Author Topic: [Resolved] Rootkit: System & Browser Crash and Phishing Calls to Contact List  (Read 10587 times)

Offline Brewer

  • Bronze Member
  • Posts: 30
Contents of TCPView scan:

[System Process]:0   TCP   pc:52434   207.46.16.252:http   TIME_WAIT   
[System Process]:0   TCP   pc:52435   207.46.16.252:http   TIME_WAIT   
[System Process]:0   TCP   pc:52436   207.46.16.252:http   TIME_WAIT   
[System Process]:0   TCP   pc:52437   207.46.16.252:http   TIME_WAIT   
[System Process]:0   TCP   pc:52438   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52439   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52440   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52441   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52442   a72-247-218-57.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52443   a72-247-218-57.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52444   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52445   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52446   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52447   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52448   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52449   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52450   64.4.30.89:http   TIME_WAIT   
[System Process]:0   TCP   pc:52451   a72-247-218-41.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52453   a72-247-218-57.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52454   a72-247-218-57.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52455   a72-247-218-57.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52456   a72-247-218-57.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52457   a72-247-218-8.deploy.akamaitechnologies.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52463   ocsp.nyc3.verisign.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52464   199.16.83.72:http   TIME_WAIT   
[System Process]:0   TCP   pc:52465   199.16.83.72:http   TIME_WAIT   
[System Process]:0   TCP   pc:52467   199.16.83.72:http   TIME_WAIT   
[System Process]:0   TCP   pc:52468   ocsp.tko2.verisign.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52470   crl.verisign.net:http   TIME_WAIT   
[System Process]:0   TCP   pc:52471   ocsp.nyc3.verisign.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52472   ocsp.nyc3.verisign.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52474   ocsp.nyc3.verisign.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52475   ocsp.nyc3.verisign.com:http   TIME_WAIT   
[System Process]:0   TCP   pc:52476   ocsp.nyc3.verisign.com:http   TIME_WAIT   
AbacastDistributedOnDemand.exe:3576   TCP   pc:5000   pc:0   LISTENING   
AbacastDistributedOnDemand.exe:3576   TCP   pc:8320   pc:0   LISTENING   
AbacastDistributedOnDemand.exe:3576   UDP   pc:61928   *:*      
firefox.exe:4656   TCP   pc:52048   localhost:52049   ESTABLISHED   
firefox.exe:4656   TCP   pc:52049   localhost:52048   ESTABLISHED   
firefox.exe:4656   TCP   pc:52050   localhost:52051   ESTABLISHED   
firefox.exe:4656   TCP   pc:52051   localhost:52050   ESTABLISHED   
lsass.exe:664   TCP   pc:49155   pc:0   LISTENING   
lsass.exe:664   TCPV6   pc:49155   pc:0   LISTENING   
services.exe:612   TCP   pc:49157   pc:0   LISTENING   
services.exe:612   TCPV6   pc:49157   pc:0   LISTENING   
spoolsv.exe:1352   TCP   pc:49156   pc:0   LISTENING   
spoolsv.exe:1352   TCPV6   pc:49156   pc:0   LISTENING   
svchost.exe:1060   UDP   pc:ws-discovery   *:*      
svchost.exe:1060   UDP   pc:ws-discovery   *:*      
svchost.exe:1060   UDP   pc:56922   *:*      
svchost.exe:1060   UDP   pc:64155   *:*      
svchost.exe:1060   UDPV6   pc:3702   *:*      
svchost.exe:1060   UDPV6   pc:3702   *:*      
svchost.exe:1060   UDPV6   pc:56923   *:*      
svchost.exe:1060   UDPV6   pc:64156   *:*      
svchost.exe:1228   UDP   pc:llmnr   *:*      
svchost.exe:1228   UDPV6   pc:5355   *:*      
svchost.exe:1228   TCP   pc:52466   nuq04s01-in-f99.1e100.net:http   ESTABLISHED   
svchost.exe:1228   TCP   pc:52469   geotrust-crl-ilg.verisign.net:http   ESTABLISHED   
svchost.exe:3096   UDP   pc:ssdp   *:*      
svchost.exe:3096   UDP   pc:ssdp   *:*      
svchost.exe:3096   UDP   pc:ws-discovery   *:*      
svchost.exe:3096   UDP   pc:ws-discovery   *:*      
svchost.exe:3096   UDP   pc:49512   *:*      
svchost.exe:3096   UDP   pc:63205   *:*      
svchost.exe:3096   UDP   pc:63206   *:*      
svchost.exe:3096   UDPV6   [0:0:0:0:0:0:0:1]:1900   *:*      
svchost.exe:3096   UDPV6   [fe80:0:0:0:b117:a9d1:aa87:107c]:1900   *:*      
svchost.exe:3096   UDPV6   pc:3702   *:*      
svchost.exe:3096   UDPV6   pc:3702   *:*      
svchost.exe:3096   UDPV6   pc:49513   *:*      
svchost.exe:3096   UDPV6   [fe80:0:0:0:b117:a9d1:aa87:107c]:63203   *:*      
svchost.exe:3096   UDPV6   [0:0:0:0:0:0:0:1]:63204   *:*      
svchost.exe:3496   TCPV6   pc:3587   pc:0   LISTENING   
svchost.exe:3496   UDPV6   pc:3540   *:*      
svchost.exe:528   TCP   pc:49154   pc:0   LISTENING   
svchost.exe:528   UDP   pc:teredo   *:*      
svchost.exe:528   UDP   pc:52677   *:*      
svchost.exe:528   TCPV6   pc:49154   pc:0   LISTENING   
svchost.exe:896   TCP   pc:epmap   pc:0   LISTENING   
svchost.exe:896   TCPV6   pc:135   pc:0   LISTENING   
svchost.exe:972   TCP   pc:49153   pc:0   LISTENING   
svchost.exe:972   TCPV6   pc:49153   pc:0   LISTENING   
System:4   TCP   pc:netbios-ssn   pc:0   LISTENING   
System:4   TCP   pc:microsoft-ds   pc:0   LISTENING   
System:4   TCP   pc:icslap   pc:0   LISTENING   
System:4   TCP   pc:wsd   pc:0   LISTENING   
System:4   TCP   pc:10243   pc:0   LISTENING   
System:4   UDP   pc:netbios-ns   *:*      
System:4   UDP   pc:netbios-dgm   *:*      
System:4   TCPV6   pc:445   pc:0   LISTENING   
System:4   TCPV6   pc:2869   pc:0   LISTENING   
System:4   TCPV6   pc:5357   pc:0   LISTENING   
System:4   TCPV6   pc:10243   pc:0   LISTENING   
TMachInfo.exe:3736   UDP   pc:1233   *:*      
wininit.exe:560   TCP   pc:49152   pc:0   LISTENING   
wininit.exe:560   TCPV6   pc:49152   pc:0   LISTENING   
wmpnetwk.exe:4232   TCP   pc:rtsp   pc:0   LISTENING   
wmpnetwk.exe:4232   UDP   pc:5004   *:*      
wmpnetwk.exe:4232   UDP   pc:5005   *:*      
wmpnetwk.exe:4232   TCPV6   pc:554   pc:0   LISTENING   
wmpnetwk.exe:4232   UDPV6   pc:5004   *:*      
wmpnetwk.exe:4232   UDPV6   pc:5005   *:*      

//end

Offline Brewer

  • Bronze Member
  • Posts: 30
One other question for when you get back.  When I ran CCleaner, I initially checked "wipe free space", then I saw that it was projecting 12 hours to do that, so I stopped it, unchecked and ran again.  Thought you should know in case that does need to be done.

Thanks SO much for your help so far!  :)

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7988
Hi,

There is nothing significant in that scan.  Let me explain the entries:

1.  Everything with *.* or pc:0 or localhost is a loopback to your own system - it does not create anything that exits your system onto the Internet.

2.  207.46.16.252 is Microsoft, and 64.4.30.89 is your MS Hotmail.

3.  Akamai Technologies is a large Internet service company.  http://www.akamai.com/ for more info.

4.  Verisign is a well known web authentication company providing security certificates, now owned by Symantec.  http://www.verisign.com/  199.16.83.72 is also Verisign.

5.   nuq04s01-in-f99.1e100.net is Open DNS, which I assume you are using for DNS services.

6.  Abacast is a subscription/pay per view media distribution company, a service I also assume you use.

That's everything.  If there is anything in that log you want more details on, just ask.  I see nothing out of the ordinary or overtly suspicious.  I'd love to know what your friend was seeing, and also get more details on the phishing calls.  The logs are all negative so far, including the DDS one from some days ago.  We can try some additional diagnostics but I'm not confident they will show anything more than we have already seen.

The free space wipe by CCleaner isn't really necessary at this point.
Don't Read?  Can't learn!
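As an added example (not code from this thread, from TCPView, or from either poster), the script below applies the reading PCBruiser gives above to a TCPView text export: entries whose remote end is `*:*`, `host:0` or the machine itself never leave the box, so only the remaining external endpoints need a second look, grouped by the process that owns them. It assumes TCPView's whitespace-separated columns and a local hostname of `pc`, as in the pasted log; the sample lines are constructed from that paste rather than copied in full. It also counts the `[System Process]:0` entries separately: TCPView attributes a socket to PID 0 once its owning process has exited, so a snapshot like this one cannot say which program opened those already-closing (`TIME_WAIT`) connections.

```python
"""Triage a TCPView text export: loopback and listening entries stay on the box,
external endpoints are the ones worth a second look.  Added example, not part of
the original thread."""
import re
from collections import defaultdict

# Constructed sample in TCPView's paste format, modelled on the log above
# (a handful of representative lines, not the full export).
SAMPLE_TCPVIEW = """\
[System Process]:0   TCP   pc:52434   207.46.16.252:http   TIME_WAIT
[System Process]:0   TCP   pc:52438   a72-247-218-49.deploy.akamaitechnologies.com:http   TIME_WAIT
AbacastDistributedOnDemand.exe:3576   TCP   pc:5000   pc:0   LISTENING
AbacastDistributedOnDemand.exe:3576   UDP   pc:61928   *:*
firefox.exe:4656   TCP   pc:52048   localhost:52049   ESTABLISHED
svchost.exe:1228   TCP   pc:52466   nuq04s01-in-f99.1e100.net:http   ESTABLISHED
System:4   TCP   pc:microsoft-ds   pc:0   LISTENING
"""

# Columns are separated by runs of whitespace; a process name may contain a single space.
FIELD_SPLIT = re.compile(r"\s{2,}|\t")
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[0:0:0:0:0:0:0:1]", "[::1]"}


def split_endpoint(endpoint):
    """'host:port' -> (host, port); bracketed IPv6 literals keep their brackets."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_line(line):
    """Parse one TCPView row into a dict, or return None for a malformed row."""
    parts = [p for p in FIELD_SPLIT.split(line.strip()) if p]
    if len(parts) < 4:
        return None
    process, proto, local, remote = parts[:4]
    state = parts[4] if len(parts) > 4 else ""  # UDP rows carry no state column
    name, _, pid = process.rpartition(":")
    return {
        "process": name,
        "pid": int(pid) if pid.isdigit() else None,
        "proto": proto,
        "local": local,
        "remote": remote,
        "state": state,
    }


def classify(conn, local_hostname="pc"):
    host, port = split_endpoint(conn["remote"])
    if conn["state"] == "LISTENING" or conn["remote"] == "*:*" or port == "0":
        return "listening"   # waiting for connections, no peer yet
    if host in LOOPBACK_HOSTS or host == local_hostname:
        return "loopback"    # both ends on this machine
    return "external"        # a real peer on the network


def triage(text, local_hostname="pc"):
    """Return per-category counts and the external hosts each process talked to."""
    counts = {"listening": 0, "loopback": 0, "external": 0}
    external_by_process = defaultdict(set)
    orphaned = 0  # external sockets whose owner already exited (TCPView shows PID 0)
    for line in text.splitlines():
        conn = parse_line(line)
        if conn is None:
            continue
        category = classify(conn, local_hostname)
        counts[category] += 1
        if category == "external":
            host, _ = split_endpoint(conn["remote"])
            external_by_process[conn["process"]].add(host)
            if conn["pid"] == 0:
                orphaned += 1
    return {
        "counts": counts,
        "external_by_process": {k: sorted(v) for k, v in external_by_process.items()},
        "orphaned_external": orphaned,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_TCPVIEW)
    print(result["counts"])
    for proc, hosts in result["external_by_process"].items():
        print(f"{proc}: {', '.join(hosts)}")
    print(f"{result['orphaned_external']} external entries belong to processes that already exited")
```

Pass the machine's real hostname as `local_hostname` when the export was taken on a box not called `pc`; TCPView prints the local name in the Remote column for listening sockets, so a wrong hostname would push those rows into the external bucket. Hosts that end up in `external_by_process` still need the kind of ownership lookup PCBruiser does by hand above (who runs the address, and does the owning process have a reason to talk to it).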

Offline Brewer

  • Bronze Member
  • Posts: 30
Hi PCB,

I'm glad the Tcpview scan looks ok.  Here's a follow-up on your last:

In your last msg you wrote: ..."64.4.30.89 is your MS Hotmail".  Interesting, as I have never had Hotmail or used Hotmail. 

Abacast is something I use to get a webcast.

As for what my friend was seeing, I'm just repeating what I thought I heard him say, so it's possible (likely) that I have something wrong or out of context, but I thought I heard him say he wanted to check out those port assignments in the 50000+ range.  If it looks ok now, that's good I presume. 

In place of TDSSKiller  he told me to do the process documented here:  http://www.techspot.com/vb/topic143469.html

That's the process we were doing when the crashes of the anti-malware tools and his having to leave led me to contact you (I would contact him but I don't really want to bug him right now as he is dealing with a death in the family).

There are some other worrisome behaviors still happening even though two viruses have been removed (the one removed by Malwarebytes noted in the original post, and the Java .jar file virus we just removed with CCleaner).

1)  The Avira anti-virus full scan locks and stops on the same directory as before and now at this file (they always seem to stop on this file or the ehiVidCtl.ni.dll one in the first post):

windows\assembly\NativeImages_v2.0.50727_32\ehRecObj\14f9b818674ecdf09023d532db713144\ehRecObj.ni.dll

2)  Ran MalwareBytes full scan and it stops on the same file and crashes Windows when I tried to close it.

3)  GMER still gives the error "C:\windows\system32\Config\system: The system cannot find the file specified", but ran and said "No system modifications found".

Two misc. items:  1) I did not update the Microsoft patch Tuesday updates yet.  2) Is it normal that I cannot see the "NativeImages_v2.0.50727_32" dir in explorer (logged as administrator, show hidden & system files selected)?

So this machine has still not had a successful full-system scan since Feb.  Is this malware killing these processes?   

Phishing calls:  The first one went to my brother at his work within one hour of my first system crash (when I tried to upgrade Avira to its ver. 10).  The caller left a name that was my first name and last initial.  It's the name on a Yahoo mail account that was logged on at the time of the crash.  On further inquiry with others on my contacts list, I can't tell for sure whether their junk calls and spam are connected to this or not.

Thanks again.

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7988
Hi,

Let's do three things.  First, upload that file to both of the following, and post the results for me:

http://virusscan.jotti.org/
http://www.virustotal.com/en/indexx.html

That should tell us if the file is OK, corrupted or forged.

Next, I want to check your hard drive.  With both those scans failing at the same place it is just possible your hard drive might have a bad spot.  Go to Start, then Run, and type:

cmd

and tap <Enter>.  A black command window will open.  Type the following at the prompt:

chkdsk /f

Note the space between the "k" and "/".  Then tap <Enter>.  There will be a warning that chkdsk cannot be run immediately, but that it can be scheduled for the next boot.  Enter Y and then reboot.  This will take some time as chkdsk will comprehensively test your hard drive using 5 tests.  It can take over an hour with a large hard drive.  Unfortunately, it does not create a log, so you will need to watch and manually record any errors.  If chkdsk finds any errors, it will attempt to fix them - and it works very well.  Report back any errors, and whether chkdsk was able to repair any errors it found.

Finally, go to Start, then Run and copy/paste the following into the Run box:

dir /a /s c:\end > %USERPROFILE%\desktop\enddir.txt

and tap <Enter>.  A new file called enddir.txt will be on your desktop.  Double click on it and it will open in Notepad.  Then copy/paste the contents of the file to a post for me to see.
« Last Edit: June 14, 2010, 07:42:24 am by PCBruiser »
Don't Read?  Can't learn!

Offline Brewer

  • Bronze Member
  • Posts: 30
PCB,

After much difficulty in even accessing the files in the NativeImages directory, I found a work around and drilled down to them with the cmd line.  I pasted both the ehRecObj.ni.dll and ehiVidCtl.ni.dll files and none of the scanners reported finding anything.

Just a note for your information:  Even with "show hidden & systems files" options selected I simply could not even see these directories at all from explorer (running as admin).  Others seem to have the same problem.  Apparently Win7 has a "super hidden" category.   I don't know the solution but the workaround is to use command line and manually, using DOS commands (that I remembered from 20 years ago!), copy them to a scratch directory and then post them.  Very tedious.  Thought you might want to be aware of this in case you come across it again.

As for chkdsk, it reported no errors.  I had to run it from the Win 7 UI (explorer, select drive, properties, right click, tools, error checking, etc).  It wouldn't run using your run command instructions.  I tried command line instead and that wouldn't go either ("access denied you do not have sufficient privileges.  You have to invoke this utility in elevated mode" ).  Hope it's still good.

I'm not sure what you want with the dir command.  I ran the command as you showed it and it says can't find the dir C:\End.  This directory was where the first virus was found and I deleted it when the virus was removed.  I created a new one, ran the command again and it just shows an empty directory in endlist.txt.   Surely you don't want a printout of the entire directory?  It's over 1 million characters. 

Standing by for clarification.

Thanks.

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7988
Hi,

No, I wanted to make sure that folder was really gone, and now I know it is.  And, we now know that file is not forged, and that it is legitimate.  Nor is there a problem with your hard drive.  So, progress of a sort.

OK, I think we need to update MBAM, and run a Quick Scan with it again.  Then I want to see if we can get RootRepeal to run.  So far, we haven't found much, nor any indication why there are issues scanning your system.  Here are instructions for RootRepeal:

Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista and Windows 7 users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report"  Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.
Please post the MBAM and RootRepeal logs for me.
Don't Read?  Can't learn!

Offline Brewer

  • Bronze Member
  • Posts: 30
Updated and ran mbam quick scan.  Log posted below.  Ran mbam full system scan last night and it freezes again in the NativeImages folder.  Could the virus be hidden there, defending itself from there?

Tried running RootRepeal.exe as administrator, but it said "Not supported on 64bit systems."

p.s.  (I'm online all afternoon)


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4201

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/15/2010 1:43:20 PM
mbam-log-2010-06-15 (13-43-20).txt

Scan type: Quick scan
Objects scanned: 128191
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7988
Hi,

The problem right now is that many of our tools do not function in 64 bit systems.  Let's try an older tool that I think does run.  Please download RootkitRevealer from here: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, if it pops up the system32 folder by default, save it to that location. Otherwise save the RKR log to your Desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
To answer your question, that is a possibility, and that's why I am trying to probe your system for a hidden rootkit.  Hidden malware is usually hidden by a protective rootkit which also tries to prevent finding the malware as well.  But, so far, none of our tools have given any indication that there is a rootkit hiding out.  So, I also want to try an additional diagnostic.  It is just possible that one may work, where others have failed.  Go HERE and download FileLister.
  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Note: Leave the FileLister.vbe file in the folder and run it from there.
  • Rt Click FileLister.vbe ->> Select Open, then Open to confirm.
  • When the program is finished it will produce a log for you, Files.txt
  • Which will be located in the default location from which FileLister was run (the FileLister folder)
Copy and paste the contents of that log in your reply.

Please post the following:

a. the RootkitRevealer log
b. the Filelister log

Hopefully between the two, we may get a hint of what is happening.  If we can find it, we can almost always kill it.

Don't Read?  Can't learn!

Offline Brewer

  • Bronze Member
  • Posts: 30
Rootkitrevealer.exe doesn't run.  Looks like it's 32-bit as well.  Should I go ahead and run FileLister anyway?

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7988
Please.  rootkitrevealer should run in 64 bit systems.  That's some evidence that there may indeed be a protective rootkit hiding out on your system.
Don't Read?  Can't learn!

Offline Brewer

  • Bronze Member
  • Posts: 30
Here is the FileList Files.txt log.  There is a hidden.txt log as well if you need that.


+++++++++++++++++++++++++++
+ File Lister  Version 1.1.4                       +
+                                                                  +
+ By bamajim / SpywareHammer.com +
+++++++++++++++++++++++++++

Report ran on --->>>  6/16/2010 2:46:09 PM

====== Running Processes ======

C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskhost.exe
C:\Windows\System32\igfxtray.exe
C:\windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\MC\AppData\Local\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\windows\System32\WScript.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

====== BHO's ======
BHO: (NO NAME) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

BHO: (NO NAME) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg64.dll

====== System Keys  (some whitelisted items will not be shown)======

Winlogon\Userinit = C:\Windows\system32\userinit.exe,
Winlogon\Shell = explorer.exe

====== HKLM\~\Run Keys ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[IgfxTray] = C:\windows\system32\igfxtray.exe
[HotKeysCmds] = C:\windows\system32\hkcmd.exe
[Persistence] = C:\windows\system32\igfxpers.exe
[RtHDVCpl] = C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
[SynTPEnh] = %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
[ThpSrv] = C:\windows\system32\thpsrv /logon
[TPwrMain] = %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
[HSON] = %ProgramFiles%\TOSHIBA\TBS\HSON.exe
[SmoothView] = %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
[00TCrdMain] = %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
[Teco] = "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
[TosWaitSrv] = %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
[SmartFaceVWatcher] = %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
[TosSENotify] = C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
[itype] = "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
[IntelliPoint] = "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

====== HKCU\~\Run Keys ======

[MyTOSHIBA] = "C:\Program Files (x86)\TOSHIBA\My Toshiba\MyToshiba.exe" /AUTO
[swg] = "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
[AbacastDistributedOnDemand:11] = C:\Users\MC\AppData\Local\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe -r:11 -x:1
[HijackThis startup scan] = C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe /startupscan

====== DNS Info (List may be empty) ======


ICSDomain = mshome.net
SyncDomainWithMembership = 1
NV Hostname = pc
DataBasePath = %SystemRoot%\System32\drivers\etc
ForwardBroadcasts = 0
IPEnableRouter = 0
Hostname = pc
UseDomainNameDevolution = 1
EnableICMPRedirect = 1
DeadGWDetectDefault = 1
DontAddDefaultGatewayDefault = 0
EnableWsd = 1
QualifyingDestinationThreshold = 3

====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

6/4/2010 5:01:15 PM    6/13/2010 7:27:57 AM    896    32    C:\Windows\setupact.log
6/13/2010 7:27:57 AM    0    32    C:\Windows\setuperr.log
5/13/2010 9:49:41 AM    976896    32    C:\Windows\System32\inetcomm.dll
4/30/2010 11:29:33 AM    1446912    32    C:\Windows\System32\lsasrv.dll
4/30/2010 11:29:34 AM    14163456    32    C:\Windows\System32\shell32.dll
5/28/2010 9:13:39 AM    2048    32    C:\Windows\System32\tzres.dll

====== "\Administrator & All Users\Startup" Last 60 Days======




====== "\Program Files" Last 60 Days======


======"Drivers" Modified Last 60 Days======

4/16/2010 9:24:34 PM    27536    32    C:\Windows\System32\drivers\dc3d.sys
6/4/2010 3:57:37 PM    24664    32    C:\Windows\System32\drivers\mbam.sys
4/26/2010 5:23:08 PM    1103904    32    C:\Windows\System32\drivers\rtl8192se.sys

====== Files Deleted under "%Temp%" ======

3 Files deleted

======"All Users\Application Data" Last 60 Days======



====== HKLM\~\ShellServiceObjectDelayLoad======

WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -


====== HKLM\~\SharedTaskScheduler======

======HKLM\~\msconfig\startupreg======

HKLM\Software\microsoft\shared tools\msconfig\startupreg\

====== Services ( Services that are Whitelisted are not shown) ======

1394ohci (1394 OHCI Compliant Host Controller)- C:\windows\system32\DRIVERS\1394ohci.sys - Manual/Stopped
AcpiPmi (ACPI Power Meter Driver)- C:\windows\system32\DRIVERS\acpipmi.sys - Manual/Stopped
adp94xx (adp94xx)- C:\windows\system32\DRIVERS\adp94xx.sys - Manual/Stopped
adpahci (adpahci)- C:\windows\system32\DRIVERS\adpahci.sys - Manual/Stopped
amdide (amdide)- C:\windows\system32\DRIVERS\amdide.sys - Manual/Stopped
amdsata (amdsata)- C:\windows\system32\DRIVERS\amdsata.sys - Manual/Stopped
amdsbs (amdsbs)- C:\windows\system32\DRIVERS\amdsbs.sys - Manual/Stopped
amdxata (amdxata)- C:\windows\system32\DRIVERS\amdxata.sys - Boot/Running
AppID (AppID Driver)- C:\windows\system32\drivers\appid.sys - Manual/Stopped
arcsas (arcsas)- C:\windows\system32\DRIVERS\arcsas.sys - Manual/Stopped
athr (Atheros Extensible Wireless LAN device driver)- C:\windows\system32\DRIVERS\athrx.sys - Manual/Stopped
avipbb (avipbb)- C:\windows\system32\DRIVERS\avipbb.sys - System/Running
b06bdrv (Broadcom NetXtreme II VBD)- C:\windows\system32\DRIVERS\bxvbda.sys - Manual/Stopped
b57nd60a (Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0)- C:\windows\system32\DRIVERS\b57nd60a.sys - Manual/Stopped
blbdrive (blbdrive)- C:\windows\system32\DRIVERS\blbdrive.sys - System/Running
bowser (Browser Support Driver)- C:\windows\system32\DRIVERS\bowser.sys - Manual/Running
BrFiltLo (Brother USB Mass-Storage Lower Filter Driver)- C:\windows\system32\DRIVERS\BrFiltLo.sys - Manual/Stopped
BrFiltUp (Brother USB Mass-Storage Upper Filter Driver)- C:\windows\system32\DRIVERS\BrFiltUp.sys - Manual/Stopped
Brserid (Brother MFC Serial Port Interface Driver (WDM))- C:\windows\system32\Drivers\Brserid.sys - Manual/Stopped
BrSerWdm (Brother WDM Serial driver)- C:\windows\system32\Drivers\BrSerWdm.sys - Manual/Stopped
BrUsbMdm (Brother MFC USB Fax Only Modem)- C:\windows\system32\Drivers\BrUsbMdm.sys - Manual/Stopped
BrUsbSer (Brother MFC USB Serial WDM Driver)- C:\windows\system32\Drivers\BrUsbSer.sys - Manual/Stopped
BthEnum (Bluetooth Request Block Driver)- C:\windows\system32\DRIVERS\BthEnum.sys - Manual/Stopped
BthPan (Bluetooth Device (Personal Area Network))- C:\windows\system32\DRIVERS\bthpan.sys - Manual/Stopped
BTHPORT (Bluetooth Port Driver)- C:\windows\system32\Drivers\BTHport.sys - Manual/Stopped
BTHUSB (Bluetooth Radio USB Driver)- C:\windows\system32\Drivers\BTHUSB.sys - Manual/Stopped
circlass (Consumer IR Devices)- C:\windows\system32\DRIVERS\circlass.sys - Manual/Stopped
CLFS (Common Log (CLFS))- C:\windows\system32\CLFS.sys - Boot/Running
CNG (CNG)- C:\windows\system32\Drivers\cng.sys - Boot/Running
CompositeBus (Composite Bus Enumerator Driver)- C:\windows\system32\DRIVERS\CompositeBus.sys - Manual/Running
dc3d (MS Hardware Device Detection Driver (USB))- C:\windows\system32\DRIVERS\dc3d.sys - Manual/Running
DfsC (DFS Namespace Client Driver)- C:\windows\system32\Drivers\dfsc.sys - System/Running
discache (System Attribute Cache)- C:\windows\system32\drivers\discache.sys - System/Running
DXGKrnl (LDDM Graphics Subsystem)- C:\windows\system32\drivers\dxgkrnl.sys - Manual/Running
ebdrv (Broadcom NetXtreme II 10 GigE VBD)- C:\windows\system32\DRIVERS\evbda.sys - Manual/Stopped
elxstor (elxstor)- C:\windows\system32\DRIVERS\elxstor.sys - Manual/Stopped
ErrDev (Microsoft Hardware Error Device Driver)- C:\windows\system32\DRIVERS\errdev.sys - Manual/Stopped
FileInfo (File Information FS MiniFilter)- C:\windows\system32\drivers\fileinfo.sys - Boot/Running
Filetrace (Filetrace)- C:\windows\system32\drivers\filetrace.sys - Manual/Stopped
FsDepends (File System Dependency Minifilter)- C:\windows\system32\drivers\FsDepends.sys - Manual/Stopped
fvevol (Bitlocker Drive Encryption Filter Driver)- C:\windows\system32\DRIVERS\fvevol.sys - Boot/Running
FwLnk (FwLnk Driver)- C:\windows\system32\DRIVERS\FwLnk.sys - Manual/Running
gagp30kx (Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms)- C:\windows\system32\DRIVERS\gagp30kx.sys - Manual/Stopped
hcw85cir (Hauppauge Consumer Infrared Receiver)- C:\windows\system32\drivers\hcw85cir.sys - Manual/Stopped
HidBth (Microsoft Bluetooth HID Miniport)- C:\windows\system32\DRIVERS\hidbth.sys - Manual/Stopped
HidIr (Microsoft Infrared HID Driver)- C:\windows\system32\DRIVERS\hidir.sys - Manual/Stopped
HpSAMD (HpSAMD)- C:\windows\system32\DRIVERS\HpSAMD.sys - Manual/Stopped
hwpolicy (Hardware Policy Driver)- C:\windows\system32\drivers\hwpolicy.sys - Boot/Running
iaStor (Intel AHCI Controller)- C:\windows\system32\DRIVERS\iaStor.sys - Boot/Running
iaStorV (iaStorV)- C:\windows\system32\DRIVERS\iaStorV.sys - Manual/Stopped
igfx (igfx)- C:\windows\system32\DRIVERS\igdkmd64.sys - Manual/Running
IntcHdmiAddService (Intel(R) High Definition Audio HDMI)- C:\windows\system32\drivers\IntcHdmi.sys - Manual/Running
IPMIDRV (IPMIDRV)- C:\windows\system32\DRIVERS\IPMIDrv.sys - Manual/Stopped
iScsiPrt (iScsiPort Driver)- C:\windows\system32\DRIVERS\msiscsi.sys - Manual/Stopped
KSecPkg (KSecPkg)- C:\windows\system32\Drivers\ksecpkg.sys - Boot/Running
lltdio (Link-Layer Topology Discovery Mapper I/O Driver)- C:\windows\system32\DRIVERS\lltdio.sys - Auto/Running
LSI_FC (LSI_FC)- C:\windows\system32\DRIVERS\lsi_fc.sys - Manual/Stopped
LSI_SAS (LSI_SAS)- C:\windows\system32\DRIVERS\lsi_sas.sys - Manual/Stopped
LSI_SAS2 (LSI_SAS2)- C:\windows\system32\DRIVERS\lsi_sas2.sys - Manual/Stopped
LSI_SCSI (LSI_SCSI)- C:\windows\system32\DRIVERS\lsi_scsi.sys - Manual/Stopped
luafv (UAC File Virtualization)- C:\windows\system32\drivers\luafv.sys - Auto/Running
megasas (megasas)- C:\windows\system32\DRIVERS\megasas.sys - Manual/Stopped
MegaSR (MegaSR)- C:\windows\system32\DRIVERS\MegaSR.sys - Manual/Stopped
mpio (mpio)- C:\windows\system32\DRIVERS\mpio.sys - Manual/Stopped
mpsdrv (Windows Firewall Authorization Driver)- C:\windows\system32\drivers\mpsdrv.sys - Manual/Running
MREMP50 (MREMP50 NDIS Protocol Driver)- \??\C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS - Manual/Stopped
MRESP50 (MRESP50 NDIS Protocol Driver)- \??\C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS - Manual/Stopped
mrxsmb10 (SMB 1.x MiniRedirector)- C:\windows\system32\DRIVERS\mrxsmb10.sys - Manual/Running
mrxsmb20 (SMB 2.0 MiniRedirector)- C:\windows\system32\DRIVERS\mrxsmb20.sys - Manual/Running
msahci (msahci)- C:\windows\system32\DRIVERS\msahci.sys - Boot/Running
msdsm (msdsm)- C:\windows\system32\DRIVERS\msdsm.sys - Manual/Stopped
mshidkmdf (Pass-through HID to KMDF Filter Driver)- C:\windows\system32\drivers\mshidkmdf.sys - Manual/Stopped
msisadrv (msisadrv)- C:\windows\system32\DRIVERS\msisadrv.sys - Boot/Running
MsRPC (MsRPC)- C:\windows\system32\drivers\MsRPC.sys - Manual/Stopped
MTConfig (Microsoft Input Configuration Driver)- C:\windows\system32\DRIVERS\MTConfig.sys - Manual/Stopped
NativeWifiP (NativeWiFi Filter)- C:\windows\system32\DRIVERS\nwifi.sys - Manual/Running
NdisCap (NDIS Capture LightWeight Filter)- C:\windows\system32\DRIVERS\ndiscap.sys - Manual/Stopped
nfrd960 (nfrd960)- C:\windows\system32\DRIVERS\nfrd960.sys - Manual/Stopped
nsiproxy (NSI proxy service driver.)- C:\windows\system32\drivers\nsiproxy.sys - System/Running
nvstor (nvstor)- C:\windows\system32\DRIVERS\nvstor.sys - Manual/Stopped
pcw (Performance Counters for Windows Driver)- C:\windows\system32\drivers\pcw.sys - Boot/Running
PEAUTH (PEAUTH)- C:\windows\system32\drivers\peauth.sys - Auto/Running
PGEffect (Pangu effect driver)- C:\windows\system32\DRIVERS\pgeffect.sys - Manual/Running
Point64 (Microsoft IntelliPoint Filter Driver)- C:\windows\system32\DRIVERS\point64k.sys - Manual/Running
ql2300 (ql2300)- C:\windows\system32\DRIVERS\ql2300.sys - Manual/Stopped
ql40xx (ql40xx)- C:\windows\system32\DRIVERS\ql40xx.sys - Manual/Stopped
QWAVEdrv (QWAVE driver)- C:\windows\system32\drivers\qwavedrv.sys - Manual/Stopped
RasAgileVpn (WAN Miniport (IKEv2))- C:\windows\system32\DRIVERS\AgileVpn.sys - Manual/Running
rdpbus (Remote Desktop Device Redirector Bus Driver)- C:\windows\system32\DRIVERS\rdpbus.sys - Manual/Stopped
RDPENCDD (RDP Encoder Mirror Driver)- C:\windows\system32\drivers\rdpencdd.sys - System/Running
RDPREFMP (Reflector Display Driver used to gain access to graphics data)- C:\windows\system32\drivers\rdprefmp.sys - System/Running
rdyboost (ReadyBoost)- C:\windows\system32\drivers\rdyboost.sys - Boot/Running
RFCOMM (Bluetooth Device (RFCOMM Protocol TDI))- C:\windows\system32\DRIVERS\rfcomm.sys - Manual/Stopped
rimspci (rimspci)- C:\windows\system32\DRIVERS\rimspe64.sys - Auto/Running
risdpcie (risdpcie)- C:\windows\system32\DRIVERS\risdpe64.sys - Auto/Running
rixdpcie (rixdpcie)- C:\windows\system32\DRIVERS\rixdpe64.sys - Auto/Running
rspndr (Link-Layer Topology Discovery Responder)- C:\windows\system32\DRIVERS\rspndr.sys - Auto/Running
RTL8167 (Realtek 8167 NT Driver)- C:\windows\system32\DRIVERS\Rt64win7.sys - Manual/Running
rtl8192se (Realtek Wireless LAN 802.11n PCI-E NIC NT Driver)- C:\windows\system32\DRIVERS\rtl8192se.sys - Manual/Stopped
sbp2port (sbp2port)- C:\windows\system32\DRIVERS\sbp2port.sys - Manual/Stopped
scfilter (Smart card PnP Class Filter Driver)- C:\windows\system32\DRIVERS\scfilter.sys - Manual/Stopped
sdbus (sdbus)- C:\windows\system32\DRIVERS\sdbus.sys - Manual/Stopped
sermouse (Serial Mouse Driver)- C:\windows\system32\DRIVERS\sermouse.sys - Manual/Stopped
sffdisk (SFF Storage Class Driver)- C:\windows\system32\DRIVERS\sffdisk.sys - Manual/Stopped
sffp_mmc (SFF Storage Protocol Driver for MMC)- C:\windows\system32\DRIVERS\sffp_mmc.sys - Manual/Stopped
sffp_sd (SFF Storage Protocol Driver for SDBus)- C:\windows\system32\DRIVERS\sffp_sd.sys - Manual/Stopped
SiSRaid2 (SiSRaid2)- C:\windows\system32\DRIVERS\SiSRaid2.sys - Manual/Stopped
SiSRaid4 (SiSRaid4)- C:\windows\system32\DRIVERS\sisraid4.sys - Manual/Stopped
spldr (Security Processor Loader Driver)- C:\windows\system32\drivers\spldr.sys - Boot/Running
srv2 (Server SMB 2.xxx Driver)- C:\windows\system32\DRIVERS\srv2.sys - Manual/Running
srvnet (srvnet)- C:\windows\system32\DRIVERS\srvnet.sys - Manual/Running
stexstor (stexstor)- C:\windows\system32\DRIVERS\stexstor.sys - Manual/Stopped
SynTP (Synaptics TouchPad Driver)- C:\windows\system32\DRIVERS\SynTP.sys - Manual/Running
TCPIP6 (Microsoft IPv6 Protocol Driver)- C:\windows\system32\DRIVERS\tcpip.sys - Manual/Stopped
tcpipreg (TCP/IP Registry Compatibility)- C:\windows\system32\drivers\tcpipreg.sys - Auto/Running
tdcmdpst (TOSHIBA Writing Engine Filter Driver)- C:\windows\system32\DRIVERS\tdcmdpst.sys - Manual/Running
tdx (NetIO Legacy TDI Support Driver)- C:\windows\system32\DRIVERS\tdx.sys - System/Running
Thpdrv (TOSHIBA HDD Protection Driver)- C:\windows\system32\DRIVERS\thpdrv.sys - Boot/Running
Thpevm (TOSHIBA HDD Protection - Shock Sensor Driver)- C:\windows\system32\DRIVERS\Thpevm.SYS - Boot/Running
tos_sps64 (TOSHIBA tos_sps64 Service)- C:\windows\system32\DRIVERS\tos_sps64.sys - Boot/Running
tssecsrv (Remote Desktop Services Security Filter Driver)- C:\windows\system32\DRIVERS\tssecsrv.sys - Manual/Stopped
tunnel (Microsoft Tunnel Miniport Adapter Driver)- C:\windows\system32\DRIVERS\tunnel.sys - Manual/Running
TVALZ (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver)- C:\windows\system32\DRIVERS\TVALZ_O.SYS - Boot/Running
TVALZFL (TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver)- C:\windows\system32\DRIVERS\TVALZFL.sys - Auto/Running
uagp35 (Microsoft AGPv3.5 Filter)- C:\windows\system32\DRIVERS\uagp35.sys - Manual/Stopped
uliagpkx (Uli AGP Bus Filter)- C:\windows\system32\DRIVERS\uliagpkx.sys - Manual/Stopped
umbus (UMBus Enumerator Driver)- C:\windows\system32\DRIVERS\umbus.sys - Manual/Running
UmPass (Microsoft UMPass Driver)- C:\windows\system32\DRIVERS\umpass.sys - Manual/Stopped
usbcir (eHome Infrared Receiver (USBCIR))- C:\windows\system32\DRIVERS\usbcir.sys - Manual/Stopped
usbvideo (USB Video Device (WDM))- C:\windows\system32\Drivers\usbvideo.sys - Manual/Running
vdrvroot (Microsoft Virtual Drive Enumerator Driver)- C:\windows\system32\DRIVERS\vdrvroot.sys - Boot/Running
vhdmp (vhdmp)- C:\windows\system32\DRIVERS\vhdmp.sys - Manual/Stopped
volmgr (Volume Manager Driver)- C:\windows\system32\DRIVERS\volmgr.sys - Boot/Running
volmgrx (Dynamic Volume Manager)- C:\windows\system32\drivers\volmgrx.sys - Boot/Running
vsmraid (vsmraid)- C:\windows\system32\DRIVERS\vsmraid.sys - Manual/Stopped
vwifibus (Virtual WiFi Bus Driver)- C:\windows\system32\DRIVERS\vwifibus.sys - Manual/Stopped
vwififlt (Virtual WiFi Filter Driver)- C:\windows\system32\DRIVERS\vwififlt.sys - System/Running
WacomPen (Wacom Serial Pen HID Driver)- C:\windows\system32\DRIVERS\wacompen.sys - Manual/Stopped
Wanarpv6 (Remote Access IPv6 ARP Driver)- C:\windows\system32\DRIVERS\wanarp.sys - System/Running
Wdf01000 (Kernel Mode Driver Frameworks service)- C:\windows\system32\drivers\Wdf01000.sys - Boot/Running
WfpLwf (WFP Lightweight Filter)- C:\windows\system32\DRIVERS\wfplwf.sys - System/Running
WIMMount (WIMMount)- C:\windows\system32\drivers\wimmount.sys - Manual/Stopped
WinUsb (WinUsb)- C:\windows\system32\DRIVERS\WinUsb.sys - Manual/Stopped
WmiAcpi (Microsoft Windows Management Interface for ACPI)- C:\windows\system32\DRIVERS\wmiacpi.sys - Manual/Stopped

====== Uninstall List ======

A file named 'UNI.txt' was created and saved to
FileListers default location. Post the results if requested.

======== Other Info ========

TOTAL PHYSICAL RAM: 4157 MB

Boot Info

OS Type:  Microsoft Windows 7 Home Premium
Build:  6.1.7600
Service Pack:  0.0

====== Files with Hidden Attributes======

A file named 'Hidden.txt' was created and saved to
FileListers default location. Post the results if requested.

==End of Report==

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7988
Hi,

Yes, please post both Hidden.txt and UNI.txt for me as well. 
Don't Read?  Can't learn!

Offline Brewer

  • Bronze Member
  • Posts: 30
UNI.txt here, Hidden.txt following:

UNI.txt:

Intel(R) Graphics Media Accelerator Driver
Intel(R) Graphics Media Accelerator Driver
Synaptics Pointing Device Driver
Microsoft Visual C++ 2005 Redistributable (x64)
Dolby Control Center
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
TOSHIBA Disc Creator
Microsoft Office Office 64-bit Components 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Intel® Matrix Storage Manager
TOSHIBA HDD Protection
TOSHIBA PC Health Monitor
TOSHIBA eco Utility
TOSHIBA Recovery Media Creator
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
PlayReady PC Runtime amd64
TOSHIBA HDD/SSD Alert
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
TOSHIBA Face Recognition

Hidden.txt:

C:\hiberfil.sys
C:\pagefile.sys
C:\$Recycle.Bin\S-1-5-21-999556370-2978387837-2420002582-1000\desktop.ini
C:\Boot\BOOTSTAT.DAT
C:\Program Files\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\Program Files\Microsoft Games\Solitaire\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files (x86)\desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\Program Files (x86)\Windows Mail\WinMail.exe
C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.2\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Toshiba\ConfigFree\desktop.ini
C:\Users\desktop.ini
C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\OpenOffice.org 3.2\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Toshiba\ConfigFree\desktop.ini
C:\Users\Default\NTUSER.DAT
C:\Users\Default\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\Default\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8WURZQ7I\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KNYIGL0M\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W7NEIUNA\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WB644ZFQ\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\MC\ntuser.dat
C:\Users\MC\ntuser.ini
C:\Users\MC\AppData\Local\Microsoft\Feeds Cache\index.dat
C:\Users\MC\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Feeds Cache\7RHDN964\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Feeds Cache\L2LNMW3M\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Feeds Cache\MTDH28TY\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Feeds Cache\ZDKSW41W\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Users\MC\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\MC\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010060720100614\index.dat
C:\Users\MC\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010061420100615\index.dat
C:\Users\MC\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010061520100616\index.dat
C:\Users\MC\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010061620100617\index.dat
C:\Users\MC\AppData\Local\Microsoft\Windows\History\Low\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
C:\Users\MC\AppData\Local\Microsoft\Windows\History\Low\History.IE5\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4EHV439N\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\64BQAZF3\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KH0QZMOZ\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y0X23FLZ\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\32CIFPQD\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3MG62B45\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4FWIRKRK\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XZJGLVB1\desktop.ini
C:\Users\MC\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\MC\AppData\Local\Microsoft Games\FreeCell\desktop.ini
C:\Users\MC\AppData\Local\Microsoft Games\Minesweeper\desktop.ini
C:\Users\MC\AppData\Local\Microsoft Games\Purble Place\desktop.ini
C:\Users\MC\AppData\Local\Temp\Cookies\index.dat
C:\Users\MC\AppData\Local\Temp\History\History.IE5\index.dat
C:\Users\MC\AppData\Local\Temp\History\History.IE5\desktop.ini
C:\Users\MC\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
C:\Users\MC\AppData\Local\Temp\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\MC\AppData\Local\Temp\Temporary Internet Files\Content.IE5\0V36VSUP\desktop.ini
C:\Users\MC\AppData\Local\Temp\Temporary Internet Files\Content.IE5\I44X9GGN\desktop.ini
C:\Users\MC\AppData\Local\Temp\Temporary Internet Files\Content.IE5\RWUDLP1W\desktop.ini
C:\Users\MC\AppData\Local\Temp\Temporary Internet Files\Content.IE5\SG0O5TME\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7e4dca80246863e3\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9d91276b0be3e46b\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Cookies\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
C:\Users\MC\AppData\Roaming\Microsoft\Windows\IECompatCache\index.dat
C:\Users\MC\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\index.dat
C:\Users\MC\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
C:\Users\MC\AppData\Roaming\Microsoft\Windows\IETldCache\Low\index.dat
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
C:\Users\MC\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\index.dat
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\MC\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini
C:\Users\MC\Contacts\desktop.ini
C:\Users\MC\Desktop\desktop.ini
C:\Users\MC\Documents\desktop.ini
C:\Users\MC\Documents\Fax\Drafts\desktop.ini
C:\Users\MC\Documents\Fax\Inbox\desktop.ini
C:\Users\MC\Documents\Maritime\Folkboat Racing\hpothb07.dat
C:\Users\MC\Documents\Maritime\Folkboat Racing\Folkboat Trim Tips\Trim Tips_files\Picasa.ini
C:\Users\MC\Documents\Meteorology\High Wind & Wave Events Along NorCalCoast Summer_files\Picasa.ini
C:\Users\MC\Documents\PaperPort Documents from old computer\maxdesk.ini
C:\Users\MC\Documents\PaperPort Documents from old computer\CD Covers\MaxDesk.ini
C:\Users\MC\Documents\PaperPort Documents from old computer\Cooking\MaxDesk.ini
C:\Users\MC\Documents\PaperPort Documents from old computer\Cooking\Daisy Cooks Recipes\MaxDesk.ini
C:\Users\MC\Documents\PaperPort Documents from old computer\Credit Reports\MaxDesk.ini
C:\Users\MC\Documents\PaperPort Documents from old computer\Health Reference\MaxDesk.ini
C:\Users\MC\Documents\PaperPort Documents from old computer\Navigator's Notebook\MaxDesk.ini
C:\Users\MC\Documents\PaperPort Documents from old computer\Receipts & Confirmations\maxdesk.ini
C:\Users\MC\Documents\PaperPort Documents from old computer\Sailing\MaxDesk.ini
C:\Users\MC\Documents\Scanned Documents\desktop.ini
C:\Users\MC\Downloads\desktop.ini
C:\Users\MC\Favorites\desktop.ini
C:\Users\MC\Favorites\Links\desktop.ini
C:\Users\MC\Links\desktop.ini
C:\Users\MC\Music\desktop.ini
C:\Users\MC\Music\Books on Tape\desktop.ini
C:\Users\MC\Music\Books on Tape\Esther and Jerry Hicks\desktop.ini
C:\Users\MC\Music\Books on Tape\Esther and Jerry Hicks\The Astonishing Power of Emotions Disc 8\desktop.ini
C:\Users\MC\Music\Books on Tape\Guided Imagery\desktop.ini
C:\Users\MC\Music\Coleman Hawkins- Body & Soul\desktop.ini
C:\Users\MC\Music\Django Reinhardt\desktop.ini
C:\Users\MC\Music\Django Reinhardt\The Complete Django Reinhardt & Quintet of the Hot Club of France Swing-HMV Sessions Disc 3\desktop.ini
C:\Users\MC\Pictures\desktop.ini
C:\Users\MC\Saved Games\desktop.ini
C:\Users\MC\Saved Games\Microsoft Games\desktop.ini
C:\Users\MC\Searches\desktop.ini
C:\Users\MC\Videos\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Music\Music\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Public\Recorded TV\TempRec\ehscanned.dat
C:\Users\Public\Videos\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\pubpol33.dat
C:\Windows\assembly\Desktop.ini
C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb2.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb3.dat
C:\Windows\assembly\NativeImages_v2.0.50727_64\indexc4.dat
C:\Windows\assembly\NativeImages_v2.0.50727_64\indexc7.dat
C:\Windows\assembly\NativeImages_v2.0.50727_64\indexc8.dat
C:\Windows\Downloaded Program Files\desktop.ini
C:\Windows\Fonts\StaticCache.dat
C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini
C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini
C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini
C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini
C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini
C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini
C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini

//end

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7988
Hi,

The Filelister logs are completely clean.  I need to go back and review everything in your logs.  I probably won't have the time until tomorrow.  If I still don't see anything, I am going to ask one of my colleagues to review this log and see if they can offer additional suggestions, or see if they can spot anything I might have missed.
Don't Read?  Can't learn!