Problem: rootkit.win32.agent.bert

Unread postby TMo » April 21st, 2010, 8:06 pm

I have been unable to eliminate rootkit.win32.agent.bert, which keeps popping up as a problem on my computer. My CPU remains at 100% usage most of the time and I haven't been able to identify the problem. I know it happened at the end of last month. I believe March 28th. Below are the HijackThis.log and uninstall_list.txt contents. Thank you for your help. - TMo.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:04 PM, on 4/21/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\windows\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Agregar al componente Anti-Banners - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

--
End of file - 6461 bytes


Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Compatibility Pack for the 2007 Office system
ERUNT 1.1j
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java(TM) 6 Update 14
Junk Mail filter update
Kaspersky Internet Security 2010
Kaspersky Internet Security 2010
Label@Once 1.0
LimeWire 5.3.6
Malwarebytes' Anti-Malware
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
MSVCRT
MyToshiba
NetZero Launcher
Norton Internet Security
OGA Notifier 2.0.0048.0
PlayReady PC Runtime x86
Pocket RAR documentation
Quickbooks Financial Center
Realtek 8136 8168 8169 Ethernet Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype Launcher
Skype web features
Skype™ 4.1
StreamTorrent 1.0
Synaptics Pointing Device Driver
Toshiba Application and Driver Installer
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Flash Cards Support Utility
TOSHIBA Flash Cards Support Utility
TOSHIBA Hardware Setup
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA HDD/SSD Alert
Toshiba Online Backup
Toshiba Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA Service Station
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
ToshibaRegistration
TVAnts 1.0
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Veetle TV 0.9.16
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WildTangent Games
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
TMo
Active Member
Posts: 10
Joined: April 21st, 2010, 7:51 pm

Re: Problem: rootkit.win32.agent.bert

Unread postby MWR 3 day Mod » April 24th, 2010, 11:33 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Problem: rootkit.win32.agent.bert

Unread postby deltalima » April 26th, 2010, 12:51 pm

Hi TMo,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

multiple Anti Virus programs

  • It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:
    Kaspersky Internet Security 2010
    Norton Internet Security
  • Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer.
  • Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

  • Please remove one of them.

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    StreamTorrent 1.0
    LimeWire 5.3.6


  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl Then click enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
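A small triage script over HijackThis lines, added here as an example and not part of the forum thread or of HijackThis itself. It takes a handful of lines from the log TMo posted above and flags what deltalima picked out by eye: more than one security vendor among the O23 services (the leftover Norton service next to Kaspersky), orphaned O2/O3 entries marked "(no file)", and the O20 AppInit_DLLs list. The vendor set and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
"""

# Vendors whose O23 services indicate a resident antivirus product.
# Constructed for this example from the two products seen in the thread.
SECURITY_VENDORS = {"Kaspersky Lab", "Symantec Corporation"}

CLSID_RE = re.compile(r"(\{[0-9A-Fa-f-]+\})")
SECTION_RE = re.compile(r"^(O\d+|R[013]|F\d) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, e.g. ('O23', 'Service: ...')."""
    entries = []
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def orphaned_entries(entries):
    """O2 (BHO) and O3 (toolbar) registrations whose DLL no longer exists.
    HijackThis marks these '(no file)'; they are dead entries left behind by
    an uninstall and are the first candidates to clean up."""
    out = []
    for sec, body in entries:
        if sec in ("O2", "O3") and body.endswith("(no file)"):
            m = CLSID_RE.search(body)
            out.append((sec, m.group(1) if m else None))
    return out


def security_services(entries):
    """Map known security vendor -> O23 service display names found for it."""
    found = defaultdict(list)
    for sec, body in entries:
        if sec != "O23":
            continue
        m = SERVICE_RE.match(body)
        if m and m.group("vendor") in SECURITY_VENDORS:
            found[m.group("vendor")].append(m.group("name"))
    return dict(found)


def appinit_dlls(entries):
    """O20 AppInit_DLLs: every DLL listed here is loaded into each process that
    links user32.dll, so every path should be one you can account for."""
    dlls = []
    for sec, body in entries:
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            dlls.extend(p.strip() for p in value.split(",") if p.strip())
    return dlls


def triage(text):
    """Run the three checks and return a summary dict."""
    entries = parse_hjt(text)
    vendors = security_services(entries)
    return {
        "orphaned": orphaned_entries(entries),
        "security_vendors": sorted(vendors),
        "multiple_av": len(vendors) > 1,   # deltalima's 'multiple Anti Virus' finding
        "appinit_dlls": appinit_dlls(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```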

Re: Problem: rootkit.win32.agent.bert

Unread postby TMo » April 26th, 2010, 3:24 pm

Hello deltalima and thank you for your time and assistance.

To my knowledge, I do not have multiple Anti-virus programs. I removed Norton quite a while ago when my subscription expired and I obtained Kaspersky. Nevertheless, I went to Control Panels>Program>Uninstall and Norton DOES NOT show up. I am not sure why it shows on the log I sent to you. Would you know why? I did search for Norton files and 2 folders show up with internet shortcuts to Symantec Security Center and 1 folder in Program Files with sub-folders titled Branding, Engine and MUI. That is all. Please let me know what I should do. Would you like me to delete these files and folders?

As a side note: when I started having issues with my computer I tried to uninstall Kaspersky and I have been unable to do so.

I have removed the following P2P Programs: StreamTorrent 1.0 and LimeWire 5.3.6, as instructed.

I await further instructions,

TMo
TMo
Active Member
Posts: 10
Joined: April 21st, 2010, 7:51 pm

Re: Problem: rootkit.win32.agent.bert

Unread postby deltalima » April 26th, 2010, 3:46 pm

Hi TMo,

Please Note:
The programs I ask you to run need to be run in Administrator Mode by... Right clicking the program file and selecting: Run as Administrator.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

I removed Norton quite a while ago when my subscription expired


This is a common problem where Norton does not completely uninstall. A special tool has been created to resolve this issue.

Norton Removal Tool

Please go to the Norton Removal Tool main page Here
  • Under Choose your product: click on the I have Norton >> << link.
  • Please Download and run the Norton Removal Tool then Reboot your computer.

I tried to uninstall Kaspersky and I have been unable to do so


That is fine, we need one working antivirus at all times.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Right click on OTL.exe and select Run as Administrator.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Right click the .exe file and select Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Problem: rootkit.win32.agent.bert

Unread postby TMo » April 26th, 2010, 5:52 pm

I ran the Norton Removal Tool and Rebooted my computer.

I downloaded and ran OTL as well as GMER. Here are the following files:

1) OTL.txt

OTL logfile created on: 4/26/2010 4:12:48 PM - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Users\Tirso Moscoso\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 223.27 Gb Total Space | 193.26 Gb Free Space | 86.56% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TIRSOMOSCOSO-PC
Current User Name: Tirso Moscoso
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Tirso Moscoso\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe (TOSHIBA CORPORATION)
PRC - C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - c:\Program Files\Windows Defender\MpCmdRun.exe (Microsoft Corporation)
PRC - C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)


========== Modules (SafeList) ==========

MOD - C:\Users\Tirso Moscoso\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Akamai) -- C:/Program Files/Common Files/Akamai/rswin_3653.dll ()
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (TMachInfo) -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe (TOSHIBA Corporation)
SRV - (cfWiMAXService) -- C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe (TOSHIBA CORPORATION)
SRV - (TosCoSrv) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe (TOSHIBA Corporation)
SRV - (TOSHIBA HDD SSD Alert Service) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe (TOSHIBA Corporation)
SRV - (TODDSrv) -- C:\Windows\System32\TODDSrv.exe (TOSHIBA Corporation)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (AVP) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe (Kaspersky Lab)
SRV - (GameConsoleService) -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe (WildTangent, Inc.)
SRV - (ConfigFree Service) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)


========== Driver Services (SafeList) ==========

DRV - (KLIF) -- C:\Windows\System32\drivers\klif.sys (Kaspersky Lab)
DRV - (kl1) -- C:\Windows\System32\drivers\kl1.sys (Kaspersky Lab)
DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (RTL8187B) -- C:\Windows\System32\drivers\RTL8187B.sys (Realtek Semiconductor Corporation )
DRV - (tdcmdpst) -- C:\Windows\System32\drivers\tdcmdpst.sys (TOSHIBA Corporation.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (tos_sps32) -- C:\windows\system32\DRIVERS\tos_sps32.sys (TOSHIBA Corporation)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics Incorporated)
DRV - (RSUSBSTOR) -- C:\Windows\System32\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)
DRV - (TVALZ) -- C:\windows\system32\DRIVERS\TVALZ_O.SYS (TOSHIBA Corporation)
DRV - (cmdide) -- C:\windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (KSecPkg) -- C:\windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (LSI_SCSI) -- C:\windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vhdmp) -- C:\windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\windows\system32\DRIVERS\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (vwififlt) -- C:\Windows\System32\drivers\vwififlt.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\windows\system32\DRIVERS\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (LSI Corp)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (LPCFilter) -- C:\windows\system32\DRIVERS\LPCFilter.sys (COMPAL ELECTRONIC INC.)
DRV - (iaStor) -- C:\windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (RTL8167) -- C:\Windows\System32\drivers\Rt86win7.sys (Realtek )
DRV - (klmouflt) -- C:\Windows\System32\drivers\klmouflt.sys (Kaspersky Lab)
DRV - (KLIM6) -- C:\Windows\System32\drivers\klim6.sys (Kaspersky Lab)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=TSNA
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=TSNA


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A8 BA E7 0C 0B FE DA 49 BD 78 A6 9E CE 73 FB 60 [binary data]
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A8 BA E7 0C 0B FE DA 49 BD 78 A6 9E CE 73 FB 60 [binary data]
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A8 BA E7 0C 0B FE DA 49 BD 78 A6 9E CE 73 FB 60 [binary data]

IE - HKU\S-1-5-21-350632221-682335273-3265395669-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=TSNA
IE - HKU\S-1-5-21-350632221-682335273-3265395669-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=TSNA
IE - HKU\S-1-5-21-350632221-682335273-3265395669-1002\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A8 BA E7 0C 0B FE DA 49 BD 78 A6 9E CE 73 FB 60 [binary data]
IE - HKU\S-1-5-21-350632221-682335273-3265395669-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\THBExt [2010/04/09 17:56:34 | 000,000,000 | ---D | M]

[2009/12/16 10:15:18 | 000,000,000 | ---D | M] -- C:\Users\Tirso Moscoso\AppData\Roaming\Mozilla\Extensions
[2009/12/16 10:15:18 | 000,000,000 | ---D | M] -- C:\Users\Tirso Moscoso\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org

O1 HOSTS File: ([2009/06/10 16:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll (Kaspersky Lab)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-350632221-682335273-3265395669-1002\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe (Kaspersky Lab)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O8 - Extra context menu item: Agregar al componente Anti-Banners - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 190.157.2.140 200.118.2.91 200.118.2.66
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\windows\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\windows\system32\klogon.dll - C:\Windows\System32\klogon.dll (Kaspersky Lab)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/26 15:31:35 | 000,854,064 | ---- | C] (Symantec Corporation) -- C:\Users\Tirso Moscoso\Desktop\Norton_Removal_Tool.exe
[2010/04/26 15:17:34 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Users\Tirso Moscoso\Desktop\OTL.exe
[2010/04/22 18:22:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai
[2010/04/21 17:36:26 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/21 17:26:23 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Users\Tirso Moscoso\Desktop\HJTInstall.exe
[2010/04/14 09:44:18 | 003,899,280 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ntoskrnl.exe
[2010/04/14 09:44:17 | 003,954,568 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ntkrnlpa.exe
[2010/04/14 09:44:03 | 000,427,520 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\vbscript.dll
[2010/04/13 08:43:34 | 000,000,000 | ---D | C] -- C:\Users\Tirso Moscoso\AppData\Roaming\Malwarebytes
[2010/04/13 08:43:20 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/04/13 08:43:16 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/04/13 08:43:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/13 08:43:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/13 08:40:27 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2010/04/13 08:39:32 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/13 08:21:11 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\Tirso Moscoso\Desktop\TFC.exe
[2010/04/09 20:28:38 | 000,000,000 | ---D | C] -- C:\Users\Tirso Moscoso\AppData\Local\CrashDumps
[2010/04/09 17:56:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2010/04/09 17:56:06 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2010/04/09 17:55:54 | 000,280,592 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\klif.sys
[2010/04/09 17:52:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2010/04/09 17:15:45 | 000,000,000 | ---D | C] -- C:\Archivos de programa
[2010/04/09 07:09:56 | 000,000,000 | -HSD | C] -- C:\windows\System32\%APPDATA%
[2010/04/07 18:40:46 | 000,000,000 | ---D | C] -- C:\Users\Tirso Moscoso\AppData\Local\Tific
[2010/04/07 18:40:38 | 000,000,000 | ---D | C] -- C:\Users\Tirso Moscoso\AppData\Roaming\Tific
[2010/04/05 18:29:03 | 000,000,000 | ---D | C] -- C:\windows\System32\DRVSTORE
[2010/04/05 18:29:00 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\windows\System32\drivers\SBREDrv.sys
[2010/04/05 18:23:04 | 000,000,000 | ---D | C] -- C:\windows\Sun
[2010/04/05 16:35:41 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/04/03 17:46:24 | 000,000,000 | ---D | C] -- C:\Users\Tirso Moscoso\AppData\Roaming\BitDefender
[2010/04/03 17:45:47 | 000,000,000 | ---D | C] -- C:\ProgramData\BitDefender
[2010/04/03 17:45:47 | 000,000,000 | ---D | C] -- C:\Program Files\BitDefender
[2010/04/03 17:02:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\BitDefender
[2010/04/03 16:16:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Panda Security
[2010/04/02 09:07:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/04/02 09:07:53 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/03/31 16:56:50 | 000,000,000 | ---D | C] -- C:\Users\Tirso Moscoso\AppData\Local\ElevatedDiagnostics
[2010/03/31 15:04:33 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\mstime.dll
[2010/03/31 15:04:33 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iedkcs32.dll
[2010/03/31 15:04:32 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeedsbs.dll
[2010/03/29 07:17:02 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/03/29 07:16:57 | 000,000,000 | ---D | C] -- C:\ProgramData\avg9
[2010/03/28 16:19:55 | 000,000,000 | ---D | C] -- C:\Users\Tirso Moscoso\AppData\Local\Symantec
[2010/03/28 16:13:30 | 000,000,000 | ---D | C] -- C:\windows\Minidump
[2010/03/28 10:55:07 | 000,000,000 | ---D | C] -- C:\Users\Tirso Moscoso\AppData\Roaming\iWin
[1 C:\Users\Tirso Moscoso\Documents\*.tmp files -> C:\Users\Tirso Moscoso\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/26 16:23:48 | 000,823,808 | ---- | M] () -- C:\windows\System32\drivers\lrfhbp.sys
[2010/04/26 16:22:09 | 004,718,592 | -HS- | M] () -- C:\Users\Tirso Moscoso\ntuser.dat
[2010/04/26 16:08:58 | 000,000,882 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/26 16:06:13 | 000,615,360 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2010/04/26 16:06:12 | 000,713,888 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2010/04/26 16:06:12 | 000,103,702 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2010/04/26 16:04:23 | 000,016,304 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/26 16:04:23 | 000,016,304 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/26 16:00:43 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At114.job
[2010/04/26 15:56:28 | 000,000,434 | ---- | M] () -- C:\windows\tasks\At1.job
[2010/04/26 15:56:28 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2010/04/26 15:56:24 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2010/04/26 15:56:19 | 1504,354,304 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/26 15:55:36 | 001,893,581 | -H-- | M] () -- C:\Users\Tirso Moscoso\AppData\Local\IconCache.db
[2010/04/26 15:34:09 | 000,000,886 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/26 15:31:39 | 000,854,064 | ---- | M] (Symantec Corporation) -- C:\Users\Tirso Moscoso\Desktop\Norton_Removal_Tool.exe
[2010/04/26 15:17:38 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Users\Tirso Moscoso\Desktop\OTL.exe
[2010/04/26 15:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At113.job
[2010/04/26 14:00:20 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At112.job
[2010/04/26 13:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At111.job
[2010/04/26 12:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At110.job
[2010/04/26 11:11:01 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At109.job
[2010/04/26 10:00:01 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At108.job
[2010/04/26 09:00:05 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At107.job
[2010/04/26 08:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At106.job
[2010/04/26 07:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At105.job
[2010/04/26 06:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At104.job
[2010/04/26 05:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At103.job
[2010/04/26 04:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At102.job
[2010/04/26 03:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At101.job
[2010/04/26 02:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At100.job
[2010/04/26 01:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At99.job
[2010/04/26 00:02:26 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At98.job
[2010/04/25 23:00:04 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At121.job
[2010/04/25 22:00:57 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At120.job
[2010/04/25 21:00:15 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At119.job
[2010/04/25 20:27:06 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At118.job
[2010/04/25 19:02:38 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At117.job
[2010/04/24 17:23:41 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At116.job
[2010/04/24 16:00:00 | 000,000,380 | ---- | M] () -- C:\windows\tasks\At115.job
[2010/04/23 18:27:01 | 000,007,607 | ---- | M] () -- C:\Users\Tirso Moscoso\AppData\Local\Resmon.ResmonCfg
[2010/04/21 17:36:26 | 000,002,050 | ---- | M] () -- C:\Users\Tirso Moscoso\Desktop\HijackThis.lnk
[2010/04/21 17:26:36 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Users\Tirso Moscoso\Desktop\HJTInstall.exe
[2010/04/21 15:55:16 | 260,722,619 | ---- | M] () -- C:\windows\MEMORY.DMP
[2010/04/21 15:41:48 | 000,525,824 | ---- | M] () -- C:\Users\Tirso Moscoso\Desktop\dds.scr
[2010/04/21 15:39:39 | 000,000,000 | ---- | M] () -- C:\Users\Tirso Moscoso\defogger_reenable
[2010/04/16 15:08:39 | 000,011,760 | ---- | M] () -- C:\Users\Tirso Moscoso\Documents\AHA_Medical_claim_form.pdf
[2010/04/15 18:51:42 | 000,017,434 | ---- | M] () -- C:\Users\Tirso Moscoso\Documents\Budget TM.xlsx
[2010/04/13 08:43:23 | 000,000,990 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/13 08:39:35 | 000,000,905 | ---- | M] () -- C:\Users\Tirso Moscoso\Desktop\NTREGOPT.lnk
[2010/04/13 08:39:35 | 000,000,886 | ---- | M] () -- C:\Users\Tirso Moscoso\Desktop\ERUNT.lnk
[2010/04/13 08:21:12 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\Tirso Moscoso\Desktop\TFC.exe
[2010/04/13 08:19:30 | 000,029,259 | ---- | M] () -- C:\Users\Tirso Moscoso\Documents\Camila Research Paper.docx
[2010/04/09 18:38:49 | 000,604,140 | -HS- | M] () -- C:\windows\System32\drivers\ISwift3.dat
[2010/04/09 18:27:56 | 000,280,592 | ---- | M] (Kaspersky Lab) -- C:\windows\System32\drivers\klif.sys
[2010/04/09 18:27:56 | 000,128,016 | ---- | M] (Kaspersky Lab) -- C:\windows\System32\drivers\kl1.sys
[2010/04/09 18:27:46 | 000,108,059 | ---- | M] () -- C:\windows\System32\drivers\klin.dat
[2010/04/09 18:27:46 | 000,095,259 | ---- | M] () -- C:\windows\System32\drivers\klick.dat
[2010/04/09 16:46:23 | 000,000,052 | ---- | M] () -- C:\windows\System32\ashttpstats.csv
[2010/04/09 16:44:54 | 000,000,012 | ---- | M] () -- C:\windows\System32\drivers\NIS\1100000.088\Cat.DB
[2010/04/09 11:01:58 | 000,072,200 | ---- | M] (BitDefender LLC) -- C:\windows\System32\drivers\BdfNdisf6.sys
[2010/04/08 14:31:26 | 000,015,601 | ---- | M] () -- C:\Users\Tirso Moscoso\Documents\PTS Letter 2.docx
[2010/04/07 16:50:34 | 000,013,913 | ---- | M] () -- C:\Users\Tirso Moscoso\Documents\PTS Letter.docx
[2010/04/05 18:28:59 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\windows\System32\drivers\SBREDrv.sys
[2010/04/05 17:22:54 | 000,000,025 | ---- | M] () -- C:\Users\Tirso Moscoso\AppData\Roaming\bdfvconp.ini
[2010/04/05 07:54:57 | 000,000,056 | -H-- | M] () -- C:\windows\System32\ezsidmv.dat
[2010/04/03 18:42:25 | 000,000,016 | ---- | M] () -- C:\windows\System32\asdict.dat
[2010/04/03 18:42:25 | 000,000,004 | ---- | M] () -- C:\windows\System32\aspdict-en.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\wsbl.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\phar_unmip.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\phar_histprot.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\ph_white.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\ph_summ.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\ph_spoof.sig
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\ph_sign.slf
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\ph_fuzzy.sig
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\ph_black.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pcwords2.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pcwords.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_webproxy.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_video.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_tabloids.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_socialnetworks.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_sign.slf
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_searchengines.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_regionaltlds.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_pornography.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_onlineshop.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_onlinepay.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_onlinedating.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_news.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_im.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_illegal.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_hate.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_games.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_gambling.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | M] () -- C:\windows\System32\pc_drugs.dat
[2010/04/03 18:09:37 | 000,000,000 | ---- | M] () -- C:\windows\System32\ab_sbl.sig
[2010/04/03 18:09:37 | 000,000,000 | ---- | M] () -- C:\windows\System32\ab_bl.sig
[2010/04/03 17:51:45 | 000,000,385 | ---- | M] () -- C:\windows\System32\user_gensett.xml
[2010/04/03 17:49:30 | 000,524,288 | -HS- | M] () -- C:\Users\Tirso Moscoso\ntuser.dat{9cad5cb8-3f68-11df-bc8a-002622421711}.TMContainer00000000000000000002.regtrans-ms
[2010/04/03 17:49:30 | 000,524,288 | -HS- | M] () -- C:\Users\Tirso Moscoso\ntuser.dat{9cad5cb8-3f68-11df-bc8a-002622421711}.TMContainer00000000000000000001.regtrans-ms
[2010/04/03 17:49:30 | 000,065,536 | -HS- | M] () -- C:\Users\Tirso Moscoso\ntuser.dat{9cad5cb8-3f68-11df-bc8a-002622421711}.TM.blf
[2010/03/31 10:24:27 | 000,524,288 | -HS- | M] () -- C:\Users\Tirso Moscoso\ntuser.dat{19270df3-3cd3-11df-b81a-002622421711}.TMContainer00000000000000000002.regtrans-ms
[2010/03/31 10:24:27 | 000,524,288 | -HS- | M] () -- C:\Users\Tirso Moscoso\ntuser.dat{19270df3-3cd3-11df-b81a-002622421711}.TMContainer00000000000000000001.regtrans-ms
[2010/03/31 10:24:27 | 000,065,536 | -HS- | M] () -- C:\Users\Tirso Moscoso\ntuser.dat{19270df3-3cd3-11df-b81a-002622421711}.TM.blf
[2010/03/29 23:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/03/29 23:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/03/28 14:54:56 | 000,000,300 | ---- | M] () -- C:\windows\System32\stsf.bat
[1 C:\Users\Tirso Moscoso\Documents\*.tmp files -> C:\Users\Tirso Moscoso\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/21 17:36:26 | 000,002,050 | ---- | C] () -- C:\Users\Tirso Moscoso\Desktop\HijackThis.lnk
[2010/04/21 15:49:51 | 000,293,376 | ---- | C] () -- C:\Users\Tirso Moscoso\Desktop\gmer.exe
[2010/04/21 15:41:41 | 000,525,824 | ---- | C] () -- C:\Users\Tirso Moscoso\Desktop\dds.scr
[2010/04/21 15:39:39 | 000,000,000 | ---- | C] () -- C:\Users\Tirso Moscoso\defogger_reenable
[2010/04/16 15:08:39 | 000,011,760 | ---- | C] () -- C:\Users\Tirso Moscoso\Documents\AHA_Medical_claim_form.pdf
[2010/04/13 08:43:23 | 000,000,990 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/13 08:39:35 | 000,000,905 | ---- | C] () -- C:\Users\Tirso Moscoso\Desktop\NTREGOPT.lnk
[2010/04/13 08:39:35 | 000,000,886 | ---- | C] () -- C:\Users\Tirso Moscoso\Desktop\ERUNT.lnk
[2010/04/13 08:19:28 | 000,029,259 | ---- | C] () -- C:\Users\Tirso Moscoso\Documents\Camila Research Paper.docx
[2010/04/09 18:38:49 | 000,604,140 | -HS- | C] () -- C:\windows\System32\drivers\ISwift3.dat
[2010/04/09 17:57:03 | 000,108,059 | ---- | C] () -- C:\windows\System32\drivers\klin.dat
[2010/04/09 17:57:03 | 000,095,259 | ---- | C] () -- C:\windows\System32\drivers\klick.dat
[2010/04/08 08:04:10 | 000,015,601 | ---- | C] () -- C:\Users\Tirso Moscoso\Documents\PTS Letter 2.docx
[2010/04/07 16:16:53 | 000,013,913 | ---- | C] () -- C:\Users\Tirso Moscoso\Documents\PTS Letter.docx
[2010/04/05 17:22:54 | 000,000,025 | ---- | C] () -- C:\Users\Tirso Moscoso\AppData\Roaming\bdfvconp.ini
[2010/04/05 07:54:57 | 000,000,056 | -H-- | C] () -- C:\windows\System32\ezsidmv.dat
[2010/04/03 19:08:57 | 000,000,052 | ---- | C] () -- C:\windows\System32\ashttpstats.csv
[2010/04/03 18:42:25 | 000,000,016 | ---- | C] () -- C:\windows\System32\asdict.dat
[2010/04/03 18:42:25 | 000,000,004 | ---- | C] () -- C:\windows\System32\aspdict-en.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\wsbl.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\phar_unmip.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\phar_histprot.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\ph_white.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\ph_summ.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\ph_spoof.sig
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\ph_sign.slf
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\ph_fuzzy.sig
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\ph_black.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pcwords2.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pcwords.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_webproxy.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_video.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_tabloids.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_socialnetworks.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_sign.slf
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_searchengines.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_regionaltlds.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_pornography.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_onlineshop.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_onlinepay.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_onlinedating.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_news.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_im.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_illegal.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_hate.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_games.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_gambling.dat
[2010/04/03 18:09:38 | 000,000,000 | ---- | C] () -- C:\windows\System32\pc_drugs.dat
[2010/04/03 18:09:37 | 000,000,000 | ---- | C] () -- C:\windows\System32\ab_sbl.sig
[2010/04/03 18:09:37 | 000,000,000 | ---- | C] () -- C:\windows\System32\ab_bl.sig
[2010/04/03 17:51:45 | 000,000,385 | ---- | C] () -- C:\windows\System32\user_gensett.xml
[2010/04/03 16:34:40 | 000,524,288 | -HS- | C] () -- C:\Users\Tirso Moscoso\ntuser.dat{9cad5cb8-3f68-11df-bc8a-002622421711}.TMContainer00000000000000000002.regtrans-ms
[2010/04/03 16:34:40 | 000,524,288 | -HS- | C] () -- C:\Users\Tirso Moscoso\ntuser.dat{9cad5cb8-3f68-11df-bc8a-002622421711}.TMContainer00000000000000000001.regtrans-ms
[2010/04/03 16:34:40 | 000,065,536 | -HS- | C] () -- C:\Users\Tirso Moscoso\ntuser.dat{9cad5cb8-3f68-11df-bc8a-002622421711}.TM.blf
[2010/03/31 10:26:02 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At121.job
[2010/03/31 10:26:02 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At120.job
[2010/03/31 10:26:02 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At119.job
[2010/03/31 10:26:02 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At118.job
[2010/03/31 10:26:02 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At117.job
[2010/03/31 10:26:02 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At116.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At115.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At114.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At113.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At112.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At111.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At110.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At109.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At108.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At107.job
[2010/03/31 10:26:01 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At106.job
[2010/03/31 10:25:59 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At99.job
[2010/03/31 10:25:59 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At98.job
[2010/03/31 10:25:59 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At105.job
[2010/03/31 10:25:59 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At104.job
[2010/03/31 10:25:59 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At103.job
[2010/03/31 10:25:59 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At102.job
[2010/03/31 10:25:59 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At101.job
[2010/03/31 10:25:59 | 000,000,380 | ---- | C] () -- C:\windows\tasks\At100.job
[2010/03/31 10:24:26 | 000,524,288 | -HS- | C] () -- C:\Users\Tirso Moscoso\ntuser.dat{19270df3-3cd3-11df-b81a-002622421711}.TMContainer00000000000000000002.regtrans-ms
[2010/03/31 10:24:26 | 000,524,288 | -HS- | C] () -- C:\Users\Tirso Moscoso\ntuser.dat{19270df3-3cd3-11df-b81a-002622421711}.TMContainer00000000000000000001.regtrans-ms
[2010/03/31 10:24:26 | 000,065,536 | -HS- | C] () -- C:\Users\Tirso Moscoso\ntuser.dat{19270df3-3cd3-11df-b81a-002622421711}.TM.blf
[2010/03/28 18:10:13 | 000,005,230 | ---- | C] () -- C:\Users\Tirso Moscoso\AppData\Local\AA9AECA3-77DF-48D3-BEE5-20092059270D.txt
[2010/03/28 16:26:14 | 000,823,808 | ---- | C] () -- C:\windows\System32\drivers\lrfhbp.sys
[2010/03/28 16:20:52 | 000,000,434 | ---- | C] () -- C:\windows\tasks\At1.job
[2010/03/28 16:13:18 | 260,722,619 | ---- | C] () -- C:\windows\MEMORY.DMP
[2010/03/28 14:54:53 | 000,000,300 | ---- | C] () -- C:\windows\System32\stsf.bat
[2009/11/07 18:06:24 | 000,000,013 | RHS- | C] () -- C:\windows\System32\drivers\fbd.sys
[2009/10/20 08:55:17 | 000,000,000 | ---- | C] () -- C:\windows\NDSTray.INI
[2009/10/20 08:36:25 | 000,045,056 | ---- | C] () -- C:\windows\System32\HWS_Ctrl.dll
[2009/10/20 08:34:36 | 000,073,728 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\windows\System32\OGACheckControl.dll
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
[2009/04/28 06:37:00 | 000,028,672 | ---- | C] () -- C:\windows\System32\SPCtl.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 164 bytes -> C:\ProgramData\TEMP:CB0AACC9
@Alternate Data Stream - 156 bytes -> C:\ProgramData\TEMP:DFC5A2B2
< End of report >


2) Extras.txt

OTL Extras logfile created on: 4/26/2010 4:12:48 PM - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Users\Tirso Moscoso\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 223.27 Gb Total Space | 193.26 Gb Free Space | 86.56% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TIRSOMOSCOSO-PC
Current User Name: Tirso Moscoso
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MIF5BA~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}" = MyToshiba
"{0D795777-9D60-4692-8386-F2B3F2B5E5BF}" = Label@Once 1.0
"{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}" = Adobe Flash Player 10 Plugin
"{0FB630AB-7BD8-40AE-B223-60397D57C3C9}" = Realtek WLAN Driver
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 14
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3B843B38-04B1-4CE6-8888-586273E0F289}" = Quickbooks Financial Center
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5AF550B4-BB67-4E7E-82F1-2C4300279050}" = ToshibaRegistration
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}" = Toshiba Application and Driver Installer
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9AEAF9CC-390B-49C0-8F7F-14092BF163B6}" = NetZero Launcher
"{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator
"{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Toshiba Online Backup
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DA84ECBF-4B79-47F2-B34C-95C38484C058}" = Skype Launcher
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E69992ED-A7F6-406C-9280-1C156417BC49}" = Toshiba Quality Application
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F3529665-D75E-4D6D-98F0-745C78C68E9B}" = TOSHIBA ConfigFree
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Akamai" = Akamai NetSession Interface
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
"InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
"InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"InstallWIX_{9D8B0949-7C47-476F-9F06-F900D3B078EA}" = Kaspersky Internet Security 2010
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"PocketRAR" = Pocket RAR documentation
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TVAnts 1.0" = TVAnts 1.0
"Veetle TV" = Veetle TV 0.9.16
"WildTangent toshiba Master Uninstall" = WildTangent Games
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-350632221-682335273-3265395669-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/10/2010 8:01:25 AM | Computer Name = TirsoMoscoso-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: mshtml.dll, version: 8.0.7600.16535,
time stamp: 0x4b83889f Exception code: 0xc0000005 Fault offset: 0x001bb1cf Faulting
process id: 0xe18 Faulting application start time: 0x01cad8a44779750e Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\System32\mshtml.dll
Report
Id: c94caa68-4498-11df-838a-002622421711

Error - 4/11/2010 10:16:44 AM | Computer Name = TirsoMoscoso-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: mshtml.dll, version: 8.0.7600.16535,
time stamp: 0x4b83889f Exception code: 0xc0000005 Fault offset: 0x001bb1cf Faulting
process id: 0x4a8 Faulting application start time: 0x01cad97ec134e3be Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\System32\mshtml.dll
Report
Id: dad13e66-4574-11df-be1e-002622421711

Error - 4/12/2010 7:58:31 AM | Computer Name = TirsoMoscoso-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: mshtml.dll, version: 8.0.7600.16535,
time stamp: 0x4b83889f Exception code: 0xc0000005 Fault offset: 0x001bb1cf Faulting
process id: 0x13d0 Faulting application start time: 0x01cada35bdc7d7aa Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\System32\mshtml.dll
Report
Id: b625c781-462a-11df-8554-002622421711

Error - 4/12/2010 8:18:21 AM | Computer Name = TirsoMoscoso-PC | Source = Application Error | ID = 1000
Description = Faulting application name: pctsSvc.exe, version: 6.0.0.22, time stamp:
0x48ed60ec Faulting module name: KERNELBASE.dll, version: 6.1.7600.16385, time stamp:
0x4a5bdaae Exception code: 0x0eedfade Fault offset: 0x00009617 Faulting process id:
0x28c Faulting application start time: 0x01cada39f4734c3d Faulting application path:
C:\Program Files\Spyware Doctor\pctsSvc.exe Faulting module path: C:\windows\system32\KERNELBASE.dll
Report
Id: 7b46963f-462d-11df-bf84-002622421711

Error - 4/12/2010 8:36:33 AM | Computer Name = TirsoMoscoso-PC | Source = Windows Search Service | ID = 3100
Description =

Error - 4/12/2010 9:11:39 AM | Computer Name = TirsoMoscoso-PC | Source = Windows Search Service | ID = 3100
Description =

Error - 4/12/2010 2:09:05 PM | Computer Name = TirsoMoscoso-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: mshtml.dll, version: 8.0.7600.16535,
time stamp: 0x4b83889f Exception code: 0xc0000005 Fault offset: 0x001bb1cf Faulting
process id: 0x1760 Faulting application start time: 0x01cada614e416cbc Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\System32\mshtml.dll
Report
Id: 7aab7dc9-465e-11df-beaf-002622421711

Error - 4/12/2010 4:42:39 PM | Computer Name = TirsoMoscoso-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: mshtml.dll, version: 8.0.7600.16535,
time stamp: 0x4b83889f Exception code: 0xc0000005 Fault offset: 0x001cc0f7 Faulting
process id: 0xa04 Faulting application start time: 0x01cada458ec2805f Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\System32\mshtml.dll
Report
Id: eea2cc17-4673-11df-beaf-002622421711

Error - 4/12/2010 5:28:51 PM | Computer Name = TirsoMoscoso-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: mshtml.dll, version: 8.0.7600.16535,
time stamp: 0x4b83889f Exception code: 0xc0000005 Fault offset: 0x001bb1cf Faulting
process id: 0x8b4 Faulting application start time: 0x01cada86f6b777c1 Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\System32\mshtml.dll
Report
Id: 62ddfb71-467a-11df-83ae-002622421711

Error - 4/12/2010 5:28:51 PM | Computer Name = TirsoMoscoso-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385,
time stamp: 0x4a5bc69e Faulting module name: mshtml.dll, version: 8.0.7600.16535,
time stamp: 0x4b83889f Exception code: 0xc0000005 Fault offset: 0x001bb1cf Faulting
process id: 0x574 Faulting application start time: 0x01cada86fbd01898 Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\System32\mshtml.dll
Report
Id: 6345bdfa-467a-11df-83ae-002622421711

[ Media Center Events ]
Error - 12/4/2009 8:55:58 AM | Computer Name = TirsoMoscoso-PC | Source = MCUpdate | ID = 0
Description = 7:55:56 AM - Failed to retrieve Broadband (Error: The operation has
timed out)

Error - 12/6/2009 10:13:22 AM | Computer Name = TirsoMoscoso-PC | Source = MCUpdate | ID = 0
Description = 9:13:19 AM - Failed to retrieve SportsV2 (Error: The operation has
timed out)

Error - 12/6/2009 10:15:05 AM | Computer Name = TirsoMoscoso-PC | Source = MCUpdate | ID = 0
Description = 9:15:02 AM - Failed to retrieve Broadband (Error: The operation has
timed out)

Error - 1/15/2010 11:34:50 PM | Computer Name = TirsoMoscoso-PC | Source = MCUpdate | ID = 0
Description = 10:34:50 PM - Error connecting to the internet. 10:34:50 PM - Unable
to contact server..

Error - 1/15/2010 11:34:59 PM | Computer Name = TirsoMoscoso-PC | Source = MCUpdate | ID = 0
Description = 10:34:55 PM - Error connecting to the internet. 10:34:55 PM - Unable
to contact server..

Error - 1/16/2010 1:22:18 PM | Computer Name = TirsoMoscoso-PC | Source = MCUpdate | ID = 0
Description = 12:22:17 PM - Error connecting to the internet. 12:22:17 PM - Unable
to contact server..

[ System Events ]
Error - 4/21/2010 6:35:54 PM | Computer Name = TirsoMoscoso-PC | Source = DCOM | ID = 10001
Description =

Error - 4/22/2010 12:21:28 PM | Computer Name = TirsoMoscoso-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 12:20:23 PM on ?4/?22/?2010 was unexpected.

Error - 4/22/2010 12:21:35 PM | Computer Name = TirsoMoscoso-PC | Source = Service Control Manager | ID = 7023
Description = The Microsoft Composite Battery Helper service terminated with the
following error: %%126

Error - 4/22/2010 12:21:36 PM | Computer Name = TirsoMoscoso-PC | Source = Service Control Manager | ID = 7024
Description = The Norton Internet Security service terminated with service-specific
error %%-1.

Error - 4/22/2010 12:22:47 PM | Computer Name = TirsoMoscoso-PC | Source = DCOM | ID = 10001
Description =

Error - 4/22/2010 3:39:47 PM | Computer Name = TirsoMoscoso-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 4/22/2010 7:23:05 PM | Computer Name = TirsoMoscoso-PC | Source = Service Control Manager | ID = 7030
Description = The Akamai NetSession Interface service is marked as an interactive
service. However, the system is configured to not allow interactive services.
This service may not function properly.

Error - 4/23/2010 7:14:22 AM | Computer Name = TirsoMoscoso-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 10:19:06 PM on ?4/?22/?2010 was unexpected.

Error - 4/23/2010 7:14:27 AM | Computer Name = TirsoMoscoso-PC | Source = Service Control Manager | ID = 7023
Description = The Microsoft Composite Battery Helper service terminated with the
following error: %%126

Error - 4/23/2010 7:14:28 AM | Computer Name = TirsoMoscoso-PC | Source = Service Control Manager | ID = 7024
Description = The Norton Internet Security service terminated with service-specific
error %%-1.


< End of report >


3) gmer.txt

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-26 16:47:09
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\TIRSOM~1\AppData\Local\Temp\uxryipow.sys

---- System - GMER 1.0.15 ----
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C22AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C22104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C223F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C0A634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C0A898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C221DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C22958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C226F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C22F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C231A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C82599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CA6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\lrfhbp.sys A device attached to the system is not functioning. !
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x833BA000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x833FF000, 0x3DC, 0x48000040]
.text peauth.sys 98044C9D 28 Bytes [D5, B3, 43, 98, 70, E2, 61, ...]
.text peauth.sys 98044CC1 28 Bytes [D5, B3, 43, 98, 70, E2, 61, ...]
---- User code sections - GMER 1.0.15 ----
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1624] C:\windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1624] C:\windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1624] USER32.dll!NotifyWinEvent + 48F 76D3F728 4 Bytes [70, 11, 32, 6D]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1696] C:\windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1696] C:\windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1696] USER32.dll!NotifyWinEvent + 48F 76D3F728 4 Bytes [70, 11, 32, 6D]
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 86B3C0C0
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\lrfhbp@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\lrfhbp@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\lrfhbp@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\lrfhbp@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\lrfhbp@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\lrfhbp@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\lrfhbp@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\lrfhbp@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount 1
---- EOF - GMER 1.0.15 ----
TMo
Active Member
 
Posts: 10
Joined: April 21st, 2010, 7:51 pm

Re: Problem: rootkit.win32.agent.bert

Unread postby deltalima » April 27th, 2010, 3:24 am

Hi TMo,

Run Combofix:

Temporarily disable any antispyware, antivirus and/or antimalware real-time protection, as it may interfere with the running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Right click combofix.exe and select Run As Administrator then follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If not, follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and, when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Problem: rootkit.win32.agent.bert

Unread postby TMo » April 27th, 2010, 1:53 pm

Hello deltalima, sorry for the slight delay. I had some issues running Combofix initially. Here is the log report:

ComboFix 10-04-26.05 - Tirso Moscoso 04/27/2010 12:26:06.2.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1305 [GMT -5:00]
Running from: c:\users\Tirso Moscoso\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-350632221-682335273-3265395669-500
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\%appdata%
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe

.
((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-27 17:33 . 2010-04-27 17:35 -------- d-----w- c:\users\Tirso Moscoso\AppData\Local\temp
2010-04-27 17:33 . 2010-04-27 17:33 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-04-27 17:33 . 2010-04-27 17:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-27 17:24 . 2010-04-27 17:24 -------- d-----w- C:\32788R22FWJFW
2010-04-27 14:47 . 2010-04-27 17:24 -------- d-----w- C:\ComboFix
2010-04-27 03:16 . 2010-04-27 03:16 -------- d-----w- C:\f1dafa2fc7b85c5041e2
2010-04-22 23:22 . 2010-04-27 17:35 -------- d-----w- c:\program files\Common Files\Akamai
2010-04-21 22:36 . 2010-04-21 22:36 -------- d-----w- c:\program files\Trend Micro
2010-04-18 13:44 . 2010-04-18 13:44 -------- d-----w- c:\users\Guest\AppData\Local\CrashDumps
2010-04-14 14:44 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 14:44 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 14:44 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 14:44 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 14:44 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 14:44 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 11:26 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 11:26 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 13:43 . 2010-04-13 13:43 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\Malwarebytes
2010-04-13 13:43 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 13:43 . 2010-04-13 13:43 -------- d-----w- c:\programdata\Malwarebytes
2010-04-13 13:43 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 13:43 . 2010-04-13 13:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 13:39 . 2010-04-13 13:39 -------- d-----w- c:\program files\ERUNT
2010-04-10 01:28 . 2010-04-24 14:51 -------- d-----w- c:\users\Tirso Moscoso\AppData\Local\CrashDumps
2010-04-09 23:38 . 2010-04-09 23:38 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-04-09 23:31 . 2010-04-09 23:31 932368 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-04-09 23:31 . 2010-04-09 23:31 678416 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-04-09 23:31 . 2010-04-09 23:31 604688 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-04-09 23:31 . 2010-04-09 23:31 1096208 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-04-09 23:31 . 2010-04-09 23:31 522768 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-04-09 23:27 . 2010-04-09 23:27 80400 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-04-09 23:27 . 2010-04-09 23:27 80400 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-04-09 22:52 . 2010-04-09 22:52 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-04-09 22:15 . 2010-04-09 22:15 -------- d-----w- C:\Archivos de programa
2010-04-09 12:30 . 2010-04-09 12:30 -------- d-----w- c:\users\Guest\AppData\Roaming\BitDefender
2010-04-07 23:40 . 2010-04-07 23:40 -------- d-----w- c:\users\Tirso Moscoso\AppData\Local\Tific
2010-04-07 23:40 . 2010-04-07 23:40 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\Tific
2010-04-05 23:29 . 2010-04-16 14:56 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-05 23:29 . 2010-04-05 23:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-05 23:23 . 2010-04-05 23:23 -------- d-----w- c:\windows\Sun
2010-04-05 12:54 . 2010-04-05 12:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-03 23:42 . 2010-04-03 23:42 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-04-03 23:42 . 2010-04-03 23:42 16 ----a-w- c:\windows\system32\asdict.dat
2010-04-03 22:46 . 2010-04-03 22:46 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\BitDefender
2010-04-03 22:45 . 2010-04-09 21:48 -------- d-----w- c:\programdata\BitDefender
2010-04-03 22:45 . 2010-04-09 21:48 -------- d-----w- c:\program files\BitDefender
2010-04-03 22:02 . 2010-04-09 21:48 -------- d-----w- c:\program files\Common Files\BitDefender
2010-04-03 21:16 . 2010-04-03 21:16 -------- d-----w- c:\program files\Common Files\Panda Security
2010-04-02 14:07 . 2010-04-16 14:57 -------- d-----w- c:\program files\Lavasoft
2010-04-02 14:07 . 2010-04-16 14:57 -------- d-----w- c:\programdata\Lavasoft
2010-04-02 02:34 . 2010-04-02 02:34 -------- d-----w- c:\users\Guest\AppData\Local\Diagnostics
2010-03-31 21:56 . 2010-04-04 21:55 -------- d-----w- c:\users\Tirso Moscoso\AppData\Local\ElevatedDiagnostics
2010-03-31 21:03 . 2010-03-31 21:14 -------- d-----w- c:\users\Guest\AppData\Local\Adobe
2010-03-31 20:04 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-29 12:17 . 2010-03-29 12:17 -------- d-----w- c:\program files\AVG
2010-03-29 12:16 . 2010-04-09 21:44 -------- d-----w- c:\programdata\avg9
2010-03-28 21:19 . 2010-03-28 21:19 -------- d-----w- c:\users\Tirso Moscoso\AppData\Local\Symantec
2010-03-28 19:54 . 2010-03-28 19:54 300 ----a-w- c:\windows\system32\stsf.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-27 16:45 . 2010-04-09 22:56 -------- d-----w- c:\programdata\Kaspersky Lab
2010-04-26 20:51 . 2009-09-03 08:22 -------- d-----w- c:\programdata\Norton
2010-04-26 19:19 . 2009-12-16 15:14 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\LimeWire
2010-04-15 11:12 . 2009-10-20 13:12 -------- d-----w- c:\programdata\Microsoft Help
2010-04-09 23:27 . 2010-04-09 23:27 280592 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\6.0\klif.sys
2010-04-09 23:27 . 2010-04-09 23:27 264720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-04-09 23:27 . 2010-04-09 23:27 128016 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2010-04-09 23:27 . 2009-05-24 19:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-04-09 23:27 . 2010-04-09 22:57 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-09 23:27 . 2010-04-09 22:57 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-09 23:27 . 2010-04-09 23:27 109072 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-04-09 23:27 . 2010-04-09 23:27 59920 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-04-09 23:27 . 2010-04-09 23:27 264720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-04-09 23:27 . 2010-04-09 23:27 280592 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\6.0\klif.sys
2010-04-09 23:27 . 2010-04-09 23:27 128016 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2010-04-09 22:56 . 2010-04-09 22:56 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-09 22:24 . 2009-09-03 08:22 -------- d-----w- c:\program files\Norton Internet Security
2010-04-09 16:01 . 2009-10-19 20:04 72200 ----a-w- c:\windows\system32\drivers\BdfNdisf6.sys
2010-04-07 21:59 . 2009-09-03 08:22 -------- d-----w- c:\programdata\NortonInstaller
2010-04-05 20:07 . 2009-11-10 15:39 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\skypePM
2010-04-05 13:21 . 2009-11-10 15:37 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\Skype
2010-03-29 01:50 . 2009-09-03 08:24 -------- d-----w- c:\programdata\WildTangent
2010-03-28 15:55 . 2010-03-28 15:55 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\iWin
2010-03-24 15:33 . 2010-03-24 15:33 1670392 ----a-w- c:\programdata\WildTangent\TOSHIBA Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-03-24 15:33 . 2009-09-03 08:24 -------- d-----w- c:\program files\TOSHIBA Games
2010-03-23 18:14 . 2010-03-23 18:14 -------- d-----w- c:\users\Guest\AppData\Roaming\TOSHIBA
2010-03-19 15:14 . 2009-09-03 08:27 -------- d-----w- c:\program files\Google
2010-03-19 13:00 . 2010-03-19 13:00 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb94D1.tmp.exe
2010-03-16 20:01 . 2010-03-16 20:01 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-03-13 00:40 . 2010-03-13 00:40 -------- d-----w- c:\program files\Veetle
2010-02-24 14:16 . 2009-11-07 23:15 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-02 07:45 . 2010-02-24 12:07 2048 ----a-w- c:\windows\system32\tzres.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-11-07 23:06 . 2009-11-07 23:06 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
Code:
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Realtek\Audio\HDA\rthdvcpl .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\TOSHIBA\FlashCards\tcrdmain .exe
c:\program files\TOSHIBA\My Toshiba\mytoshiba .exe
c:\program files\TOSHIBA\Power Saver\tpwrmain .exe
c:\program files\TOSHIBA\SmoothView\smoothview .exe
c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\toswaitsrv .exe
c:\program files\TOSHIBA\Toshiba Online Backup\Activation\tobuactivation .exe
c:\program files\TOSHIBA\TOSHIBA Service Station\toshibaservicestation .exe
c:\program files\TOSHIBA\Utilities\hwsetup .exe
c:\program files\TOSHIBA\Utilities\kenotify .exe
c:\program files\TOSHIBA\Utilities\svpwutil .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKLM\~\startupfolder\C:^Users^Tirso Moscoso^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Tirso Moscoso\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]
c:\program files\internet explorer\wmpscfgs.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
c:\progra~1\AVG\AVG9\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
c:\program files\Windows Live\Messenger\msnmsgr.exe [N/A]

R2 esteswtb;Microsoft Composite Battery Helper;c:\windows\System32\svchost.exe [2009-07-14 20992]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 135664]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-17 171008]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-25 1343400]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-05-15 21008]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-05-17 19472]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


--- Other Services/Drivers In Memory ---

*Deregistered* - lrfhbp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
esteswtb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe [N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 15:14]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 15:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain ... &bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain ... &bmod=TSNA
IE: Agregar al componente Anti-Banners - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
ShellIconOverlayIdentifiers-{AA9AECA3-77DF-48D3-BEE5-20092059270D} - (no file)



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\lrfhbp]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,24,65,27,71,5e,9b,49,9d,8c,45,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,24,65,27,71,5e,9b,49,9d,8c,45,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-04-27 12:39:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-27 17:39

Pre-Run: 207,756,386,304 bytes free
Post-Run: 207,392,530,432 bytes free

- - End Of File - - 97F382F664982EF3821A661DB22A390C
TMo
Active Member
 
Posts: 10
Joined: April 21st, 2010, 7:51 pm

Re: Problem: rootkit.win32.agent.bert

Unread postby deltalima » April 27th, 2010, 3:41 pm

Hi TMo,

ComboFix - CFScript
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!


You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Please open Notepad and copy/paste all the text below... into the window:
    Code:
    RenV::
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\Realtek\Audio\HDA\rthdvcpl .exe
    c:\program files\Synaptics\SynTP\syntpenh .exe
    c:\program files\TOSHIBA\FlashCards\tcrdmain .exe
    c:\program files\TOSHIBA\My Toshiba\mytoshiba .exe
    c:\program files\TOSHIBA\Power Saver\tpwrmain .exe
    c:\program files\TOSHIBA\SmoothView\smoothview .exe
    c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\toswaitsrv .exe
    c:\program files\TOSHIBA\Toshiba Online Backup\Activation\tobuactivation .exe
    c:\program files\TOSHIBA\TOSHIBA Service Station\toshibaservicestation .exe
    c:\program files\TOSHIBA\Utilities\hwsetup .exe
    c:\program files\TOSHIBA\Utilities\kenotify .exe
    c:\program files\TOSHIBA\Utilities\svpwutil .exe
    c:\program files\Windows Live\Messenger\msnmsgr .exe
    
    
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

    Image

    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!

    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  5. Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
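For readers following the log review above, here is an added example (not ComboFix's or the forum's own code) of a defender-side triage pass over the ComboFix log format quoted in this thread: it picks out the entries a helper reads first, such as the UAC state, AppInit_DLLs, startup entries whose file is gone, svchost-hosted services with no ServiceDll recorded, deregistered services, and executables listed with a space before their extension. The sample lines are copied from the log above; which entries to flag, and the category names, are this example's own choices rather than a ComboFix rule.

```python
"""Triage of the "Reg Loading Points" part of a ComboFix log.

Added example, not ComboFix's or the forum's code. It reads the plain-text
format seen in this thread: "R2 name;display;path [date size]" service lines,
the svchost NetSvcs list, REGEDIT4-style "name"= value lines under their
[key] header, and renamed-file entries that carry a space before ".exe".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.+)$')
RENAMED_RE = re.compile(r"^[a-z]:\\.+ \.(exe|dll|sys)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Return the review points a helper would look at first in this log."""
    findings: list[Finding] = []
    svchost_services: set[str] = set()  # services whose image path is svchost.exe
    service_dll: dict[str, str] = {}    # service name -> ServiceDll shown in the log
    netsvcs: set[str] = set()           # names listed under "Svchost - NetSvcs"
    current_key = ""
    in_netsvcs = False

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_netsvcs = False              # the NetSvcs list ends at a blank line
            continue
        if in_netsvcs:
            netsvcs.add(line)
            continue
        if line.lower().endswith("svchost - netsvcs"):
            in_netsvcs = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, path, meta = m.groups()
            if path.lower().endswith("svchost.exe"):
                svchost_services.add(name)
            if meta.strip().lower() == "x":   # [x]: no file found at that path
                findings.append(Finding("service-image-missing", f"{name}: {path}"))
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if name == "EnableLUA" and value.startswith("0"):
                findings.append(Finding("uac-disabled", "EnableLUA = 0"))
            elif name == "AppInit_DLLs" and value:
                findings.append(Finding("appinit-dll", value))
            elif name == "ServiceDll" and "\\services\\" in current_key.lower():
                service_dll[current_key.rsplit("\\", 1)[1]] = value.strip('"')
            continue
        if line.startswith("*Deregistered*"):
            findings.append(Finding("deregistered-service", line.split("-", 1)[1].strip()))
            continue
        if line.endswith("[N/A]"):              # startup entry whose file is gone
            findings.append(Finding("startup-file-missing", line[:-5].strip()))
            continue
        if RENAMED_RE.match(line):              # "name .exe": renamed executable
            findings.append(Finding("renamed-executable", line))

    # A service running inside svchost.exe gets its code from a ServiceDll; when
    # the log shows none, the code location is unknown. NetSvcs membership says
    # which shared svchost instance hosts it.
    for name in sorted(svchost_services - set(service_dll)):
        where = " (in NetSvcs)" if name in netsvcs else ""
        findings.append(Finding("svchost-service-without-dll", name + where))
    return findings


def by_category(findings: list[Finding]) -> dict[str, list[str]]:
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f.category, []).append(f.detail)
    return out


# Constructed excerpt: lines copied from the ComboFix log in this thread, with
# the sections between them left out.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]
c:\program files\internet explorer\wmpscfgs.exe [N/A]

R2 esteswtb;Microsoft Composite Battery Helper;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]

*Deregistered* - lrfhbp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
esteswtb

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

c:\program files\TOSHIBA\Utilities\hwsetup .exe
"""

if __name__ == "__main__":
    for category, items in by_category(triage(SAMPLE_LOG)).items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Akamai is not reported because the log records its ServiceDll, while esteswtb is hosted by svchost.exe, sits in NetSvcs, and has no DLL recorded anywhere in the log.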

Re: Problem: rootkit.win32.agent.bert

Unread postby TMo » April 27th, 2010, 4:49 pm

Deltalima,

I have done as instructed. When I drag the CFScript.txt icon to the ComboFix.exe icon, ComboFix starts but it doesn't seem to finish. Notepad does not open up with a log. Any ideas as to what I should do?

Just to clarify, the text I am copy/pasting to Notepad and saving as CFScript starts with RenV:: NOT Code:, correct?

Thanks,

TMo
TMo
Active Member
 
Posts: 10
Joined: April 21st, 2010, 7:51 pm

Re: Problem: rootkit.win32.agent.bert

Unread postby deltalima » April 27th, 2010, 5:00 pm

Hi TMo,

the text I am copy/pasting to Notepad and saving as CFScript starts with RenV:: NOT Code:, correct?


Yes, that is correct. Let's try a different method to run it.

Highlight and copy the text in the codebox below.

Code:
"%userprofile%\desktop\combofix.exe %userprofile%\desktop\CFscript.txt"


Click Start, click Run... and paste the text above into the Open: line and click OK.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Problem: rootkit.win32.agent.bert

Unread postby TMo » April 27th, 2010, 5:46 pm

That did not work but I finally got it to run. Here is the log:

ComboFix 10-04-26.05 - Tirso Moscoso 04/27/2010 16:32:57.3.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1342 [GMT -5:00]
Running from: c:\users\Tirso Moscoso\Desktop\ComboFix2.exe
Command switches used :: c:\users\Tirso Moscoso\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-27 21:40 . 2010-04-27 21:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-27 21:40 . 2010-04-27 21:40 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-04-27 21:40 . 2010-04-27 21:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-27 21:31 . 2010-04-27 21:31 -------- d-----w- C:\32788R22FWJFW
2010-04-27 17:33 . 2010-04-27 21:40 -------- d-----w- c:\users\Tirso Moscoso\AppData\Local\temp
2010-04-27 14:47 . 2010-04-27 17:24 -------- d-----w- C:\ComboFix
2010-04-27 03:16 . 2010-04-27 03:16 -------- d-----w- C:\f1dafa2fc7b85c5041e2
2010-04-22 23:22 . 2010-04-27 21:14 -------- d-----w- c:\program files\Common Files\Akamai
2010-04-21 22:36 . 2010-04-21 22:36 -------- d-----w- c:\program files\Trend Micro
2010-04-18 13:44 . 2010-04-18 13:44 -------- d-----w- c:\users\Guest\AppData\Local\CrashDumps
2010-04-14 14:44 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 14:44 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 14:44 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 14:44 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 14:44 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 14:44 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 11:26 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 11:26 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 13:43 . 2010-04-13 13:43 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\Malwarebytes
2010-04-13 13:43 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 13:43 . 2010-04-13 13:43 -------- d-----w- c:\programdata\Malwarebytes
2010-04-13 13:43 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 13:43 . 2010-04-13 13:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 13:39 . 2010-04-13 13:39 -------- d-----w- c:\program files\ERUNT
2010-04-10 01:28 . 2010-04-24 14:51 -------- d-----w- c:\users\Tirso Moscoso\AppData\Local\CrashDumps
2010-04-09 23:38 . 2010-04-09 23:38 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-04-09 23:31 . 2010-04-09 23:31 932368 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-04-09 23:31 . 2010-04-09 23:31 678416 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-04-09 23:31 . 2010-04-09 23:31 604688 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-04-09 23:31 . 2010-04-09 23:31 1096208 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-04-09 23:31 . 2010-04-09 23:31 522768 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-04-09 23:27 . 2010-04-09 23:27 80400 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-04-09 23:27 . 2010-04-09 23:27 80400 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-04-09 22:52 . 2010-04-09 22:52 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-04-09 22:15 . 2010-04-09 22:15 -------- d-----w- C:\Archivos de programa
2010-04-09 12:30 . 2010-04-09 12:30 -------- d-----w- c:\users\Guest\AppData\Roaming\BitDefender
2010-04-07 23:40 . 2010-04-07 23:40 -------- d-----w- c:\users\Tirso Moscoso\AppData\Local\Tific
2010-04-07 23:40 . 2010-04-07 23:40 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\Tific
2010-04-05 23:29 . 2010-04-16 14:56 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-05 23:29 . 2010-04-05 23:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-05 23:23 . 2010-04-05 23:23 -------- d-----w- c:\windows\Sun
2010-04-05 12:54 . 2010-04-05 12:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-03 23:42 . 2010-04-03 23:42 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-04-03 23:42 . 2010-04-03 23:42 16 ----a-w- c:\windows\system32\asdict.dat
2010-04-03 22:46 . 2010-04-03 22:46 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\BitDefender
2010-04-03 22:45 . 2010-04-09 21:48 -------- d-----w- c:\programdata\BitDefender
2010-04-03 22:45 . 2010-04-09 21:48 -------- d-----w- c:\program files\BitDefender
2010-04-03 22:02 . 2010-04-09 21:48 -------- d-----w- c:\program files\Common Files\BitDefender
2010-04-03 21:16 . 2010-04-03 21:16 -------- d-----w- c:\program files\Common Files\Panda Security
2010-04-02 14:07 . 2010-04-16 14:57 -------- d-----w- c:\program files\Lavasoft
2010-04-02 14:07 . 2010-04-16 14:57 -------- d-----w- c:\programdata\Lavasoft
2010-04-02 02:34 . 2010-04-02 02:34 -------- d-----w- c:\users\Guest\AppData\Local\Diagnostics
2010-03-31 21:56 . 2010-04-04 21:55 -------- d-----w- c:\users\Tirso Moscoso\AppData\Local\ElevatedDiagnostics
2010-03-31 21:03 . 2010-03-31 21:14 -------- d-----w- c:\users\Guest\AppData\Local\Adobe
2010-03-31 20:04 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-29 12:17 . 2010-03-29 12:17 -------- d-----w- c:\program files\AVG
2010-03-29 12:16 . 2010-04-09 21:44 -------- d-----w- c:\programdata\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-27 16:45 . 2010-04-09 22:56 -------- d-----w- c:\programdata\Kaspersky Lab
2010-04-26 20:51 . 2009-09-03 08:22 -------- d-----w- c:\programdata\Norton
2010-04-26 19:19 . 2009-12-16 15:14 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\LimeWire
2010-04-15 11:12 . 2009-10-20 13:12 -------- d-----w- c:\programdata\Microsoft Help
2010-04-09 23:27 . 2010-04-09 23:27 280592 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\6.0\klif.sys
2010-04-09 23:27 . 2010-04-09 23:27 264720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-04-09 23:27 . 2010-04-09 23:27 128016 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2010-04-09 23:27 . 2009-05-24 19:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-04-09 23:27 . 2010-04-09 22:57 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-09 23:27 . 2010-04-09 22:57 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-09 23:27 . 2010-04-09 23:27 109072 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-04-09 23:27 . 2010-04-09 23:27 59920 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-04-09 23:27 . 2010-04-09 23:27 264720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-04-09 23:27 . 2010-04-09 23:27 280592 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\6.0\klif.sys
2010-04-09 23:27 . 2010-04-09 23:27 128016 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\sys\i386\kl1.sys
2010-04-09 22:56 . 2010-04-09 22:56 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-09 22:24 . 2009-09-03 08:22 -------- d-----w- c:\program files\Norton Internet Security
2010-04-09 16:01 . 2009-10-19 20:04 72200 ----a-w- c:\windows\system32\drivers\BdfNdisf6.sys
2010-04-07 21:59 . 2009-09-03 08:22 -------- d-----w- c:\programdata\NortonInstaller
2010-04-05 20:07 . 2009-11-10 15:39 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\skypePM
2010-04-05 13:21 . 2009-11-10 15:37 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\Skype
2010-03-29 01:50 . 2009-09-03 08:24 -------- d-----w- c:\programdata\WildTangent
2010-03-28 19:54 . 2010-03-28 19:54 300 ----a-w- c:\windows\system32\stsf.bat
2010-03-28 15:55 . 2010-03-28 15:55 -------- d-----w- c:\users\Tirso Moscoso\AppData\Roaming\iWin
2010-03-24 15:33 . 2010-03-24 15:33 1670392 ----a-w- c:\programdata\WildTangent\TOSHIBA Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-03-24 15:33 . 2009-09-03 08:24 -------- d-----w- c:\program files\TOSHIBA Games
2010-03-23 18:14 . 2010-03-23 18:14 -------- d-----w- c:\users\Guest\AppData\Roaming\TOSHIBA
2010-03-19 15:14 . 2009-09-03 08:27 -------- d-----w- c:\program files\Google
2010-03-19 13:00 . 2010-03-19 13:00 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb94D1.tmp.exe
2010-03-16 20:01 . 2010-03-16 20:01 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-03-13 00:40 . 2010-03-13 00:40 -------- d-----w- c:\program files\Veetle
2010-02-24 14:16 . 2009-11-07 23:15 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-02 07:45 . 2010-02-24 12:07 2048 ----a-w- c:\windows\system32\tzres.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-11-07 23:06 . 2009-11-07 23:06 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

[HKLM\~\startupfolder\C:^Users^Tirso Moscoso^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Tirso Moscoso\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

R2 esteswtb;Microsoft Composite Battery Helper;c:\windows\System32\svchost.exe [2009-07-14 20992]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 135664]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-17 171008]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-25 1343400]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-05-15 21008]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-05-17 19472]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


--- Other Services/Drivers In Memory ---

*Deregistered* - lrfhbp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
esteswtb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\mytoshiba.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 15:14]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-19 15:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain ... &bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain ... &bmod=TSNA
IE: Agregar al componente Anti-Banners - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe_Reader - c:\program files\internet explorer\wmpscfgs.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/rswin_3653.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\lrfhbp]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,24,65,27,71,5e,9b,49,9d,8c,45,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,24,65,27,71,5e,9b,49,9d,8c,45,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-27 16:44:13
ComboFix-quarantined-files.txt 2010-04-27 21:44
ComboFix2.txt 2010-04-27 17:39

Pre-Run: 207,423,082,496 bytes free
Post-Run: 207,385,862,144 bytes free

- - End Of File - - 55909BF14E19E380A652D7DC4EEE2441
TMo
Active Member
 
Posts: 10
Joined: April 21st, 2010, 7:51 pm

Re: Problem: rootkit.win32.agent.bert

Unread postby deltalima » April 28th, 2010, 4:08 am

Hi TMo,

Please run a full scan with Kaspersky and let me know the details of any infected items that are found.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Problem: rootkit.win32.agent.bert

Unread postby TMo » April 28th, 2010, 1:26 pm

Hello deltalima,

I ran a full scan with Kaspersky and it came back clean. My computer seems to be working much better now.

Let me know what else, if anything, needs to be done. Not sure what you did but it seems to be working!

Thanks,

TMo
TMo
Active Member
 
Posts: 10
Joined: April 21st, 2010, 7:51 pm

Re: Problem: rootkit.win32.agent.bert

Unread postby deltalima » April 28th, 2010, 2:15 pm

Hi TMo,

> scan with Kaspersky and it came back clean. My computer seems to be working much better now

That's good to hear.

> Not sure what you did but it seems to be working


Combofix fixed the problems. A word of caution, however: it is inadvisable to run Combofix without guidance from a helper on a forum such as this.

A few jobs to do to finish off.

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


Now close all other open windows and then click on Fix Checked. Close HijackThis.

You should download and install the newest version of Adobe Reader for reading PDF files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.3 are vulnerable.
  • Go HERE, UNCHECK any Free Add-Ons, and click Download to install the latest version of Adobe Acrobat Reader.
  • After it completes the Installation, close the Download Manager.

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 20.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version

Let me know when complete and we can finish off by removing the tools that have been installed.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
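The entries the helper acts on in this thread share a pattern a defender can check for mechanically: HijackThis O2/O3 lines whose target is "(no file)" (a CLSID left behind after its DLL is gone), a service name listed in the Svchost NetSvcs group that has no matching service line, and a service that ComboFix reports as *Deregistered*. The Python script below is an added example, not code from this thread, from HijackThis or from ComboFix; it parses log lines of the same shape. The sample log is constructed from fragments of the excerpts above plus one made-up, benign O2 line with an all-zero CLSID so that the filter has something to leave alone.

```python
"""Triage helper for HijackThis / ComboFix style log lines (added example).

Flags three kinds of entries that the thread above treats as worth a look:
  * O2/O3 HijackThis lines whose target is "(no file)" (orphaned CLSIDs)
  * names listed under the Svchost NetSvcs group with no S<n>/R<n> service line
  * services reported as *Deregistered* (present in memory, gone from the registry)
"""
import re
from typing import Dict, List

# Constructed sample: fragments of the log excerpts in this thread, plus one
# benign O2 line with a placeholder CLSID and path (not from the thread).
SAMPLE_LOG = r"""
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-05-17 19472]

*Deregistered* - lrfhbp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
esteswtb

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O2 - BHO: Example BHO - {00000000-0000-0000-0000-000000000000} - c:\example\bho.dll
"""

# "S2 name;description;path [yyyy-mm-dd size]" service lines
SERVICE_RE = re.compile(r"^[SR]\d\s+([^;]+);[^;]*;.*\[\d{4}-\d{2}-\d{2}\s+\d+\]\s*$")
# "*Deregistered* - name"
DEREG_RE = re.compile(r"^\*Deregistered\*\s*-\s*(\S+)\s*$")
# header line that opens the NetSvcs group listing
NETSVCS_RE = re.compile(r"\\Svchost\s*-\s*NetSvcs\s*$", re.IGNORECASE)
# "O2 - BHO: name - {CLSID} - target" / "O3 - Toolbar: name - {CLSID} - target"
HJT_RE = re.compile(r"^O[23]\s+-\s+.*?-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the suspicious entries found in a HijackThis/ComboFix style log."""
    registered = set()       # lower-cased names that have a real service line
    netsvcs: List[str] = []  # names listed under the NetSvcs svchost group
    deregistered: List[str] = []
    orphaned: List[str] = []
    in_netsvcs = False

    for raw in log_text.splitlines():
        line = raw.strip()
        if in_netsvcs:
            # the group listing ends at a blank line or at the next registry key
            if not line or line.startswith("["):
                in_netsvcs = False
            else:
                netsvcs.append(line)
                continue
        if NETSVCS_RE.search(line):
            in_netsvcs = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            registered.add(m.group(1).strip().lower())
            continue
        m = DEREG_RE.match(line)
        if m:
            deregistered.append(m.group(1))
            continue
        m = HJT_RE.match(line)
        if m and m.group(2).strip().lower() == "(no file)":
            orphaned.append(m.group(1))

    # a NetSvcs member with no service line is the "esteswtb" situation above
    unbacked = [name for name in netsvcs if name.lower() not in registered]
    return {
        "orphaned_clsids": orphaned,
        "unbacked_netsvcs": unbacked,
        "deregistered": deregistered,
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"{kind}: {item}")
```

The script only reads log text; it does not touch the registry, which keeps it safe to run on any saved log. A NetSvcs name with no service line, or a deregistered service with a random-looking name, is a reason to ask a helper to look, not proof of infection on its own.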