Please help with rootkit problem

.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-03_17.09.35 )))))))))))))))))))))))))))))))))))))))))
.

2009-07-14 04:54 . 2012-08-03 17:07 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2009-07-14 04:54 . 2012-08-06 14:40 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2009-07-14 04:54 . 2012-08-03 17:07 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-07-14 04:54 . 2012-08-06 14:40 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-07-14 04:54 . 2012-08-03 17:07 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2009-07-14 04:54 . 2012-08-06 14:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2012-08-06 14:40 . 2012-08-06 14:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2012-08-03 17:07 . 2012-08-03 17:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2012-08-06 14:40 . 2012-08-06 14:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2012-08-03 17:07 . 2012-08-03 17:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2010-05-23 06:55 . 2012-08-04 07:54 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
2010-05-23 06:55 . 2012-08-03 17:07 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files (x86)\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-08-12 6203296]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-08-12 352256]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 423936]
"KeNotify"="c:\program files (x86)\TOSHIBA\Utilities\KeNotify.exe" [2009-01-13 34088]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"Nikon Transfer Monitor"="c:\program files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-03-07 4241512]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2012-03-19 73360]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-06-06 296056]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-07-03 1085000]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files (x86)\TOSHIBA\Toshiba Online Product Information\topi.exe" [2009-08-12 6203296]
.
c:\users\nastyhobbit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
TRDCReminder.lnk - c:\program files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
ViiKiiDesktopPlugin.lnk - c:\program files (x86)\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [2012-6-3 142336]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
TRDCReminder.lnk - c:\program files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe [2009-9-1 481184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0100804]
IME File REG_SZ WINWB86.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0110804]
IME File REG_SZ WINWB98.IME
.
R1 aswKbd;aswKbd;
R1 aswSnx;aswSnx;
R1 aswSP;aswSP;
R2 aswFsBlk;aswFsBlk;
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-03-07 69976]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe
R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [2012-03-07 134920]
R2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-08-10 248688]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 ConfigFree Gadget Service;ConfigFree Gadget Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [2009-07-14 42368]
R2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-22 133104]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2012-03-16 33672]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2012-03-16 827520]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-02-10 112080]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-08-27 251760]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-05-06 583360]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-27 250056]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-12-07 246224]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-22 133104]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-10-12 114304]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 139264]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-19 113120]
R3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-22 35008]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys
R3 TcHardWare;TcHardWare;c:\program files (x86)\Tencent\QQPCMgr\QQPCHW.sys
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-03 137560]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-08-04 826224]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-19 50688]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-08 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2010-03-19 12368]
S0 aswNdis2;avast! Firewall Core Firewall Service;
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 69152]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2009-07-24 482384]
S1 aswFW;avast! TDI Firewall driver;
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-19 14472]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-22 215040]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-07-02 1111144]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
vvdsvc REG_MULTI_SZ vvdsvc
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 05:46]
.
2012-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-22 13:57]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-22 13:57]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82272957-440506184-4160906393-1000Core.job
- c:\users\nastyhobbit\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-25 17:13]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-82272957-440506184-4160906393-1000UA.job
- c:\users\nastyhobbit\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-25 17:13]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15 135408 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-03 709976]
"Toshiba TEMPRO"="c:\program files (x86)\Toshiba TEMPRO\TemproTray.exe" [2011-02-10 1546720]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 365592]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-28 7982112]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe" [BU]
"TosWaitSrv"="c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe" [BU]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaReminder.exe" [2009-07-30 134032]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-03-16 1126528]

.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEH&bmod=TSEH
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\nastyhobbit\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
TCP: DhcpNameServer = 121.1.3.82 121.1.3.20 121.1.3.250
TCP: Interfaces{4B40AF2A-DAFA-4449-AC4E-487F54A93CE1}: NameServer = 202.126.40.5 222.127.143.5
FF - ProfilePath - c:\users\nastyhobbit\AppData\Roaming\Mozilla\Firefox\Profiles\irygqewh.default
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\Windows\SysWOW64\Macromed\Flash\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\Windows\SysWOW64\Macromed\Flash\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\Windows\SysWOW64\Macromed\Flash\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\Windows\SysWOW64\Macromed\Flash\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-06 16:55:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-06 14:55
ComboFix2.txt 2012-08-03 17:22
.
Pre-Run: 30,370,213,888 bytes free
Post-Run: 30,495,707,136 bytes free
.
- - End Of File - - 96EEF4442E4910ED43E17F8FECB69110

Re: Ad-Aware
I guess I was too naive in thinking that when I clicked the “Uninstall” option for Ad-Aware, it really would uninstall itself. The screen said it would complete uninstall after a PC restart. And so I did that. But I didn’t check afterwards if it was still there or not. And now that Combofix said it was running, I checked and Ad-Aware was still in my computer! Turns out, it can’t uninstall in Safe Mode. So I did some googling to find a solution. Turns out, other users of Ad-Aware also wanted to remove it but couldn’t do it in safe mode, so they need some additional file from Ad-Aware tech support for uninstall to work in safe mode. I downloaded said file and finally I have uninstalled Ad-Aware from my computer. :smiley:

:slight_smile:

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
1. Tick the box next to YES, I accept the Terms of Use
2. Click Start
3. When asked, allow the ActiveX control to install
4. Click Start
5. Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
6. Click Scan (This scan can take several hours, so please be patient)
7. Once the scan is completed, you may close the window
8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Attach that log as a reply to this topic


Malwarebytes log: (also attached)

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.06.13

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
nastyhobbit :: NASTY_HOBBIT [administrator]

8/7/2012 5:33:20 AM
mbam-log-2012-08-07 (05-33-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214087
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

===========================

ESET Scan log also attached.

Hi,

Looking much better!

Go to the following file and delete it: C:\Users\nastyhobbit\Downloads\setup.exe <--------------

Let me know how your system is running now. :slight_smile:

I deleted the file and restarted in normal mode, but it wouldn’t start up completely. I see the Windows 7 logo “Starting Windows”… then the user password screen appears as usual, but after that the screen turns to black for a long time and that’s it. Same as before.

So I restarted the computer in safe mode with networking again. And it still starts in safe mode with networking. I’m scanning the computer with avast now. I’ll tell you how it goes when it’s finished.

So I finished the avast scan (I attached the avast scan log) and got the same result. The DLL file still infected with some rootkit. And I still can’t successfully boot in normal mode.

I also did a boot-time scan afterwards. The result of the boot-time scan:
08/07/2012 18:29
Scan of all local drives

File Volume{44b9dd6a-65ac-11df-9dee-806e6f6e6963}\Boot\BOOTSTAT.DAT Error 0xC000003E {Data Error}
Number of searched folders: 37769
Number of tested files: 228022
Number of infected files: 0

Why doesn’t the boot-time scan detect the rootkit?

I can’t attach the log because it’s too big. Anyway, so is the rootkit causing my computer’s boot problem? Or are they two separate issues altogether?

Hi,

See if you can run the instructions for FRST again. If you are able to do so, please attach the log that is created.

No luck when running FRST from the flashdrive again. It’s the same as before. After “Windows is loading files”, the blue/white screen appears and after a while I get the error message:
System Recovery Options
Installed program cannot start. Click OK to turn off the computer.

Hi,

I don’t think that these are necessarily related. As a precaution I would begin to backup all your data immediately as you may have a failing hard drive and that is what is throwing the Error 0xC000003E. :-\

Yeah I already backed up my files. So do you think it’s better if I just reformat my hard drive? I mean, the rootkit and the boot problems will disappear if I reformat my computer? I could do that. And this time, I won’t be installing Ad-Aware. :stuck_out_tongue:

Well…anytime that I might find a rootkit I (myself) would just format the hard drive, but that is just my opinion. It will certainly remove any remaining malware and give you a fresh Windows platform. Just let me know what you want to do. :slight_smile:

Okay I’ll probably just do that. Thanks. So is it okay if I reset the computer to factory settings, or is it better to reformat with a Windows 7 installer?

And for next time, how do I avoid getting my computer infected with rootkits again? This was the first time I heard about this, to be honest.

In my opinion it is always better to do a full reinstall when you get a rootkit on your system. :slight_smile:

how do I avoid getting my computer infected with rootkits again?
The best advice I can give you is to keep all of your software up to date and just be careful with the sites that you visit and emails that you open.