 15 minutes. NtpClient has no source of accurate

time.

Error - 8/22/2012 8:36:09 AM | Computer Name = VINCENT | Source = Dhcp | ID = 1002

Description = The IP address lease 192.168.1.100 for the Network Card with network

address 0013023E5168 has been denied by the DHCP server 192.168.1.1 (The DHCP Server

sent a DHCPNACK message).

Error - 8/22/2012 8:36:14 AM | Computer Name = VINCENT | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

KR10N

Error - 8/22/2012 6:36:38 PM | Computer Name = VINCENT | Source = Dhcp | ID = 1002

Description = The IP address lease 192.168.1.100 for the Network Card with network

address 0013023E5168 has been denied by the DHCP server 192.168.1.1 (The DHCP Server

sent a DHCPNACK message).

< End of report >

And here is the scan for "Results" (Listparts)

ListParts by Farbar Version: 10-08-2012

Ran by VINCE (administrator) on 23-08-2012 at 15:55:28

Windows XP (X86)

Running From: C:\Documents and Settings\VINCE\Desktop

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 32%

Total physical RAM: 1013.98 MB

Available physical RAM: 680.73 MB

Total Pagefile: 2442.85 MB

Available Pagefile: 2139.68 MB

Total Virtual: 2047.88 MB

Available Virtual: 2000.94 MB

======================= Partitions =========================

1 Drive c: (SQ004033P03) (Fixed) (Total:92.91 GB) (Free:45.88 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 93 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 93 GB 32 KB

Partition 2 Unknown 251 MB 93 GB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C SQ004033P03 NTFS Partition 93 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0

Partition 2

Type : 88

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******

End of postings of Scan logs ....

Link to post
Share on other sites

hi

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application
    TDSSFront.JPG
  • Then click on Change parameters.
    TDSSConfig.JPG
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    TDSSFound.JPG
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
    TDSSEnd.JPG
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Link to post
Share on other sites

Hi aliB:

I finished the TDSSKiller scans. Although 31 suspicious objects were detected, none of them were malicious (therefore, no options such as "Cure" appeared). Also, therefore nothing needed to be "neutralized" or "quarantined."

Although I am able to see the report, an actual text copy (text document) is not generated. I attempted to select all of the text in the report and "copy" it but it does not copy.

My impression is that since no malicious objects were found, my machine is now secure.

Link to post
Share on other sites

hi

Step 1

attempt to run TDSSKiller again and see if you can manage to get a log this time, make sure to read my instructions on TDSSKiller from my previous post

Step 2

ESET Online Scanner

  1. Click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png
Link to post
Share on other sites

aliB,

Regarding the ESET Scan. Before I do the initial scan you instructed me to check the box "Scan Archive". However, directly above that box there is another box marked "Remove Found Threats".

That box is already pre-checked. Should I uncheck that "Remove Found Threats" box or should I leave it checked as it is.

thanks

Link to post
Share on other sites

Hi aliB:

I am not able to run the ESET scanner. I cannot get past Step 2 of 4. I have tried numerous times and when it begins the Initialization Process of Downloading the Database, it runs for about 20 minutes and I see that about 75% has been downloaded. Then it jumps to 100% but I get an error message that says: "Unexpected Error 2002". At this point I cannot proceed to the screen. I only get an arrow pointing me backward to the previous screen.

I repeated the process and received the same result: "Unexpected Error 2002".

Then I completely Uninstalled the ESET program and deleted any remaining icons of this so that nothing remained. Then I went back to the website and Downloaded the ESET program all over again.

Once again, I started the scan (making sure both boxes were checked: "Remove all Threats" and "Scan Archives"). Once again it began the Initialization process of downloading the signature database, and after 20 minutes I received the same error message: "Unexpected Error 2002". I repeated the process again and got the same result.

Link to post
Share on other sites

aliB:

Regarding my previous post (post #11 re: unable to run ESET scanner). I forgot to mention that I also disabled my Avast antivirus shields during the last 2 attempts at running the ESET scanner. I received the same result: "Unexpected Error 2002."

Please see previous post (post #11) re: unable to run ESET scanner.

Link to post
Share on other sites

Here are the results of the Listparts scan:

ListParts by Farbar Version: 10-08-2012

Ran by VINCE (administrator) on 25-08-2012 at 11:45:05

Windows XP (X86)

Running From: C:\Documents and Settings\VINCE\Desktop

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 26%

Total physical RAM: 1013.98 MB

Available physical RAM: 747.07 MB

Total Pagefile: 2442.85 MB

Available Pagefile: 2158.17 MB

Total Virtual: 2047.88 MB

Available Virtual: 2001.44 MB

======================= Partitions =========================

1 Drive c: (SQ004033P03) (Fixed) (Total:92.91 GB) (Free:45.56 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 93 GB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 93 GB 32 KB

Partition 2 Unknown 251 MB 93 GB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C SQ004033P03 NTFS Partition 93 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0

Partition 2

Type : 88

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******

Link to post
Share on other sites

Hi aliB:

It's been running fine now since a few days ago when I ran Malwarebytes (which detected and deleted Trojan.Downloader) and Avast (which detected and quarantined Win32.Malware.gen). Afterwards I also updated my Java to the most recent version.

My concern afterwards, was the 2 suspicious Registry entries that RogueKiller I had detected. Then you assisted me in deleting these 2 items that appeared in the Registry. And then I proceed to run all the other cleaners and scanners you told me to run.

So since doing all of this, I have not had any problems and everything is running smoothly. I also just now ran a new RogueKiller scan and "everything looks clean." Here is copy of the RogueKiller scan I just now ran:

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: VINCE [Admin rights]

Mode: Scan -- Date: 08/25/2012 14:25:20

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHV2100BH PL +++++

--- User ---

[MBR] 56d1e1ccd511aa6b25601cd215fd9c4c

[bSP] e5a07fd5c10d4d4c3f08106a8a368872 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 95142 Mo

3 - [XXXXXX] UNKNOWN (0x88) [VISIBLE] Offset (sectors): 194852385 | Size: 251 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[8].txt >>

RKreport[5].txt ; RKreport[6].txt ; RKreport[7].txt ; RKreport[8].txt

It looks good to me aliB; what do you think?

Also do you have any suggestions or recommendations to prevent this from happening in the future?

thanks

Link to post
Share on other sites

hi

Congratulations your logs appear clean :thumbsup:

Reset and Re-enable your System Restore

  • Open OTL
  • Under the Custom Scans/Fixes box at the bottom, paste the following:
    :Commands
    [clearallrestorepoints]
    [createrestorepoint]


  • Click the Run Fix button at the top
  • It might ask you to reboot, if so click YES

NEXT

  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
  • Click on the CleanUp button.
  • Click Yes to begin the cleanup process and remove tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes

Recommendations

See Here for a list of recommendations for free Antivirus\AntiSpyware applications.

  • Keep Your windows up to date by regularly checking their website at:
    http://windowsupdate.microsoft.com/
  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

    [*]MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

    [*]Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more

    secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up

    blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from

    Here

    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.

    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

    [*]Click Here to learn how to keep a backup of your important files

    [*]FileHippo Update Checkker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.

Stay safe :wave:

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.