MalwareRemoval.com

Rootkit removed, strange computer behavior

Re: Rootkit removed, strange computer behavior

Unread postby Gary R » November 6th, 2012, 2:12 am

OK, you need to change the properties of the folder from Read Only, to do that ....

  • Navigate to C:\Windows\Minidump
  • Right click on the Minidump folder and select Properties
  • In the Attributes section uncheck Read-only (Only applies to files in folder) by clicking on the button till it's not highlighted.
  • Click OK

You should be able to access them now.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Rootkit removed, strange computer behavior

Unread postby calai » November 6th, 2012, 3:20 am

Hi.

Yes, I did that, but after I clicked "OK" there was an "Access Denied" window that said "You will need to provide administrator permission to change these attributes. Click Continue to complete this operation." So I clicked "continue," but then the properties window closed, and I was back to the C:\Windows\Minidump folder with nothing changed.

Also, the Minidump folder has a symbol on it that looks like a padlock.

I still cannot read the files.. :/
calai
Regular Member
Posts: 21
Joined: November 4th, 2012, 4:38 am

Re: Rootkit removed, strange computer behavior

Unread postby Gary R » November 6th, 2012, 6:34 am

OK, let's try the following ....

  • Click Start and in the Search programs and files box type Notepad
  • At the top of the list of finds you will find a Notepad icon, right click on it and select Run as Administrator
  • A Notepad window will open ...
    • Click File > Open and navigate to the C:\Windows\Minidump folder.
    • Double click on the first of the files I listed and it should open in Notepad.
    • Repeat for each of the files.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Rootkit removed, strange computer behavior

Unread postby calai » November 6th, 2012, 1:36 pm

That seemed to work, but the logs have many weird symbols on them. Here's a sample of 110412-986587-01. One log is too large to post...

calai
Regular Member
Posts: 21
Joined: November 4th, 2012, 4:38 am
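The file opened in Notepad above begins with the "PAGEDU64" marker that 64-bit Windows kernel dumps carry in their first eight bytes, and the rest is binary, which is why it looks like noise in a text editor. As an added example (not part of the thread, and not the tool the helper used to read the dump), here is a small Python parser that reads the public header fields of such a dump and reports a truncated file, or one without the marker, as unreadable instead of guessing. The sample header it builds is constructed for the demonstration; it is not the poster's file.

```python
import struct

# Public layout of the 64-bit kernel DUMP_HEADER (byte offsets). The real header
# is larger; only this prefix is needed to read the bug-check information.
SIGNATURE = b"PAGE"       # offset 0x00
VALID_DUMP = b"DU64"      # offset 0x04, together seen as "PAGEDU64" in Notepad
OFF_VERSION = 0x08        # MajorVersion, MinorVersion (ULONG each)
OFF_MACHINE = 0x30        # MachineImageType, NumberProcessors, BugCheckCode (ULONG each)
OFF_PARAMS = 0x40         # four ULONG64 bug-check parameters
MIN_HEADER = OFF_PARAMS + 4 * 8   # smallest prefix this parser accepts (96 bytes)


def parse_dump_header64(data: bytes) -> dict:
    """Return the header fields of a 64-bit kernel dump, or raise ValueError.

    A file that is shorter than the prefix, or whose first eight bytes are not
    PAGEDU64, is treated as unreadable rather than interpreted.
    """
    if len(data) < MIN_HEADER:
        raise ValueError(f"only {len(data)} bytes, header prefix needs {MIN_HEADER}")
    if data[:4] != SIGNATURE or data[4:8] != VALID_DUMP:
        raise ValueError(f"no PAGEDU64 marker, file starts with {data[:8]!r}")
    major, minor = struct.unpack_from("<II", data, OFF_VERSION)
    machine, ncpu, bugcheck = struct.unpack_from("<III", data, OFF_MACHINE)
    params = struct.unpack_from("<4Q", data, OFF_PARAMS)
    return {
        "major": major,        # 0xF marks a free (retail) build
        "build": minor,        # OS build number, e.g. 7600 as in the OTL log below
        "machine": machine,    # 0x8664 = x64
        "ncpu": ncpu,
        "bugcheck": bugcheck,  # the STOP (bug check) code
        "params": params,
    }


def describe(data: bytes) -> str:
    """One-line triage summary, or an 'unreadable' verdict for a damaged file."""
    try:
        h = parse_dump_header64(data)
    except ValueError as exc:
        return f"unreadable: {exc}"
    p = " ".join(f"{x:016X}" for x in h["params"])
    return (f"BugCheck 0x{h['bugcheck']:08X} params {p} | build {h['build']} "
            f"| machine 0x{h['machine']:04X} | {h['ncpu']} CPU(s)")


def build_sample_header(bugcheck: int, params: tuple, ncpu: int = 2,
                        machine: int = 0x8664, build: int = 7600) -> bytes:
    """Constructed sample header for the demo; it is not the poster's dump file."""
    # Unused header space is PAGE-filled, which is the "PAGEPAGEPAGE" run a
    # text editor shows when it opens a real dump.
    buf = bytearray(b"PAGE" * (MIN_HEADER // 4))
    buf[0:8] = SIGNATURE + VALID_DUMP
    struct.pack_into("<II", buf, OFF_VERSION, 0xF, build)
    struct.pack_into("<III", buf, OFF_MACHINE, machine, ncpu, bugcheck)
    struct.pack_into("<4Q", buf, OFF_PARAMS, *params)
    return bytes(buf)


if __name__ == "__main__":
    good = build_sample_header(0x7E, (0xFFFFFFFFC0000005, 0xFFFFF80002A1B000, 0, 0))
    print(describe(good))
    print(describe(good[:40]))              # truncated copy of the same header
    print(describe(b"MDMP" + bytes(92)))    # user-mode minidump marker, not a kernel dump
```

Run it against a copy of a file from C:\Windows\Minidump to get the same summary, or an "unreadable" line if the file is damaged.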

Re: Rootkit removed, strange computer behavior

Unread postby Gary R » November 6th, 2012, 5:50 pm

OK, that doesn't really get us anywhere.

The file is corrupted so I can't do a full diagnosis of it, the only thing I've been able to ascertain is that your computer crashed with an error code of 8001 which resolves to ... "The file replication service API was called incorrectly".

So far I've found no evidence of any Malware on your computer, and because it's corrupted I would not place any reliance on the "results" derived from the log you've just posted.

I'd like to see if a general malware scan can detect something that's evaded us so far .....

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go HERE then click on: Image
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply please.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Rootkit removed, strange computer behavior

Unread postby calai » November 7th, 2012, 1:24 am

Here it is:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=dbf2680b32ce0444ab9bd2a9620f4b99
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-11-07 05:03:46
# local_time=2012-11-06 09:03:46 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776573 100 94 0 103800905 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=170018
# found=0
# cleaned=0
# scan_time=7171
calai
Regular Member
Posts: 21
Joined: November 4th, 2012, 4:38 am

Re: Rootkit removed, strange computer behavior

Unread postby Gary R » November 7th, 2012, 2:27 am

Still no sign of any Malware.

I think at this point that it's fair to say that whatever is causing your problems it's not related to any active Malware on your computer, and is therefore either due to some incidental software damage caused by the Malware when it was on your machine, some incidental software damage caused by its removal by your AV program, or it's due to some sort of hardware malfunction.

It would help if I knew exactly what Avast removed. Logs for Avast are usually kept in .... C:\ProgramData\AVAST Software\Avast\log .... (or were the last time I used Avast), so please see if you can find any log files for the items that were detected and removed and post them here if you can.

Other than that we're pretty much fishing in the dark, and to get your computer running correctly again, it may be quicker just to back up your personal files and folders, then reformat your hard drive and reinstall Windows.

Alternately I can pass you on to a forum that specialises in non-Malware related issues, and they may be able to troubleshoot your problem. I can recommend a few very good ones. My speciality is Malware removal, and as I said, so far I've seen no signs of Malware on your computer.

Please let me know how you want to proceed.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Rootkit removed, strange computer behavior

Unread postby calai » November 7th, 2012, 1:15 pm

Hi.

I couldn't find that log, so I took a screen shot of the infected files that were detected when I ran Avast.

Here they are

http://tinypic.com/r/35jjad3/6

http://tinypic.com/r/ek0rc2/6

I think I am still infected.... Whenever, I have to put a password before I can reach my desktop. Today, however, that screen was completely bypassed and I didn't have to put in my admin password...

What about that hidden partition that was labeled "suspicious" in the first log? Is that something to be concerned about or is that normal?
calai
Regular Member
Posts: 21
Joined: November 4th, 2012, 4:38 am

Re: Rootkit removed, strange computer behavior

Unread postby Gary R » November 7th, 2012, 8:28 pm

As far as I can see your Partition Structure is fine. The "suspicious" partition is not active (bootable) and is the wrong size (10 GB) for a partition installed by a Rootkit, which are typically 1-2 MB in size, and never exceed 10 MB. Toshiba computers typically come with recovery partitions of 10GB; the partition was flagged solely because of its partition type (17).

From what I can see your AV detection looks like a false positive, and the files removed are not related to a rootkit, but are related to .NET activity.

It's hard to be sure about this without being able to scan the files with other AV programs.

Did you allow Avast to remove them, or did you Quarantine them? If the latter, I advise you to de-Quarantine them, then we'll be able to test them with a number of other AV programs.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Rootkit removed, strange computer behavior

Unread postby calai » November 8th, 2012, 2:05 am

Hi.

Avast removed the files. Did the .net activity cause my computer to act so strangely?

I guess we'll just have to leave it at that. Thanks for your time and help!
calai
Regular Member
Posts: 21
Joined: November 4th, 2012, 4:38 am

Re: Rootkit removed, strange computer behavior

Unread postby calai » November 8th, 2012, 1:35 pm

I'm back. I found some icons on my desktop that were never there when I started up my computer this morning. My system folders were all moved to my desktop....? That includes the computer icon, and the one with my admin name on it.

There's also a "~$CA study guide.docx" file on my desktop that I can't open. When I click on it, a message pops up that says "Do you want to recover the contents of this document? If you trust the source of the document, click Yes."

Is this a hardware problem?

What should I do next? If it is a hardware problem, can you direct me to someone who can help me?

Thank you.
calai
Regular Member
Posts: 21
Joined: November 4th, 2012, 4:38 am

Re: Rootkit removed, strange computer behavior

Unread postby Gary R » November 8th, 2012, 2:01 pm

Please run a new scan with OTL ....

  • Double click OTL.exe to launch the programme.
  • Check the following.
    • Scan all users.
    • Standard Output.
    • Lop check.
    • Purity check.
  • Under Extra Registry section, select Use SafeList
  • Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  • When finished it will produce two logs.
    • OTL.txt (open on your desktop).
    • Extras.txt (minimised in your taskbar)
  • Please post me both logs.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Rootkit removed, strange computer behavior

Unread postby calai » November 8th, 2012, 3:34 pm

Hi, here it is.

OTL logfile created on: 11/8/2012 11:12:23 AM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Clare\Desktop\logs and scanners
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.96 Gb Total Physical Memory | 2.81 Gb Available Physical Memory | 70.98% Memory free
7.93 Gb Paging File | 6.68 Gb Available in Paging File | 84.31% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 453.61 Gb Total Space | 399.35 Gb Free Space | 88.04% Space Free | Partition Type: NTFS
Drive E: | 7.47 Gb Total Space | 0.39 Gb Free Space | 5.21% Space Free | Partition Type: FAT32
Drive F: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: CLARE-PC | User Name: Clare | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/04 14:05:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Clare\Desktop\logs and scanners\OTL.exe
PRC - [2012/07/03 08:21:30 | 004,273,976 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/07/03 08:21:29 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2009/08/11 10:37:50 | 002,446,648 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
PRC - [2009/07/14 18:10:30 | 000,042,368 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
PRC - [2009/07/02 10:05:00 | 000,252,288 | ---- | M] (TOSHIBA) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
PRC - [2009/03/10 17:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2008/09/25 14:49:00 | 000,195,080 | ---- | M] (LSI Corp.) -- C:\Program Files\ltmoh\ltmoh.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/27 06:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 06:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll


========== Services (SafeList) ==========

SRV:64bit: - [2012/07/03 08:21:29 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2009/08/27 12:38:22 | 000,251,760 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
SRV:64bit: - [2009/08/21 08:31:06 | 000,488,800 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV:64bit: - [2009/08/04 10:15:06 | 000,826,224 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
SRV:64bit: - [2009/08/03 17:17:56 | 000,137,560 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV:64bit: - [2009/07/28 14:48:06 | 000,140,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)
SRV:64bit: - [2009/07/13 17:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/08 08:41:02 | 000,531,520 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\ThpSrv.exe -- (Thpsrv)
SRV:64bit: - [2009/07/07 08:38:24 | 000,065,904 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\rselect\RSelSvc.exe -- (RSELSVC)
SRV:64bit: - [2009/03/27 17:10:16 | 000,016,896 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agr64svc.exe -- (AgereModemAudio)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/08/17 09:48:42 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2009/08/10 18:55:58 | 000,248,688 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe -- (cfWiMAXService)
SRV - [2009/07/14 18:10:30 | 000,042,368 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe -- (ConfigFree Gadget Service)
SRV - [2009/06/10 13:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/05/22 10:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/03/10 17:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/08/21 12:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/07/09 12:42:54 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/07/03 08:21:52 | 000,958,400 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2012/07/03 08:21:52 | 000,355,856 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2012/07/03 08:21:52 | 000,071,064 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2012/07/03 08:21:51 | 000,025,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012/02/29 22:54:38 | 000,022,896 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/03/10 22:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 22:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/08/27 07:07:06 | 007,369,600 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/08/26 17:11:12 | 000,942,080 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rtl8192se.sys -- (rtl8192se)
DRV:64bit: - [2009/07/30 19:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV:64bit: - [2009/07/28 17:24:12 | 000,081,408 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\risdpe64.sys -- (risdpcie)
DRV:64bit: - [2009/07/28 09:10:44 | 000,016,448 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\PMCF.sys -- (PMCF)
DRV:64bit: - [2009/07/24 14:57:08 | 000,482,384 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tos_sps64.sys -- (tos_sps64)
DRV:64bit: - [2009/07/21 13:03:34 | 001,208,320 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)
DRV:64bit: - [2009/07/14 14:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)
DRV:64bit: - [2009/07/13 17:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 17:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 17:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 17:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 15:36:22 | 000,253,488 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2009/07/13 15:31:10 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/07/13 13:59:33 | 005,020,672 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/07/10 05:45:12 | 000,139,264 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV:64bit: - [2009/07/04 18:27:02 | 000,055,808 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rixdpe64.sys -- (rixdpcie)
DRV:64bit: - [2009/07/02 07:54:52 | 000,060,416 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimspe64.sys -- (rimspci)
DRV:64bit: - [2009/06/29 15:16:20 | 000,014,784 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\Thpevm.sys -- (Thpevm)
DRV:64bit: - [2009/06/29 09:25:22 | 000,034,880 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\thpdrv.sys -- (Thpdrv)
DRV:64bit: - [2009/06/22 16:06:38 | 000,035,008 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PGEffect.sys -- (PGEffect)
DRV:64bit: - [2009/06/19 18:15:22 | 000,014,472 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TVALZFL.sys -- (TVALZFL)
DRV:64bit: - [2009/06/10 12:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 12:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 12:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 12:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/04 17:54:36 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/05/22 21:52:30 | 000,215,040 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV - [2009/07/13 17:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {3B7A0D2D-0622-49BA-BBB7-38B3E2A26CB5}
IE:64bit: - HKLM\..\SearchScopes\{3B7A0D2D-0622-49BA-BBB7-38B3E2A26CB5}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=TSNA
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=TSNA
IE - HKLM\..\SearchScopes,DefaultScope = {D7FA7D00-4E3C-4B8E-851A-E3446BECB6E8}
IE - HKLM\..\SearchScopes\{D7FA7D00-4E3C-4B8E-851A-E3446BECB6E8}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1683235390-313515724-745283322-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=TSNA
IE - HKU\S-1-5-21-1683235390-313515724-745283322-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=TSNA
IE - HKU\S-1-5-21-1683235390-313515724-745283322-1001\..\SearchScopes,DefaultScope = {D7FA7D00-4E3C-4B8E-851A-E3446BECB6E8}
IE - HKU\S-1-5-21-1683235390-313515724-745283322-1001\..\SearchScopes\{D7FA7D00-4E3C-4B8E-851A-E3446BECB6E8}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA_enUS489
IE - HKU\S-1-5-21-1683235390-313515724-745283322-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1683235390-313515724-745283322-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Clare\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Clare\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)



========== Chrome ==========

CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Clare\AppData\Local\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Clare\AppData\Local\Google\Chrome\Application\22.0.1229.94\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Clare\AppData\Local\Google\Chrome\Application\22.0.1229.94\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.140.8 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeploytk.dll
CHR - plugin: Java(TM) Platform SE 6 U14 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.2.183.13\npGoogleOneClick8.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Clare\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\Clare\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\Clare\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: avast! WebRep = C:\Users\Clare\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1456_0\
CHR - Extension: Gmail = C:\Users\Clare\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2009/06/10 13:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1683235390-313515724-745283322-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [] File not found
O4:64bit: - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\ltmoh.exe (LSI Corp.)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [SmartFaceVWatcher] C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [ThpSrv] C:\windows\SysNative\thpsrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosWaitSrv] C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe (Toshiba)
O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TUSBSleepChargeSrv] C:\Program Files (x86)\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe (TOSHIBA)
O4 - HKLM..\Run: [TWebCamera] C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA CORPORATION.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1683235390-313515724-745283322-1001..\Run: [pronto] "C:\Program Files (x86)\Blackboard\Blackboard IM\blackboardim.exe" File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 10.5.1)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 10.5.1)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C6CBED51-5350-423E-8678-E4897801E8F3}: DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/06 04:26:23 | 000,000,309 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{5c25a8fc-26c6-11e2-8ed8-90e6ba5d623b}\Shell - "" = AutoRun
O33 - MountPoints2\{5c25a8fc-26c6-11e2-8ed8-90e6ba5d623b}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- [2007/10/22 23:45:39 | 001,336,632 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/08 10:13:34 | 000,000,000 | ---D | C] -- C:\Users\Clare\AppData\Roaming\U3
[2012/11/07 10:25:51 | 000,000,000 | ---D | C] -- C:\MGtools
[2012/11/07 10:17:16 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/11/07 10:16:19 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012/11/07 09:57:13 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2012/11/07 09:57:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/11/07 09:27:32 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/11/05 22:55:35 | 000,000,000 | ---D | C] -- C:\Users\Clare\Documents\OneNote Notebooks
[2012/11/04 12:36:08 | 000,000,000 | ---D | C] -- C:\windows\Minidump
[2012/11/04 11:48:37 | 000,000,000 | ---D | C] -- C:\Users\Clare\Desktop\logs and scanners
[2012/10/21 15:13:41 | 000,000,000 | ---D | C] -- C:\Users\Clare\AppData\Roaming\HorizonWimba
[2012/10/21 15:13:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Blackboard
[2012/10/10 21:39:26 | 005,505,904 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntoskrnl.exe
[2012/10/10 21:39:25 | 003,958,128 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntkrnlpa.exe
[2012/10/10 21:39:25 | 003,902,832 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntoskrnl.exe
[2012/10/10 21:39:17 | 001,162,240 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\kernel32.dll
[2012/10/10 21:39:17 | 000,425,984 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\KernelBase.dll
[2012/10/10 21:39:17 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\conhost.exe
[2012/10/10 21:39:17 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64.dll
[2012/10/10 21:39:17 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\winsrv.dll
[2012/10/10 21:39:17 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\setup16.exe
[2012/10/10 21:39:16 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64win.dll
[2012/10/10 21:39:16 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\ntvdm64.dll
[2012/10/10 21:39:16 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\ntvdm64.dll
[2012/10/10 21:39:16 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wow64cpu.dll
[2012/10/10 21:39:16 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\instnm.exe
[2012/10/10 21:39:16 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2012/10/10 21:39:16 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2012/10/10 21:39:16 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2012/10/10 21:39:16 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2012/10/10 21:39:16 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\wow32.dll
[2012/10/10 21:39:16 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2012/10/10 21:39:16 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2012/10/10 21:39:16 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2012/10/10 21:39:15 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\windows\SysWow64\user.exe
[2012/10/10 21:39:09 | 000,220,160 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\wintrust.dll
[2012/10/10 21:38:47 | 001,462,784 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\crypt32.dll
[2012/10/10 21:38:46 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\cryptnet.dll
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/08 11:03:00 | 000,000,898 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/08 09:53:55 | 000,743,352 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2012/11/08 09:53:55 | 000,636,630 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2012/11/08 09:53:55 | 000,110,746 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2012/11/08 09:18:40 | 000,015,792 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/08 09:18:40 | 000,015,792 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/08 09:06:25 | 000,000,894 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/08 09:03:33 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/11/08 09:01:04 | 3192,262,656 | -HS- | M] () -- C:\hiberfil.sys
[2012/11/07 11:56:43 | 000,184,790 | ---- | M] () -- C:\MGlogs.zip
[2012/11/07 09:24:30 | 000,000,000 | ---- | M] () -- C:\Users\Clare\defogger_reenable
[2012/11/05 22:55:35 | 000,001,317 | ---- | M] () -- C:\Users\Clare\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2012/11/02 18:16:54 | 000,000,350 | -H-- | M] () -- C:\windows\tasks\avast! Emergency Update.job
[2012/11/02 18:16:54 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\config.nt
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/07 10:25:53 | 000,184,790 | ---- | C] () -- C:\MGlogs.zip
[2012/11/07 09:24:30 | 000,000,000 | ---- | C] () -- C:\Users\Clare\defogger_reenable
[2012/11/05 22:55:35 | 000,001,317 | ---- | C] () -- C:\Users\Clare\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2012/11/02 18:16:54 | 000,000,350 | -H-- | C] () -- C:\windows\tasks\avast! Emergency Update.job
[2012/06/21 12:11:16 | 000,000,016 | RHS- | C] () -- C:\windows\SysWow64\drivers\fbd.sys
[2012/06/21 12:05:42 | 000,000,000 | ---- | C] () -- C:\windows\NDSTray.INI

========== ZeroAccess Check ==========

[2009/07/13 20:55:00 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 21:30:56 | 014,165,504 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 20:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 17:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/13 17:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 17:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/10/23 19:00:19 | 000,000,000 | ---D | M] -- C:\Users\Clare\AppData\Roaming\HorizonWimba
[2012/06/21 12:10:44 | 000,000,000 | ---D | M] -- C:\Users\Clare\AppData\Roaming\WinBatch

========== Purity Check ==========



< End of report >
calai
Regular Member
Posts: 21
Joined: November 4th, 2012, 4:38 am

Re: Rootkit removed, strange computer behavior

Unread postby calai » November 8th, 2012, 3:34 pm

Extras:

OTL Extras logfile created on: 11/8/2012 11:12:23 AM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Clare\Desktop\logs and scanners
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.96 Gb Total Physical Memory | 2.81 Gb Available Physical Memory | 70.98% Memory free
7.93 Gb Paging File | 6.68 Gb Available in Paging File | 84.31% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 453.61 Gb Total Space | 399.35 Gb Free Space | 88.04% Space Free | Partition Type: NTFS
Drive E: | 7.47 Gb Total Space | 0.39 Gb Free Space | 5.21% Space Free | Partition Type: FAT32
Drive F: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: CLARE-PC | User Name: Clare | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00A7FDD7-B511-4FAE-9BDC-9ACB91CE4793}" = lport=10243 | protocol=6 | dir=in | app=system |
"{0DAEF0FE-8B27-43CE-B75B-9AD868EE4726}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{13586AAC-0638-4245-B097-285378D234F8}" = lport=445 | protocol=6 | dir=in | app=system |
"{21B91CFD-FBCD-495B-892D-6D8C9C704C31}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{4F33F0EC-3CB2-4CB1-B6AD-D490A7763F5D}" = lport=137 | protocol=17 | dir=in | app=system |
"{4F5CB35F-242C-443A-90D1-628E39B40D57}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{532B0995-FB4D-43A5-93C9-0782CDB73065}" = lport=139 | protocol=6 | dir=in | app=system |
"{5DEA55BD-2BBB-4315-B725-822484B2BA85}" = rport=137 | protocol=17 | dir=out | app=system |
"{67B2E4F6-FC4F-49BC-8642-ACE493255854}" = rport=10243 | protocol=6 | dir=out | app=system |
"{6A136FD3-E77D-42E6-AFA3-743EABEA2B31}" = lport=2869 | protocol=6 | dir=in | app=system |
"{6F07C5EB-C402-4B8F-B87F-C96FCD2039F9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{8086C7DA-42F4-4942-96BB-B91B304598EC}" = rport=138 | protocol=17 | dir=out | app=system |
"{8855A226-B257-4169-9D0A-503653393982}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\outlook.exe |
"{9008E89C-6903-4043-AB8B-E046E059FEAC}" = lport=138 | protocol=17 | dir=in | app=system |
"{9DFCC55E-A87B-4664-8EF9-8F4A99E3FA40}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{A41752D1-5A0A-459E-A694-CFA7DF94BDE8}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{A8663AE8-805E-4B8C-8157-1D41D6123D9E}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{AB246796-02D9-4114-B531-59D3AB359320}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{B016A249-75CC-4BCA-915D-F429DAADC12E}" = rport=445 | protocol=6 | dir=out | app=system |
"{BD5816B4-1DDB-493C-9183-18D95816F492}" = lport=2869 | protocol=6 | dir=in | app=system |
"{BE4EC912-1404-4CAA-940A-8E506C8C1246}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{C530279B-AAB1-4B2F-9E9B-F1FD56408E2E}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{D6303457-A533-4054-A981-C42ABE1197BA}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{D826C7A5-9D3A-4D41-8420-B6FCACEC3071}" = rport=139 | protocol=6 | dir=out | app=system |
"{DDD95C13-CEA1-42A8-A37F-4E4F7C452873}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F41200F7-15C6-4667-A276-B8D12C78F722}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{059C637F-48CF-492A-B03B-D70D0810B808}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
"{07E28288-105C-4E5B-890B-CFA7965C01FF}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{0803C091-0CD8-47C0-8A92-4424615A0687}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{0BFC5002-0E9D-4C2E-8649-F3B09CFAF79C}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{0E241E3B-DF14-40E4-B25E-4FECBDF33B27}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{20A1F1BB-73C6-4B01-80EB-1B2AD8F1105E}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{290F572B-CB4D-492F-B17A-B23B16AFBB4A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{305B69DA-4E2A-41EB-948C-9963CFACDCBD}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{36E2AE94-70A8-462F-AF4D-6F2896AD1F5B}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |
"{384F2968-1697-4331-B8AE-4020A8DA9321}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{3A8E3F23-5242-4F05-82C7-9AE505593FA9}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{4ED0E8A4-432C-4B0F-B1D6-A1243797BE89}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{509A8F14-CF29-4EDB-B6B7-257FAF6CA38D}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{637E4843-F3C5-4867-A17A-EA39E6885DA8}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{673DBC1C-EA18-44F3-B13A-28360E9103CD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{688D744D-F3D9-4BC4-AF17-0285D3B8C883}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{694DACA9-27C9-410F-9B6C-515F82FA9FE2}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{75E44963-4CDA-4958-8D2A-82257E34B231}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{784A7E67-9C46-4AFC-8030-848883AFF300}" = dir=in | app=c:\program files (x86)\windows live\sync\windowslivesync.exe |
"{89BBE133-A90E-4DEE-A8BA-8B78AB642924}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{99E90D11-4B8D-411F-B62A-29B8843F1CF8}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{ABD22878-510E-4D15-9A91-7F96245C17BB}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{B94A8692-FB27-4034-9D7D-8CF8C99C90F9}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C2F69941-118A-4948-970F-10BEC5141773}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C7CAA46D-1CCB-40F3-9C05-0B27AA584B54}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{CEAA2B9B-1248-4E8E-A69C-E0DF1067609D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{E3D78090-27AF-4CDD-ACB7-29CD1C56C066}" = protocol=6 | dir=out | app=system |
"{EB07314D-3D07-4EA5-B550-97E8E8EA90D9}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{EE1743F4-E6BC-4054-9F71-D8F5B9447B46}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{EFA50CC9-1D8F-4CF0-9818-3F55EFE0A38B}" = dir=in | app=c:\program files (x86)\windows live\messenger\wlcsdk.exe |
"{F7FA5285-685F-4375-9E6F-4650AE420FD5}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{FA2B7EBA-5397-4A05-B74C-F21606934B06}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{1493B2AE-0261-47D2-B1AA-F4DAD0F6C48B}" = iTunes
"{20387B45-18A4-4D48-ABD9-A23D2CBE42B3}" = Dolby Control Center
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}" = Apple Mobile Device Support
"{89F7D66C-777D-473B-AA11-319C0F190EAC}" = TOSHIBA Internal Modem Region Select Utility
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}" = TOSHIBA PC Health Monitor
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator
"{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
"CCleaner" = CCleaner
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"LTMOH" = LSI V92 MOH Application
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"TOSHIBA Software Modem" = TOSHIBA Software Modem

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}" = MyToshiba
"{022CBB38-CEF0-42BA-906A-A49BEFAE0BEE}" = RICOH R5U230 Media Driver ver.2.06.03.02
"{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"{0FB630AB-7BD8-40AE-B223-60397D57C3C9}" = Realtek WLAN Driver
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1B87C40B-A60B-4EF3-9A68-706CF4B69978}" = TOSHIBA Assist
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 14
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java(TM) 7 Update 5
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3B843B38-04B1-4CE6-8888-586273E0F289}" = Quickbooks Financial Center
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50F68032-B5B7-4513-9116-C978DBD8F27A}" = DVD MovieFactory for TOSHIBA
"{5AF550B4-BB67-4E7E-82F1-2C4300279050}" = ToshibaRegistration
"{5E6F6CF3-BACC-4144-868C-E14622C658F3}" = TOSHIBA Web Camera Application
"{63EC2120-1742-4625-AA47-C6A8AEC9C64C}" = Apple Application Support
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}" = Toshiba Application Installer
"{9FE10246-A876-4979-B345-CADE6863BD8E}" = TOSHIBA Supervisor Password
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
"{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Toshiba Online Backup
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{D5D8637D-FA1C-4CAD-91FC-4ADB1C284A21}" = TOSHIBA Hardware Setup
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DA84ECBF-4B79-47F2-B34C-95C38484C058}" = Skype Launcher
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E487EE7D-EAAA-4E2A-9116-E3B477D8A74F}" = TOSHIBA USB Sleep and Charge Utility
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E69992ED-A7F6-406C-9280-1C156417BC49}" = Toshiba Quality Application
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F2004B8D-7791-4B35-A3FA-D8CA8BB4DD81}" = Direct DiscRecorder
"{F3529665-D75E-4D6D-98F0-745C78C68E9B}" = TOSHIBA ConfigFree
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"avast" = avast! Free Antivirus
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}" = TOSHIBA Value Added Package
"InstallShield_{50F68032-B5B7-4513-9116-C978DBD8F27A}" = DVD MovieFactory for TOSHIBA
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{89F7D66C-777D-473B-AA11-319C0F190EAC}" = TOSHIBA Internal Modem Region Select Utility
"InstallShield_{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}" = TOSHIBA eco Utility
"InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"InstallShield_{F2004B8D-7791-4B35-A3FA-D8CA8BB4DD81}" = Direct DiscRecorder
"InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}" = TOSHIBA Face Recognition
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"WildTangent toshiba Master Uninstall" = WildTangent Games
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1683235390-313515724-745283322-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 10/11/2012 4:04:53 AM | Computer Name = Clare-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3198

Error - 10/11/2012 4:04:53 AM | Computer Name = Clare-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3198

Error - 10/11/2012 4:04:54 AM | Computer Name = Clare-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/11/2012 4:04:54 AM | Computer Name = Clare-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4227

Error - 10/11/2012 4:04:54 AM | Computer Name = Clare-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4227

Error - 10/11/2012 4:04:55 AM | Computer Name = Clare-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 10/11/2012 4:04:55 AM | Computer Name = Clare-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 5241

Error - 10/11/2012 4:04:55 AM | Computer Name = Clare-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 5241

Error - 10/11/2012 7:07:31 PM | Computer Name = Clare-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 10/14/2012 10:52:15 PM | Computer Name = Clare-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

[ System Events ]
Error - 11/4/2012 3:43:57 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Network
Store Interface Service service to connect.

Error - 11/4/2012 3:43:57 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7000
Description = The Network Store Interface Service service failed to start due to
the following error: %%1053

Error - 11/4/2012 3:44:05 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the AudioSrv service.

Error - 11/4/2012 3:44:06 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the Network Store Interface Service
service which failed to start because of the following error: %%1053

Error - 11/4/2012 3:44:06 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the Network Store Interface Service
service which failed to start because of the following error: %%1053

Error - 11/4/2012 3:44:13 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7001
Description = The Workstation service depends on the Network Store Interface Service
service which failed to start because of the following error: %%1053

Error - 11/4/2012 3:44:14 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7024
Description = The Windows Firewall service terminated with service-specific error
%%87.

Error - 11/4/2012 3:44:22 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7001
Description = The IP Helper service depends on the Network Store Interface Service
service which failed to start because of the following error: %%1053

Error - 11/4/2012 3:44:23 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7001
Description = The Network Location Awareness service depends on the Network Store
Interface Service service which failed to start because of the following error:
%%1053

Error - 11/4/2012 3:44:29 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7023
Description = The Function Discovery Resource Publication service terminated with
the following error: %%-2147024882


< End of report >
calai
Regular Member
 
Posts: 21
Joined: November 4th, 2012, 4:38 am
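Triage of the System Events section of the log above, as an added example that is not part of this thread or of OTL itself: it re-joins the wrapped Description lines of the OTL "Last 20 Event Log Errors" layout, then separates the service that actually failed to start (Service Control Manager IDs 7000/7009) from the ID 7001 entries that only report a dependency on it, so a cascade like the DHCP/DNS/Workstation failures points back at one root cause. The sample text is abridged from the log above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the OTL "Last 20 Event Log Errors" layout (abridged from the log above).
SAMPLE = """[ System Events ]
Error - 11/4/2012 3:43:57 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Network
Store Interface Service service to connect.
Error - 11/4/2012 3:43:57 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7000
Description = The Network Store Interface Service service failed to start due to
the following error: %%1053
Error - 11/4/2012 3:44:06 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the Network Store Interface Service
service which failed to start because of the following error: %%1053
Error - 11/4/2012 3:44:14 PM | Computer Name = Clare-PC | Source = Service Control Manager | ID = 7024
Description = The Windows Firewall service terminated with service-specific error
%%87.
"""

HEADER = re.compile(r"^Error - (?P<time>.+?) \| Computer Name = (?P<host>.+?) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$")

def parse_events(text):
    """Return one dict per entry; OTL wraps long Description text, so continuation lines are re-joined."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "id": int(m["id"]), "description": ""})
        elif events and line and not line.startswith(("[", "<")):
            # Continuation of the current entry's Description; section headings and the report footer are skipped.
            part = line.removeprefix("Description = ")
            events[-1]["description"] = (events[-1]["description"] + " " + part).strip()
    return events

def triage(events):
    """Split Service Control Manager errors into root failures and the dependency cascades they cause."""
    root, cascade, other = {}, defaultdict(list), []
    for ev in events:
        d, scm = ev["description"], ev["source"] == "Service Control Manager"
        dep = re.match(r"The (.+?) service depends on the (.+?) service which failed", d)
        fail = re.search(r"The (.+?) service failed to start|waiting for the (.+?) service to", d)
        code = re.search(r"%%(-?\d+)", d)  # Windows error code, e.g. %%1053 = service did not respond in time
        if scm and ev["id"] == 7001 and dep:             # cascade: blame the dependency, not this service
            cascade[dep.group(2)].append(dep.group(1))
        elif scm and ev["id"] in (7000, 7009) and fail:  # root: the service that did not come up
            name = fail.group(1) or fail.group(2); root[name] = code.group(1) if code else root.get(name)
        else:
            other.append((ev["source"], ev["id"]))
    return {"root": root, "cascade": dict(cascade), "other": other}
```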

Re: Rootkit removed, strange computer behavior

Unread postby Gary R » November 8th, 2012, 7:34 pm

No sign of any substantive changes on your machine since the last OTL scan.

I do notice a couple of HitmanPro folders created yesterday. Have you installed HitmanPro?

If you have, I recommend you do not run it. HitmanPro has a poor record; it is unnecessarily aggressive, and has created more unbootable machines than any other program I know.

I'd like to have a look at the contents of your Desktop to see if that shows me anything ....

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box. (do not include the word Code:)
Code:
dir "%userprofile%\Desktop" /s /c

  • Click the None button to deselect the default scan settings.
  • Click the Run Scan button.
  • OTL will now process the instructions.
  • The scan log will open.
  • Copy/Paste the log in your next reply please.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
