
Infected with Win64/Patched.A on system.exe


Hello,

Last night AVG popped up to alert me that I was infected with "Win64/Patched.A" on system.exe. It said that it could not be removed by AVG and that it had to be "manually removed". I downloaded the MalwareBytes software and it wiped out about 19 other threats, but now it is constantly popping up to let me know it has blocked several other threats. I have attached both of the DDS logs and any help would be greatly appreciated.

Thank you!

Josh

dds.txt

attach.txt


Hello L5R and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------

In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB


Looking much better.

Please reboot, then go ahead and run MBAR and TDSSKiller once again and post each of their logs.

-------

Please download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right-click -> Run as administrator; for XP, simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.


Looks good. You had a pretty nasty infection so I'd just like to run a few more scans in case there's anything left, though it's looking pretty good so far ;).

We need to create a New FULL OTL Report

  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double-click the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList".
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized


Here are the logs:

OTL.txt

OTL logfile created on: 5/26/2013 7:16:54 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\USER\Desktop

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.86 Gb Total Physical Memory | 1.18 Gb Available Physical Memory | 41.06% Memory free

5.72 Gb Paging File | 3.29 Gb Available in Paging File | 57.49% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 149.04 Gb Total Space | 107.12 Gb Free Space | 71.87% Space Free | Partition Type: NTFS

Drive D: | 148.65 Gb Total Space | 140.68 Gb Free Space | 94.64% Space Free | Partition Type: NTFS

Computer Name: USER-TOSH | User Name: USER | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/05/26 19:16:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\USER\Desktop\OTL.exe

PRC - [2013/05/23 06:44:09 | 000,825,808 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

PRC - [2012/12/11 03:52:44 | 003,147,384 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2013\avgui.exe

PRC - [2012/12/10 11:11:44 | 001,342,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2013\avgfws.exe

PRC - [2012/11/15 23:34:30 | 005,814,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe

PRC - [2012/10/22 13:05:08 | 000,196,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe

PRC - [2010/09/02 19:25:46 | 001,234,216 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe

PRC - [2010/08/27 18:20:14 | 001,811,456 | ---- | M] (Realsil Microelectronics Inc.) -- C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe

PRC - [2010/08/15 20:54:50 | 000,034,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

PRC - [2010/06/03 17:09:00 | 000,304,560 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe

PRC - [2010/05/04 13:07:22 | 000,503,080 | ---- | M] (Nero AG) -- c:\Program Files (x86)\Nero\Update\NASvc.exe

PRC - [2010/03/03 15:42:02 | 002,320,920 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

PRC - [2010/03/03 15:41:58 | 000,268,824 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

PRC - [2009/07/28 21:26:42 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe

PRC - [2009/03/10 19:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe

========== Modules (No Company Name) ==========

MOD - [2013/05/23 06:44:07 | 000,393,168 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\ppgooglenaclpluginchrome.dll

MOD - [2013/05/23 06:43:59 | 004,051,408 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\pdf.dll

MOD - [2013/05/23 06:43:06 | 000,599,504 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\libglesv2.dll

MOD - [2013/05/23 06:43:05 | 000,124,368 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\libegl.dll

MOD - [2013/05/23 06:43:03 | 001,597,392 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\ffmpegsumo.dll

========== Services (SafeList) ==========

SRV:64bit: - [2010/09/28 13:30:28 | 000,489,384 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)

SRV:64bit: - [2010/09/22 19:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)

SRV:64bit: - [2010/02/05 18:44:48 | 000,137,560 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)

SRV:64bit: - [2009/07/28 15:48:06 | 000,140,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)

SRV:64bit: - [2009/07/14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV - [2013/05/24 21:53:26 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2013/05/15 18:13:28 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)

SRV - [2013/02/28 18:45:16 | 000,161,384 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)

SRV - [2012/12/10 11:11:44 | 001,342,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2013\avgfws.exe -- (avgfws)

SRV - [2012/11/15 23:34:30 | 005,814,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe -- (AVGIDSAgent)

SRV - [2012/10/22 13:05:08 | 000,196,664 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe -- (avgwd)

SRV - [2012/08/23 11:31:24 | 002,148,216 | ---- | M] (AVG) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe -- (TuneUp.UtilitiesSvc)

SRV - [2010/08/27 18:20:14 | 001,811,456 | ---- | M] (Realsil Microelectronics Inc.) [Auto | Running] -- C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe -- (IconMan_R)

SRV - [2010/05/11 10:40:52 | 000,124,368 | ---- | M] (Toshiba Europe GmbH) [On_Demand | Stopped] -- C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe -- (TemproMonitoringService)

SRV - [2010/05/04 13:07:22 | 000,503,080 | ---- | M] (Nero AG) [Auto | Running] -- c:\Program Files (x86)\Nero\Update\NASvc.exe -- (NAUpdate)

SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2010/03/03 15:42:02 | 002,320,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS)

SRV - [2010/03/03 15:41:58 | 000,268,824 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS)

SRV - [2010/01/28 17:44:40 | 000,249,200 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe -- (cfWiMAXService)

SRV - [2009/10/06 10:21:50 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)

SRV - [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

SRV - [2009/03/10 19:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2013/04/04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)

DRV:64bit: - [2013/01/19 11:16:16 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)

DRV:64bit: - [2012/11/15 23:33:24 | 000,111,968 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (Avgmfx64)

DRV:64bit: - [2012/10/22 13:02:44 | 000,154,464 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgidsdrivera.sys -- (AVGIDSDriver)

DRV:64bit: - [2012/10/15 03:48:50 | 000,063,328 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\avgidsha.sys -- (AVGIDSHA)

DRV:64bit: - [2012/10/02 03:30:38 | 000,185,696 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (Avgldx64)

DRV:64bit: - [2012/09/21 03:46:04 | 000,200,032 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (Avgtdia)

DRV:64bit: - [2012/09/21 03:46:00 | 000,225,120 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\avgloga.sys -- (Avgloga)

DRV:64bit: - [2012/09/14 03:05:18 | 000,040,800 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (Avgrkx64)

DRV:64bit: - [2012/09/04 10:39:32 | 000,050,296 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgfwd6a.sys -- (Avgfwfd)

DRV:64bit: - [2012/03/01 07:54:38 | 000,022,896 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)

DRV:64bit: - [2011/03/11 07:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2011/03/11 07:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2011/03/04 05:57:01 | 000,020,592 | ---- | M] (Compal Electronics, INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CeKbFilter.sys -- (CeKbFilter)

DRV:64bit: - [2010/10/05 22:23:18 | 007,884,288 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)

DRV:64bit: - [2010/10/05 21:15:14 | 000,285,696 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)

DRV:64bit: - [2010/07/29 06:10:42 | 010,610,400 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)

DRV:64bit: - [2010/06/23 16:10:56 | 000,344,680 | ---- | M] (Realtek ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)

DRV:64bit: - [2010/04/28 12:32:20 | 000,932,384 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rtl8192ce.sys -- (RTL8192Ce)

DRV:64bit: - [2010/03/22 11:55:20 | 000,046,192 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\LPCFilter.sys -- (LPCFilter)

DRV:64bit: - [2010/03/10 19:51:32 | 000,316,464 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)

DRV:64bit: - [2010/02/27 08:32:14 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)

DRV:64bit: - [2010/01/15 13:22:08 | 000,538,136 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)

DRV:64bit: - [2010/01/07 10:05:46 | 000,232,992 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)

DRV:64bit: - [2009/09/17 13:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)

DRV:64bit: - [2009/07/30 20:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tdcmdpst.sys -- (tdcmdpst)

DRV:64bit: - [2009/07/14 16:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)

DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009/07/14 02:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009/06/22 18:06:38 | 000,035,008 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PGEffect.sys -- (PGEffect)

DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009/06/10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

DRV:64bit: - [2009/04/08 15:28:46 | 000,068,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)

DRV:64bit: - [2008/04/16 15:49:34 | 000,028,416 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)

DRV - [2012/07/04 15:26:12 | 000,011,880 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys -- (TuneUpUtilitiesDrv)

DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {C95B573C-C244-4BFA-B1C3-39AB0510D636}

IE:64bit: - HKLM\..\SearchScopes\{C95B573C-C244-4BFA-B1C3-39AB0510D636}: "URL" = http://www.bing.com/search?q={searchTerms}&form=TSHMDF&pc=MATM&src=IE-SearchBox

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKLM\..\SearchScopes,DefaultScope = {6ABE3B40-E036-457C-8FF1-6A6F650260FB}

IE - HKLM\..\SearchScopes\{6ABE3B40-E036-457C-8FF1-6A6F650260FB}: "URL" = http://www.bing.com/search?q={searchTerms}&form=TSHMDF&pc=MATM&src=IE-SearchBox

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = -

IE - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Before = http://toshiba.msn.com

IE - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\..\SearchScopes,DefaultScope = {6ABE3B40-E036-457C-8FF1-6A6F650260FB}

IE - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.delta-search.com/?q={searchTerms}&affID=120518&tt=gc_&babsrc=SP_ss&mntrId=B08588252CC85B98

IE - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\..\SearchScopes\{6ABE3B40-E036-457C-8FF1-6A6F650260FB}: "URL" = http://www.bing.com/search?q={searchTerms}&r=453

IE - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\..\SearchScopes\{D2058B99-375B-447E-9012-A898C1D18CD8}: "URL" = http://rover.ebay.com/rover/1/710-44557-9400-9/4?satitle={searchTerms}

IE - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\..\SearchScopes\{E9E0294A-F5D3-4187-91E0-D25D839831A3}: "URL" = http://www.amazon.co.uk/gp/search?ie=UTF8&keywords={searchTerms}&tag=tochibauk-win7-ie-search-21&index=blended&linkCode=ur2

IE - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll ()

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

[2013/03/13 13:49:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\USER\AppData\Roaming\mozilla\Extensions

[2013/05/24 20:54:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\USER\AppData\Roaming\mozilla\firefox\Profiles\jojduxv5.default\extensions

[2012/12/13 21:29:00 | 000,199,445 | ---- | M] () (No name found) -- C:\Users\USER\AppData\Roaming\mozilla\firefox\profiles\jojduxv5.default\extensions\movie2kdownloader@movie2kdownloader.com.xpi

[2013/05/24 20:54:30 | 000,870,680 | ---- | M] () (No name found) -- C:\Users\USER\AppData\Roaming\mozilla\firefox\profiles\jojduxv5.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

[2013/05/24 20:15:42 | 000,006,503 | ---- | M] () -- C:\Users\USER\AppData\Roaming\mozilla\firefox\profiles\jojduxv5.default\searchplugins\babylon.xml

[2013/05/24 20:15:42 | 000,006,503 | ---- | M] () -- C:\Users\USER\AppData\Roaming\mozilla\firefox\profiles\jojduxv5.default\searchplugins\BrowserProtect.xml

[2013/05/24 21:53:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions

[2013/05/24 21:53:28 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter},

CHR - homepage: http://www.google.com/

CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll

CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.94\pdf.dll

CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll

CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

CHR - plugin: Java Platform SE 6 U20 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll

CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll

CHR - plugin: McAfee Security Scanner + (Enabled) = C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMss.dll

CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll

CHR - plugin: Windows Live Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll

CHR - Extension: Angry Birds = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.5.0.7_0\

CHR - Extension: Google Docs = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\

CHR - Extension: Google Drive = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\

CHR - Extension: YouTube = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\

CHR - Extension: Slinky Elegant = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmanlajnpdncmhfkiccmbgeocgbncfln\19.6_0\

CHR - Extension: Guitarist's Reference = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\cddaabhppoebkmalboinjhgofbhdbcgk\1_0\

CHR - Extension: Google Search = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\

CHR - Extension: AdBlock = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.63_0\

CHR - Extension: Youtube Subscriptions as Default Page = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\klljlfcipmgohgfdgmliaobikgdoeaah\1.1.4_0\

CHR - Extension: Gmail = C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2013/05/25 22:33:18 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O2 - BHO: (TOSHIBA Media Controller Plug-in) - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O4:64bit: - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)

O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [igfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)

O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)

O4:64bit: - HKLM..\Run: [smartFaceVWatcher] C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)

O4:64bit: - HKLM..\Run: [smoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)

O4:64bit: - HKLM..\Run: [Toshiba Registration] C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe (Toshiba Europe GmbH)

O4:64bit: - HKLM..\Run: [Toshiba TEMPRO] C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe (Toshiba Europe GmbH)

O4:64bit: - HKLM..\Run: [TosNC] C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe (TOSHIBA Corporation)

O4:64bit: - HKLM..\Run: [TosReelTimeMonitor] C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe (TOSHIBA Corporation)

O4:64bit: - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)

O4:64bit: - HKLM..\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe (TOSHIBA Corporation)

O4:64bit: - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [AVG_UI] C:\Program Files (x86)\AVG\AVG2013\avgui.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)

O4 - HKLM..\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe (TOSHIBA CORPORATION)

O4 - HKLM..\Run: [NBAgent] c:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe (Nero AG)

O4 - HKLM..\Run: [sVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA CORPORATION)

O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)

O4 - HKLM..\Run: [TWebCamera] C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA CORPORATION.)

O4 - HKU\.DEFAULT..\Run: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe (TOSHIBA)

O4 - HKU\S-1-5-18..\Run: [TOSHIBA Online Product Information] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\TOPI.exe (TOSHIBA)

O4 - HKU\S-1-5-21-2920553064-793539459-1004061606-1000..\Run: [start Killer] C:\Program Files\StartKiller\StartKiller.exe (Tordex)

O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)

O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2920553064-793539459-1004061606-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O13 - gopher Prefix: missing

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BAFEA559-16B7-4727-BBC3-272AF6FBCBF6}: DhcpNameServer = 192.168.0.1

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O18:64bit: - Protocol\Handler\skype4com - No CLSID value found

O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found

O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found

O18:64bit: - Protocol\Handler\wlpg - No CLSID value found

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/05/26 19:16:15 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\USER\Desktop\OTL.exe

[2013/05/26 11:10:36 | 000,000,000 | ---D | C] -- C:\Users\USER\Desktop\RK_Quarantine

[2013/05/26 11:08:38 | 000,000,000 | ---D | C] -- C:\Users\USER\Desktop\New folder

[2013/05/26 10:39:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)

[2013/05/25 22:38:08 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2013/05/25 22:33:21 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN

[2013/05/25 22:24:47 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2013/05/25 22:24:47 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2013/05/25 22:24:47 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2013/05/25 22:24:42 | 000,000,000 | ---D | C] -- C:\Qoobox

[2013/05/25 22:24:29 | 000,000,000 | ---D | C] -- C:\Windows\erdnt

[2013/05/25 22:23:35 | 005,071,432 | R--- | C] (Swearware) -- C:\Users\USER\Desktop\ComboFix.exe

[2013/05/25 21:10:47 | 000,000,000 | ---D | C] -- C:\Users\USER\Desktop\mbar-1.06.0.1003

[2013/05/25 21:09:44 | 000,000,000 | ---D | C] -- C:\Users\USER\Desktop\Logs

[2013/05/25 21:03:04 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine

[2013/05/25 21:01:17 | 000,000,000 | ---D | C] -- C:\Users\USER\Desktop\tdsskiller

[2013/05/25 21:00:17 | 002,239,840 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\USER\Desktop\tdsskiller.exe

[2013/05/25 18:04:06 | 000,035,192 | ---- | C] (AVG) -- C:\Windows\SysNative\TURegOpt.exe

[2013/05/25 18:04:01 | 000,026,488 | ---- | C] (AVG) -- C:\Windows\SysNative\authuitu.dll

[2013/05/25 18:04:01 | 000,021,880 | ---- | C] (AVG) -- C:\Windows\SysWow64\authuitu.dll

[2013/05/25 18:03:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp

[2013/05/25 18:03:19 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\AVG

[2013/05/25 18:02:14 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG

[2013/05/25 18:02:04 | 000,000,000 | -HSD | C] -- C:\ProgramData\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}

[2013/05/24 21:52:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox

[2013/05/24 21:37:18 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Malwarebytes

[2013/05/24 21:36:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2013/05/24 21:36:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2013/05/24 21:36:51 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2013/05/24 21:36:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2013/05/24 21:03:58 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\AVG2013

[2013/05/24 21:02:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG

[2013/05/24 21:01:34 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2013

[2013/05/24 21:01:34 | 000,000,000 | ---D | C] -- C:\$AVG

[2013/05/24 21:00:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG

[2013/05/24 20:15:59 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP

[2013/05/24 19:44:20 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Local\Programs

[2013/05/24 19:41:39 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%

[2013/05/24 19:38:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Windows Genuine Advantage

[2013/05/22 15:24:31 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Microsoft Games

[2013/05/19 19:28:07 | 000,000,000 | ---D | C] -- C:\Users\USER\Documents\Games

[2013/05/17 20:54:42 | 000,000,000 | ---D | C] -- C:\Users\USER\AppData\Roaming\Origin

[2013/05/17 20:52:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Origin

[2013/05/17 20:04:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Electronic Arts

[2013/05/14 14:55:01 | 000,000,000 | ---D | C] -- C:\ProgramData\FLEXnet

[2013/05/14 14:51:05 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\spool

[2013/05/13 17:26:34 | 000,000,000 | ---D | C] -- C:\ProgramData\EA Core

[2013/05/13 11:17:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft WSE

[2013/05/13 11:06:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Electronic Arts

[2013/04/28 13:26:51 | 000,000,000 | ---D | C] -- C:\Users\USER\Tracing

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/05/26 19:16:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\USER\Desktop\OTL.exe

[2013/05/26 19:13:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job

[2013/05/26 19:10:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2013/05/26 11:20:22 | 011,395,946 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2013/05/26 11:20:22 | 005,590,338 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2013/05/26 11:20:22 | 000,005,006 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2013/05/26 11:18:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2013/05/26 11:10:20 | 000,791,040 | ---- | M] () -- C:\Users\USER\Desktop\RogueKillerX64.exe

[2013/05/26 10:55:28 | 000,016,304 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2013/05/26 10:55:28 | 000,016,304 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2013/05/26 10:45:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2013/05/26 10:36:26 | 000,000,434 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.ics

[2013/05/26 00:54:00 | 2304,774,144 | -HS- | M] () -- C:\hiberfil.sys

[2013/05/25 22:41:19 | 000,890,854 | ---- | M] () -- C:\Users\USER\Desktop\SecurityCheck.exe

[2013/05/25 22:33:18 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts

[2013/05/25 22:24:15 | 005,071,432 | R--- | M] (Swearware) -- C:\Users\USER\Desktop\ComboFix.exe

[2013/05/25 21:10:15 | 013,169,742 | ---- | M] () -- C:\Users\USER\Desktop\mbar-1.06.0.1003.zip

[2013/05/25 21:07:42 | 002,221,209 | ---- | M] () -- C:\Users\USER\Desktop\tdsskiller.zip

[2013/05/25 21:00:18 | 002,239,840 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\USER\Desktop\tdsskiller.exe

[2013/05/25 18:03:51 | 000,002,192 | ---- | M] () -- C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk

[2013/05/25 18:03:51 | 000,002,144 | ---- | M] () -- C:\Users\Public\Desktop\AVG PC TuneUp.lnk

[2013/05/24 21:36:55 | 000,001,076 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2013/05/24 21:02:56 | 000,000,932 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2013.lnk

[2013/05/23 23:10:39 | 000,002,150 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk

[2013/05/18 16:24:36 | 000,000,000 | ---- | M] () -- C:\Windows\PowerReg.dat

[2013/05/17 22:10:53 | 000,002,086 | ---- | M] () -- C:\Users\Public\Desktop\The Sims™ 3.lnk

[2013/05/15 18:13:28 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe

[2013/05/15 18:13:28 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

[2013/05/15 13:06:43 | 005,148,880 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/05/26 11:10:19 | 000,791,040 | ---- | C] () -- C:\Users\USER\Desktop\RogueKillerX64.exe

[2013/05/25 22:41:19 | 000,890,854 | ---- | C] () -- C:\Users\USER\Desktop\SecurityCheck.exe

[2013/05/25 22:24:47 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2013/05/25 22:24:47 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2013/05/25 22:24:47 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2013/05/25 22:24:47 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2013/05/25 22:24:47 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2013/05/25 21:10:04 | 013,169,742 | ---- | C] () -- C:\Users\USER\Desktop\mbar-1.06.0.1003.zip

[2013/05/25 21:07:32 | 002,221,209 | ---- | C] () -- C:\Users\USER\Desktop\tdsskiller.zip

[2013/05/25 18:03:51 | 000,002,192 | ---- | C] () -- C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk

[2013/05/25 18:03:51 | 000,002,144 | ---- | C] () -- C:\Users\Public\Desktop\AVG PC TuneUp.lnk

[2013/05/25 18:03:45 | 000,002,156 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp.lnk

[2013/05/24 21:36:55 | 000,001,076 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2013/05/24 21:02:56 | 000,000,932 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2013.lnk

[2013/05/24 19:46:26 | 000,178,688 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll

[2013/05/18 16:24:36 | 000,000,000 | ---- | C] () -- C:\Windows\PowerReg.dat

[2013/05/17 22:10:53 | 000,002,086 | ---- | C] () -- C:\Users\Public\Desktop\The Sims™ 3.lnk

========== ZeroAccess Check ==========

[2009/07/14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 06:30:56 | 014,165,504 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 05:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/14 02:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== Alternate Data Streams ==========

@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:373E1720

< End of report >

Extras.txt

OTL Extras logfile created on: 5/26/2013 7:16:54 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\USER\Desktop

64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.86 Gb Total Physical Memory | 1.18 Gb Available Physical Memory | 41.06% Memory free

5.72 Gb Paging File | 3.29 Gb Available in Paging File | 57.49% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 149.04 Gb Total Space | 107.12 Gb Free Space | 71.87% Space Free | Partition Type: NTFS

Drive D: | 148.65 Gb Total Space | 140.68 Gb Free Space | 94.64% Space Free | Partition Type: NTFS

Computer Name: USER-TOSH | User Name: USER | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2920553064-793539459-1004061606-1000\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- Reg Error: Key error.

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{06A32239-2B4E-494F-BA09-F60F0966FCCD}" = rport=2869 | protocol=6 | dir=out | app=system |

"{0824DEA4-2019-4969-B2F6-3D1F5327C1A3}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{15254A8B-5382-42F5-A027-FFD67942DC41}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |

"{26EA747C-749C-494D-815D-2A041CD928EA}" = rport=10243 | protocol=6 | dir=out | app=system |

"{3E56CC70-671D-44E1-ABB4-FEEAC4C51AE8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{49AE7F49-63B4-4C76-912B-7FB898309B07}" = lport=2869 | protocol=6 | dir=in | app=system |

"{4FD9FFF0-01A6-4528-92A1-FB693C165F2E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{5240D10E-8484-479A-A5A8-5BE8D3FE8B63}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{6E52CD03-8AF3-4F2C-AD74-7897917658B6}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{6ECA53D5-5F00-42B5-84AE-0A71C5BDCD6F}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |

"{A0279630-F2DB-41E1-B10E-7A1AF78287B6}" = lport=2869 | protocol=6 | dir=in | app=system |

"{A52E33D4-38FC-4DBD-BF47-9F4709F44C34}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |

"{B20AAD03-3BBE-4D05-9CF5-B379ED068AD6}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{B2D4CA52-8D24-4EAC-A4F1-27F9393BF237}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |

"{B4693652-4976-4FB7-9C91-720EFADB92E1}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{C35A05DF-9AC8-4822-BDE1-88B6A2930D80}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{ECC34979-2962-4846-A66D-5C0C77149106}" = lport=10243 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0F4FA3C3-9422-4FDC-8055-235010679638}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{1474B72A-F28B-43AC-992D-348082AE65D8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{26876A6F-EF64-43B3-B225-047A2FD5C4B1}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{2B02F1D1-ABEE-43E7-98CD-482C75272EFB}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{317FD15C-3D23-4148-9B00-483C7B0065C1}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{3D77E457-1C2D-4B3F-9EF0-5D8E7B1D283C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{72316B25-203D-4268-B584-86DF66E2BAD9}" = protocol=6 | dir=out | app=system |

"{84738785-BB4A-4978-A231-4F3677722BD0}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{875293F8-F694-4501-99F4-543E3A84FE54}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{B86517C7-F182-4599-A394-48C44602960B}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 |

"{C67202D4-90F4-4DE8-9A2A-4AE826F6E612}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{D30E52CF-FF78-4E68-B641-50A501B8AD5D}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{DA6F321A-50DB-4E06-B577-BEA332CE1D7C}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{E92D6A09-9491-4D38-9799-18E53E72B7F7}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |

"{F0C9BF03-E435-4334-A230-6241805C48C3}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{F4EE3E03-3290-41C3-8EFE-3E92C74CD61E}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{F7742970-0DF3-4EFA-992F-9F611FD9C270}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{FA97E05B-158F-4A4A-BAC3-D661B6503EEB}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package

"{14FCF290-82AB-421A-9034-636EF90EB9E5}" = AVG 2013

"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant

"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

"{21B133D6-5979-47F0-BE1C-F6A6B304693F}" = Visual Studio 2010 x64 Redistributables

"{24811C12-F4A9-4D0F-8494-A7B8FE46123C}" = TOSHIBA ReelTime

"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator

"{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector

"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources

"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources

"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting

"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)

"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator

"{C14518AF-1A0F-4D39-8011-69BAA01CD380}" = TOSHIBA Bulletin Board

"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert

"{D43908B1-76F6-42FB-B97D-0F4694769ACF}" = Start Killer

"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter

"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client

"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service

"{F5AA006A-1ABE-4F16-B6E1-FEE1F7D38102}" = AVG 2013

"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile

"{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition

"4F214B105BE2C47A7C10086525680BB7DCF7DEEB" = Windows Driver Package - ATI Technologies Inc. (amdkmdap) Display (10/05/2010 8.783.0.0000)

"AVG" = AVG 2013

"E8AD071510D6DB50A4A5327191F59F7569D3BB7F" = Windows Driver Package - ATI Technologies Inc. (amdkmdap) Display (10/05/2010 8.783.0.0000)

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"WinRAR archiver" = WinRAR 4.20 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package

"{08C8666B-C502-4AB3-B4CB-D74AC42D14FE}" = Nero BackItUp 10 Help (CHM)

"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86

"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer

"{0FF68F26-416C-4954-ACA5-6AD5F9DE99C1}" = Nero Multimedia Suite 10 Essentials

"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver

"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update

"{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}" = Nero MediaHub 10

"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions

"{2290A680-4083-410A-ADCC-7092C67FC052}" = TOSHIBA Online Product Information

"{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10

"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java 6 Update 20

"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections

"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery

"{33643918-7957-4839-92C7-EA96CB621A98}" = Nero Express 10 Help (CHM)

"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery

"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel® Rapid Storage Technology

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform

"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.3

"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion

"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password

"{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)

"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup

"{555868C6-49FB-484F-BB43-8980651A1B00}" = Nero BurnRights 10 Help (CHM)

"{5E6F6CF3-BACC-4144-868C-E14622C658F3}" = TOSHIBA Web Camera Application

"{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility

"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components

"{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update

"{66049135-9659-4AAD-9169-9CCA269EBB3E}" = Nero InfoTool 10 Help (CHM)

"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE

"{68AB6930-5BFF-4FF6-923B-516A91984FE6}" = Nero BackItUp 10

"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack

"{6DB8C365-E719-4BA5-9594-10DFC244D3FD}_is1" = Gyazo 1.0

"{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10

"{70550193-1C22-445C-8FA4-564E155DB1A7}" = Nero Express 10

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TOSHIBA Recovery Media Creator Reminder

"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core

"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows 7

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime

"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT

"{90FF4432-21B7-4AF6-BA6E-FB8C1FED9173}" = Toshiba Manuals

"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86

"{92E25238-61A3-4ACD-A407-3C480EEF47A7}" = Nero RescueAgent 10 Help (CHM)

"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker

"{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10

"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010

"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader

"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars

"{983CD6FE-8320-4B80-A8F6-0D0366E0AA22}" = TOSHIBA Media Controller

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9D3D8C60-A55F-4fed-B2B9-173001290E16}" = Realtek WLAN Driver

"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail

"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh

"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{A98E3354-AD08-427C-A0AC-32221A3E6598}" = Active@ Partition Manager

"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common

"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer

"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer

"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station

"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0

"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR

"{B95B1BA9-F887-4B3C-8D3A-CCD4C4675120}" = Microsoft Default Manager

"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3

"{C2A276E3-154E-44DC-AAF1-FFDD7FD30E35}" = TOSHIBA Assist

"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail

"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform

"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64

"{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}" = AVG PC TuneUp

"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert

"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common

"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform

"{DBB7021A-3437-446F-ACE5-7261644A972C}" = Toshiba TEMPRO

"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources

"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh

"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10

"{E0FAA369-B0E3-48B8-9447-4873103B0012}" = TOSHIBA ConfigFree

"{E337E787-CF61-4B7B-B84F-509202A54023}" = Nero RescueAgent 10

"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime

"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F26FDF57-483E-42C8-A9C9-EEE1EDB256E0}" = TOSHIBA Media Controller Plug-in

"{F412B4AF-388C-4FF5-9B2F-33DB1C536953}" = Nero InfoTool 10

"{F467862A-D9CA-47ED-8D81-B4B3C9399272}" = Nero MediaHub 10 Help (CHM)

"{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic

"{F6117F9C-ADB5-4590-9BE4-12C7BEC28702}" = Nero StartSmart 10 Help (CHM)

"{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}" = Nero StartSmart 10

"{FB03A941-815E-42F2-B604-FCE5636DB90B}" = AVG PC TuneUp Language Pack (en-US)

"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"ASIO4ALL" = ASIO4ALL

"AVG PC TuneUp" = AVG PC TuneUp

"Google Chrome" = Google Chrome

"ImgBurn" = ImgBurn

"InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package

"InstallShield_{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver

"InstallShield_{24811C12-F4A9-4D0F-8494-A7B8FE46123C}" = TOSHIBA ReelTime

"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password

"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup

"InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility

"InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}" = TOSHIBA Recovery Media Creator Reminder

"InstallShield_{C14518AF-1A0F-4D39-8011-69BAA01CD380}" = TOSHIBA Bulletin Board

"InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert

"InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300

"Mozilla Firefox 21.0 (x86 en-US)" = Mozilla Firefox 21.0 (x86 en-US)

"MozillaMaintenanceService" = Mozilla Maintenance Service

"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2920553064-793539459-1004061606-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 5/22/2013 1:22:36 PM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3012

Description = The performance strings in the Performance registry value is corrupted

when process Performance extension counter provider. The BaseIndex value from the

Performance registry is the first DWORD in the Data section, LastCounter value

is the second DWORD in the Data section, and LastHelp value is the third DWORD in

the Data section.

Error - 5/22/2013 1:22:36 PM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3011

Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)

failed. The first DWORD in the Data section contains the error code.

Error - 5/22/2013 2:17:10 PM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3012

Description = The performance strings in the Performance registry value is corrupted

when process Performance extension counter provider. The BaseIndex value from the

Performance registry is the first DWORD in the Data section, LastCounter value

is the second DWORD in the Data section, and LastHelp value is the third DWORD in

the Data section.

Error - 5/22/2013 2:17:10 PM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3011

Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)

failed. The first DWORD in the Data section contains the error code.

Error - 5/23/2013 5:14:42 AM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3012

Description = The performance strings in the Performance registry value is corrupted

when process Performance extension counter provider. The BaseIndex value from the

Performance registry is the first DWORD in the Data section, LastCounter value

is the second DWORD in the Data section, and LastHelp value is the third DWORD in

the Data section.

Error - 5/23/2013 5:14:42 AM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3011

Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)

failed. The first DWORD in the Data section contains the error code.

Error - 5/23/2013 7:29:42 AM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3012

Description = The performance strings in the Performance registry value is corrupted

when process Performance extension counter provider. The BaseIndex value from the

Performance registry is the first DWORD in the Data section, LastCounter value

is the second DWORD in the Data section, and LastHelp value is the third DWORD in

the Data section.

Error - 5/23/2013 7:29:42 AM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3011

Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)

failed. The first DWORD in the Data section contains the error code.

Error - 5/23/2013 2:27:41 PM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3012

Description = The performance strings in the Performance registry value is corrupted

when process Performance extension counter provider. The BaseIndex value from the

Performance registry is the first DWORD in the Data section, LastCounter value

is the second DWORD in the Data section, and LastHelp value is the third DWORD in

the Data section.

Error - 5/23/2013 2:27:41 PM | Computer Name = USER-TOSH | Source = Microsoft-Windows-LoadPerf | ID = 3011

Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)

failed. The first DWORD in the Data section contains the error code.

[ Media Center Events ]

Error - 4/28/2013 7:19:59 AM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 12:19:59 - Error connecting to the internet. 12:19:59 - Unable

to contact server..

Error - 4/28/2013 7:20:08 AM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 12:20:04 - Error connecting to the internet. 12:20:04 - Unable

to contact server..

Error - 4/30/2013 4:36:34 PM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 21:36:34 - Error connecting to the internet. 21:36:34 - Unable

to contact server..

Error - 4/30/2013 4:36:42 PM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 21:36:39 - Error connecting to the internet. 21:36:39 - Unable

to contact server..

Error - 4/30/2013 5:41:15 PM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 22:41:15 - Error connecting to the internet. 22:41:15 - Unable

to contact server..

Error - 4/30/2013 5:41:21 PM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 22:41:20 - Error connecting to the internet. 22:41:20 - Unable

to contact server..

Error - 5/1/2013 4:09:34 AM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 09:09:34 - Error connecting to the internet. 09:09:34 - Unable

to contact server..

Error - 5/1/2013 4:09:41 AM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 09:09:40 - Error connecting to the internet. 09:09:40 - Unable

to contact server..

Error - 5/1/2013 5:09:45 AM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 10:09:45 - Error connecting to the internet. 10:09:45 - Unable

to contact server..

Error - 5/1/2013 5:09:51 AM | Computer Name = USER-TOSH | Source = MCUpdate | ID = 0

Description = 10:09:50 - Error connecting to the internet. 10:09:50 - Unable

to contact server..

[ System Events ]

Error - 5/20/2013 1:33:32 PM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 31004

Description =

Error - 5/21/2013 2:42:50 AM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 31004

Description =

Error - 5/21/2013 2:42:55 AM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 30013

Description =

Error - 5/21/2013 6:08:31 AM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 31004

Description =

Error - 5/21/2013 6:08:38 AM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 31004

Description =

Error - 5/21/2013 6:08:46 AM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 30013

Description =

Error - 5/21/2013 8:09:15 AM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 31004

Description =

Error - 5/21/2013 8:09:22 AM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 31004

Description =

Error - 5/21/2013 8:09:22 AM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 30013

Description =

Error - 5/21/2013 10:22:39 AM | Computer Name = USER-TOSH | Source = ipnathlp | ID = 31004

Description =

< End of report >


Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic


Hey DFB, I've run the ESET Online Scanner but the only log I'm getting is:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

I've tried running it again but it just gives me the same log. Is there a reason for this? Thanks again!


Here's the Bitdefender report:

QuickScan 64-bit v0.9.9.118

---------------------------

Scan date:  Mon May 27 07:47:03 2013

Machine ID: B085552C

No infection found.

-------------------

Processes

---------

(verified)  StartKiller Application                  4192    C:\Program Files\StartKiller\StartKiller.exe

(verified)  AVG Internet Security                    5544    C:\Program Files (x86)\AVG\AVG2013\avgui.exe

(verified)  AVG PC TuneUp                            5172    C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe

(verified)  ConfigFree                               6432    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe

(verified)  ConfigFree                               6196    C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe

(verified)  Google Chrome                             240    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(verified)  Google Chrome                            4052    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(verified)  Google Chrome                             624    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(verified)  Google Chrome                            2092    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(verified)  Google Chrome                            2732    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(verified)  Google Chrome                            6028    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(verified)  Google Chrome                             236    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(verified)  HD Audio Background Process              4764    C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

(verified)  Intel® Common User Interface             4428    C:\Windows\System32\hkcmd.exe

(verified)  Intel® Common User Interface             5464    C:\Windows\System32\igfxext.exe

(verified)  Intel® Common User Interface             4468    C:\Windows\System32\igfxpers.exe

(verified)  Intel® Common User Interface             5072    C:\Windows\System32\igfxsrvc.exe

(verified)  Intel® Common User Interface             4344    C:\Windows\System32\igfxtray.exe

(verified)  KeNotify Application                     5264    C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

(verified)  Malwarebytes Anti-Malware                4484    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

(verified)  Message Center                           4132    C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe

(verified)  Microsoft® Windows® Operating System     4808    C:\Windows\explorer.exe

(verified)  Microsoft® Windows® Operating System     4736    C:\Windows\System32\dwm.exe

(verified)  Microsoft® Windows® Operating System     5876    C:\Windows\System32\taskeng.exe

(verified)  Microsoft® Windows® Operating System     4308    C:\Windows\System32\taskhost.exe

(verified)  Nero BackItUp                            3444    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe

(verified)  Realtek HD Audio Manager                 4716    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

(verified)  Synaptics Pointing Device Driver         4124    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

(verified)  TOSHIBA Flash Cards                      4400    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

(verified)  TOSHIBA HDD SSD Alert                    5576    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

(verified)  Toshiba Notebook Registration             404    C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe

(verified)  TOSHIBA Power Saver                      4868    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

(verified)  TOSHIBA ReelTime                         4160    C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

(verified)  TOSHIBA Service Station                  5516    C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

(verified)  Toshiba TEMPRO                           4196    C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe

(verified)  TOSHIBA Zooming Utility                  5016    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

(verified)  Windows® Internet Explorer               3124    C:\Program Files\Internet Explorer\iexplore.exe

(verified)  Windows® Internet Explorer               6276    C:\Program Files\Internet Explorer\iexplore.exe

(verified)  Windows® Internet Explorer               6348    C:\Program Files\Internet Explorer\iexplore.exe

(verified)  Windows® Search                          5812    C:\Windows\System32\SearchProtocolHost.exe

Network activity

----------------

Process chrome.exe (4052) connected on port 443 (HTTP over SSL) --> 173.194.34.70

Process chrome.exe (4052) connected on port 5222 (XMPP/Jabber) --> 74.125.132.125

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 159.253.146.202

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 159.253.146.202

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 74.125.24.95

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 74.125.24.95

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 74.125.24.95

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 159.253.146.202

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 159.253.146.202

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 173.194.34.77

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 173.194.34.77

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 176.255.246.171

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 74.125.132.99

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 74.125.132.99

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 74.125.132.94

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 74.125.132.94

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 173.194.34.122

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 173.194.34.122

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 173.194.34.121

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 173.194.34.121

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 46.228.164.11

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 54.240.166.203

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 2.19.147.167

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 176.255.246.201

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 217.72.250.66

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 31.186.225.24

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 31.186.225.24

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 2.20.39.196

Process iexplore.exe (6276) connected on port 80 (HTTP) --> 108.162.232.4

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 74.125.24.95

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 74.125.24.95

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 173.194.41.106

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 173.194.41.106

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 173.194.41.106

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 74.125.138.121

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 74.125.138.121

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 208.43.120.24

Process iexplore.exe (6348) connected on port 443 (HTTP over SSL) --> 173.194.41.99

Process iexplore.exe (6348) connected on port 443 (HTTP over SSL) --> 173.194.41.99

Process iexplore.exe (6348) connected on port 443 (HTTP over SSL) --> 173.194.34.79

Process iexplore.exe (6348) connected on port 443 (HTTP over SSL) --> 173.194.34.79

Process iexplore.exe (6348) connected on port 443 (HTTP over SSL) --> 173.194.41.100

Process iexplore.exe (6348) connected on port 443 (HTTP over SSL) --> 173.194.41.100

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 2.19.159.139

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 2.19.159.139

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 173.194.34.69

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 173.194.34.69

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 173.194.34.69

Process iexplore.exe (6348) connected on port 80 (HTTP) --> 176.255.246.184

Autoruns and critical files

---------------------------

(unsigned)  SmartFaceVWatcher                        C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

(verified)  HWSetup                                  C:\Program Files\TOSHIBA\Utilities\HWSetup.exe

(verified)  StartKiller Application                  C:\Program Files\StartKiller\StartKiller.exe

(verified)  Toshiba Volume Regulator                 C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe

(verified)  AVG Internet Security                    C:\Program Files (x86)\AVG\AVG2013\avgui.exe

(verified)  Default Manager                          C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

(verified)  HD Audio Background Process              C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

(verified)  Intel® Common User Interface             C:\Windows\System32\hkcmd.exe

(verified)  Intel® Common User Interface             C:\Windows\System32\igfxdev.dll

(verified)  Intel® Common User Interface             C:\Windows\System32\igfxpers.exe

(verified)  Intel® Common User Interface             C:\Windows\System32\igfxtray.exe

(verified)  KeNotify Application                     C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe

(verified)  Message Center                           C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe

(verified)  Microsoft® Windows® Operating System     c:\windows\system32\userinit.exe

(verified)  Nero BackItUp                            C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe

(verified)  Realtek HD Audio Manager                 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

(verified)  SVPWUTIL Application                     C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe

(verified)  Synaptics Pointing Device Driver         C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

(verified)  TOSHIBA Flash Cards                      C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

(verified)  TOSHIBA HDD SSD Alert                    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe

(verified)  Toshiba Notebook Registration            C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe

(verified)  TOSHIBA Power Saver                      C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

(verified)  TOSHIBA ReelTime                         C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

(verified)  TOSHIBA Service Station                  C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

(verified)  Toshiba TEMPRO                           C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe

(verified)  TOSHIBA Web Camera Application           C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe

(verified)  TOSHIBA Zooming Utility                  C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

Browser plugins

---------------

(verified)  Bitdefender QuickScan                    C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie\0.9.9.118_0\npqscan.dll

(verified)  Bitdefender QuickScan                    C:\Windows\Downloaded Program Files\qsax64.dll

(verified)  Microsoft® CoReXT                        C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL

(verified)  Microsoft® CoReXT                        C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

(verified)  Microsoft® CoReXT                        C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL

(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\mswsock.dll

(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\NapiNSP.dll

(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\pnrpnsp.dll

(verified)  Microsoft® Windows® Operating System     C:\Windows\System32\winrnr.dll

(verified)  NPSWF64_11_7_700_202.dll                 C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll

(verified)  Windows® Internet Explorer               C:\Windows\System32\ieframe.dll

Scan

----

MD5: 4de2ee2a5186d74babc4e7f60d2ae989  C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe

MD5: 6be1a6d5c978f6e57fc052c8f8c57540  C:\Program Files (x86)\TOSHIBA\PCDiag\NotifyPCD.dll

MD5: ef4add840fb64b62c2a0e6699925a311  C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\Plugins\Alerts.dll

MD5: 05e8652d704175d366b4b123ee26f1b8  C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\Plugins\PCHealthInfo.dll

MD5: 58327838b09ebaed3ea86721434c0578  C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\Plugins\SwUpdates.dll

MD5: 220ba8df678118dd72d33b3f1bc377d0  C:\Program Files\TOSHIBA\Power Saver\T1394Pwr.dll

MD5: 4cf86120d5b040cfdfbfc1d3ccd947b1  C:\Program Files\TOSHIBA\Power Saver\TCooling.dll

MD5: a7da2525a4344f79176a0dfa517e647e  C:\Program Files\TOSHIBA\Power Saver\TFunc2.dll

MD5: 9c4e90343294e9549fb81e52681f5008  C:\Program Files\TOSHIBA\Power Saver\TFunctab.dll

MD5: 2e432b04edf8135d619e42acab77de35  C:\Program Files\TOSHIBA\Power Saver\TKBLEDPwr.dll

MD5: df7a114d5de40cafbeb4be5a85d800bb  C:\Program Files\TOSHIBA\Power Saver\TOddPwr.dll

MD5: e0b534b30741001cb4a5dfe7cdc4d1aa  C:\Program Files\TOSHIBA\Power Saver\TPCIePwr.dll

MD5: e3a5bccde902cafb26b38655c96d1573  C:\Program Files\TOSHIBA\Power Saver\TPwrBrightness.dll

MD5: 6742b4a075a90afa3515ec117a56a649  C:\Program Files\TOSHIBA\Power Saver\TPwrFunc.dll

MD5: 290ff9ceee331a781a6e074d0aced403  C:\Program Files\TOSHIBA\Power Saver\TPwrReg.dll

MD5: c2975ff1603c3ba18249cfc8972ed5a7  C:\Program Files\TOSHIBA\Power Saver\TPwrSrv.dll

MD5: 3b80fe5f849b6928eaf591c44e00c610  C:\Program Files\TOSHIBA\Power Saver\TSDPwr.dll

MD5: 31f829385328eca5ba89cc9481548dc7  C:\Program Files\TOSHIBA\Power Saver\TtosFunc.dll

MD5: 78f72d892c6adad140a1c83411000936  C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

MD5: 1850daaa7e7a2e543c4a299b58ac9162  C:\Program Files\WinRAR\RarExt.dll

MD5: cb1f277cec7e3c632d17b56e4f3143dc  C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\b24b53e14b1a429b0f36a3044afb1a31\Microsoft.VisualBasic.ni.dll

MD5: fd7467d5d1c921c62e01b8b8c56a4c71  C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\05ae3bc162010cd25470c276297f1303\mscorlib.ni.dll

MD5: 09a828778a367818c7f899640d188b5c  C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCore\3d91cdce6400743bc309a5e39212f1d5\PresentationCore.ni.dll

MD5: e9087cd0bbc48a35cdb98464715993ac  C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Configuration\788257bab792c2704841588120cf6ad1\System.Configuration.ni.dll

MD5: 5ca53a68f413b011ba976b655a7903ca  C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\4caf9dcd9ab56ffd9b47fa0e6ac9a704\System.Drawing.ni.dll

MD5: 5f8db784f4b58a4b5bb89fb9a654f5a9  C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management\370a46899f68fa613bdfd77734fd2117\System.Management.ni.dll

MD5: aef5591957580c4ae612d539da8eee94  C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Remo#\b2f0dceeed5c906820bdf5bbff7913e7\System.Runtime.Remoting.ni.dll

MD5: 5f0cfd202acc8000629ee066008cc435  C:\Windows\assembly\NativeImages_v2.0.50727_64\System.ServiceProce#\54fb82c01706e38a60d1e49121ac72f2\System.ServiceProcess.ni.dll

MD5: 3be143948300ba876b7edc5a93843a0b  C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\2335170ef8a6a3bee4153f36e2cd2df4\System.Windows.Forms.ni.dll

<div>MD5: df83ee5382851c6c33fda15c2250f39f  C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml\470f2295a6009a7d0646f07a68709fe5\System.Xml.ni.dll</div>

<div>MD5: e54e4924e1fd3a0055e581fe0d831e27  C:\Windows\assembly\NativeImages_v2.0.50727_64\System\9de65bdc66e79ce80b00c85a1b4ace59\System.ni.dll</div>

<div>MD5: c8aa17d12d926f0df41f6d80b2ecc052  C:\Windows\assembly\NativeImages_v2.0.50727_64\WindowsBase\48988da6fc6a40a63f4f71912b02783c\WindowsBase.ni.dll</div>

<div>MD5: 9201be2bab8a9ff8e20d8439ae3bb04d  C:\Windows\system32\themeservice.dll</div>

<div>MD5: 8bf20c54ffb37cfb960f708ffa813fa7  C:\Windows\System32\uxtheme.dll</div>

<div>MD5: 1f5afd468eb5e09e9ed75a087529eab5  C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_cbf5e994470a1a8f\mfc80.dll</div>

<div>MD5: e2c48cd0132d4d1dc7d0df9a6bef686a  C:\Windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_cbf5e994470a1a8f\mfc80u.dll</div>

<div>MD5: 28a09777d2d952122567a8a82f1a2c7b  C:\Windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_03ce2c72205943d3\mfc80ENU.dll</div>

<div> </div>

<div> </div>

<div>No file uploaded.</div>

<div> </div>

<div>Scan finished - communication took 2 sec</div>

<div>Total traffic - 0.07 MB sent, 2.74 KB recvd</div>

<div>Scanned 1638 files and modules - 70 seconds</div>

<div> </div>

<div>==============================================================================</div>

<div> </div>

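An added example, not part of the log or of the scanning tool, for re-checking a pasted log of this shape. The lines marked "(verified)" above are files whose Authenticode signature checked out; the "MD5: <hash>  <path>" lines are the files the tool could not verify that way, which is why only their hashes were sent for lookup. A responder who gets such a log later on (or wants to confirm nothing changed after cleanup) can recompute each hash and ask Windows for the signature state, which is the check that catches a Win64/Patched-style modified system file: the hash differs from the recorded one and the signature comes back as anything other than Valid. The three sample lines are copied from the log above; the parsing regex and the status labels are this example's own choices.

```powershell
# Added example (not from the original post or the scanning tool): re-check
# "MD5: <hash>  <path>" log lines against the files as they exist now and
# report each file's Authenticode status. Needs PowerShell 4+ for Get-FileHash.
# The sample lines below come from the log above; the OEM paths will not exist
# on most other machines, which is reported as 'Missing' rather than an error.

$LogText = @'
MD5: 4de2ee2a5186d74babc4e7f60d2ae989  C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
MD5: 9201be2bab8a9ff8e20d8439ae3bb04d  C:\Windows\system32\themeservice.dll
MD5: 8bf20c54ffb37cfb960f708ffa813fa7  C:\Windows\System32\uxtheme.dll
'@

function Get-LogHashEntries {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # Only lines of the form "MD5: <32 hex chars>  <path>" are of interest;
        # the "(verified)" lines carry no hash and are skipped.
        if ($line -match '^\s*MD5:\s+([0-9a-fA-F]{32})\s+(.+?)\s*$') {
            [pscustomobject]@{ Md5 = $Matches[1].ToLower(); Path = $Matches[2] }
        }
    }
}

function Test-LogHashEntry {
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        $result = [ordered]@{
            Path      = $Entry.Path
            LoggedMd5 = $Entry.Md5
            Status    = $null
            Signer    = $null
        }
        if (-not (Test-Path -LiteralPath $Entry.Path -PathType Leaf)) {
            # Removed since the scan, or the log came from another machine.
            $result.Status = 'Missing'
        }
        else {
            $now = (Get-FileHash -LiteralPath $Entry.Path -Algorithm MD5).Hash.ToLower()
            $sig = Get-AuthenticodeSignature -LiteralPath $Entry.Path
            $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            # A changed hash on a file the log recorded deserves a second look:
            # either a legitimate update or a modification made after the scan.
            # For a signed system file, a status other than Valid (HashMismatch
            # in particular) is the tell-tale of a patched binary.
            $result.Status = if ($now -ne $Entry.Md5) { 'HashChanged' }
                             elseif ($sig.Status -eq 'Valid') { 'Unchanged/SignedValid' }
                             else { "Unchanged/$($sig.Status)" }
        }
        [pscustomobject]$result
    }
}

Get-LogHashEntries -Text $LogText | Test-LogHashEntry | Format-Table -AutoSize
```

Paste the whole "Scan" section of a log into `$LogText` to check every entry at once. An MD5 match on its own is weak evidence (the same hash only says the file is the same bytes the tool saw), so the `Signer` and `Status` columns are the ones to read for anything under C:\Windows.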

Your system appears to be clean.

Before we move on, please take the time to install the following updates. Program updates are an important way to keep your computer safe, as outdated applications leave you vulnerable to malware.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrade Java (64-bit):

  • Download the latest version of Java SE Runtime Environment (JRE), JRE 7 Update 3.
  • Under the Java Platform, Standard Edition heading, click the "Download JRE" button to the right.
  • Check the box that says "Accept License Agreement".
  • Click on the link to download Windows Offline Installation 64-bit (jre-7u3-windows-x64.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running, especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista or Win 7 users, right-click on jre-7u3-windows-x64.exe and select "Run as Administrator".)

-----------------------

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Adobe components and update:

  • Download the latest version of Adobe Reader and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
  • Remove all older versions of Adobe Reader: go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a toolbar, just uncheck the box before continuing unless you want it.

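The two procedures above both boil down to "find every old copy in Add/Remove Programs, remove each one, reboot, install the current version", and the step people miss is that on 64-bit Windows the 32-bit entries live in a separate registry hive. The following is an added example, not part of the post, that enumerates both hives for the Java and Adobe Reader/Acrobat entries the post says to remove and optionally uninstalls the MSI-packaged ones silently. The name patterns are this example's assumptions about how those products register themselves; adjust them if an entry on your machine is named differently. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original post): list every Java runtime and
# Adobe Reader/Acrobat entry in Add/Remove Programs, reading both the 64-bit
# and the 32-bit (WOW6432Node) Uninstall hives, and optionally remove the
# MSI-based ones. Run elevated. Patterns are assumptions; adjust as needed.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Product families the post says to uninstall before reinstalling the newest version.
# Matches e.g. "Java 7 Update 3", "Java(TM) 6 Update 30", "J2SE Runtime Environment 5.0",
# "Adobe Reader X", "Adobe Acrobat Reader DC".
$ProductPatterns = @{
    Java  = '^(J2SE|Java)\b.*\b(Runtime|Update|JRE|SE|JDK)\b'
    Adobe = '^Adobe (Reader|Acrobat)'
}

function Get-OutdatedProductEntries {
    param([hashtable]$Patterns = $ProductPatterns)
    foreach ($key in $UninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                $item = $_
                foreach ($family in $Patterns.Keys) {
                    if ($item.DisplayName -match $Patterns[$family]) {
                        # MSI products register as "MsiExec.exe /I{GUID}" or "/X{GUID}";
                        # extract the product code so the uninstall can run silently.
                        $code = if ($item.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
                        [pscustomobject]@{
                            Family      = $family
                            DisplayName = $item.DisplayName
                            Version     = $item.DisplayVersion
                            Hive        = if ($key -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
                            ProductCode = $code
                            Uninstall   = $item.UninstallString
                        }
                    }
                }
            }
    }
}

function Remove-OutdatedProductEntries {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        if (-not $Entry.ProductCode) {
            Write-Warning "$($Entry.DisplayName): not an MSI package; remove it from Add/Remove Programs by hand."
            return
        }
        if ($PSCmdlet.ShouldProcess($Entry.DisplayName, 'msiexec /x')) {
            $p = Start-Process -FilePath msiexec.exe -ArgumentList "/x $($Entry.ProductCode) /qn /norestart" -Wait -PassThru
            # 0 = success, 3010 = success but a reboot is required (the post says to reboot anyway).
            if ($p.ExitCode -notin 0, 3010) { Write-Warning "$($Entry.DisplayName): msiexec exit code $($p.ExitCode)" }
        }
    }
}

$entries = Get-OutdatedProductEntries
$entries | Format-Table Family, DisplayName, Version, Hive, ProductCode -AutoSize
# Dry run first; drop -WhatIf to actually uninstall, then reboot and install the current version.
$entries | Remove-OutdatedProductEntries -WhatIf
```

The listing is the part worth running even if you prefer to click through Add/Remove Programs: a 64-bit machine routinely carries a 32-bit JRE for the browser alongside the 64-bit one, and an old 32-bit copy left behind is exactly the exploitable component the post is trying to get rid of.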

Sounds good.

At this point, I'd say you're clean. :)

Unless there are any other issues, I will now provide you with some steps to better protect your computer.

First, however, we need to remove ComboFix.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

-------------

  • Reopen OTL on your desktop.
  • Click on the CleanUp button.
  • You will be prompted to reboot your system. Please do so.

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!.

AntiVir

AVG

Microsoft Security Essentials

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please consider maintaining a firewall with HIPS (Host Intrusion Prevention System). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior, and it is very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available

A tutorial on understanding and using firewalls may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewa...nti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)

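The advice above comes down to a rule a machine can check: exactly one resident antivirus, one firewall and one scanning anti-spyware product enabled at a time, all of them current. The following is an added example, not part of the post, that asks Windows Security Center (the `root\SecurityCenter2` WMI namespace, present on Vista and later client editions but not on servers) which products are registered and warns when more than one of a type is active or when none is. Decoding of the `productState` field is an assumption: Microsoft does not document it, and the bit positions used here are the ones consistently observed in the field (0x061100 enabled and up to date, 0x060100 disabled, 0x061110 enabled with definitions out of date). Whether the built-in Windows Firewall and Windows Defender appear in this list varies by Windows version, so confirm a "no firewall" warning with `netsh advfirewall show allprofiles` before acting on it.

```powershell
# Added example (not from the original post): enumerate the antivirus,
# anti-spyware and firewall products registered with Windows Security Center,
# decode whether each is enabled and current, and warn about the conflict the
# post describes (two resident products of one type) or a missing one.
# productState decoding is an undocumented heuristic; see the lead-in.

function Get-SecurityCenterProducts {
    $classes = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'
    foreach ($class in $classes) {
        $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            $state = [int]$p.productState
            [pscustomobject]@{
                Type      = $class -replace 'Product$', ''
                Name      = $p.displayName
                StateHex  = ('0x{0:X6}' -f $state)
                Enabled   = (($state -band 0x1000) -ne 0)   # assumed: bit 12 set = real-time protection on
                OutOfDate = (($state -band 0x0010) -ne 0)   # assumed: bit 4 set = definitions not current
                Path      = $p.pathToSignedProductExe
            }
        }
    }
}

function Test-OneResidentPerType {
    param([object[]]$Products = @())
    $ok = $true
    # More than one enabled product of the same type is the conflict the post warns about.
    foreach ($group in ($Products | Where-Object Enabled | Group-Object Type)) {
        if ($group.Count -gt 1) {
            $ok = $false
            $names = $group.Group.Name -join ', '
            Write-Warning "$($group.Name): $($group.Count) products enabled at once ($names); keep only one."
        }
    }
    # No enabled antivirus or firewall at all is the other failure the post calls out.
    foreach ($type in 'AntiVirus', 'Firewall') {
        if (-not ($Products | Where-Object { $_.Type -eq $type -and $_.Enabled })) {
            $ok = $false
            Write-Warning "No enabled $type product is registered with Security Center."
        }
    }
    foreach ($stale in ($Products | Where-Object { $_.Enabled -and $_.OutOfDate })) {
        $ok = $false
        Write-Warning "$($stale.Name) is enabled but reports its definitions as out of date."
    }
    $ok
}

$products = Get-SecurityCenterProducts
$products | Format-Table Type, Name, StateHex, Enabled, OutOfDate -AutoSize
Test-OneResidentPerType -Products $products
```

The `Path` column is also worth a glance: a registered "antivirus" whose signed executable lives somewhere other than Program Files is the kind of rogue the post describes, and Security Center registration is one of the tricks such programs use to look legitimate.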

Hey DFB, everything feels back to normal now so that's great! I changed browsers to Mozilla Firefox. Also, I've uninstalled ComboFix, but I was wondering if I should uninstall the other software like SecurityCheck, RogueKiller and MBAR? Or would you recommend keeping any of them? Thank you so much!


<kibbitz>

I would recommend you delete Roguekiller.exe & mbar.exe

Roguekiller, for one, does tend to be updated often.

And one can always download the tools if needed, as needed.

Since this has been resolved, I will close this. Glad that we were able to help.

Cheers.


This topic is now closed to further replies.