TechSpot

After System Check clean-up - cannot find 6924636.exe

By SBV
Jan 22, 2012
  1. I somehow managed to get the System Clean virus on my computer a few days ago (Damn them!). I think I've managed to clean it and get it off - except I now get a pop-up window when I turn my computer on which says 'Windows Cannot Find 6924636.exe' (it also brings a box which has _uninst_23372510 at the top). When I click 'ok' they both go.

    Obviously it's annoying and I want to get rid of it - and make sure it's not part of the virus left on. I've done virus scans and nothing else is coming up. I got all the other System Check bits off. I tried googling for 'Windows Cannot Find .exe' and found lots of other topics for when a program had changed all the .exe's. I then followed one piece of advice and downloaded Panda's antivirus - it then changed ALL my .exe files so none would open. I managed to then find a fix and got the .exe's back working - but still this 6924636.exe pop-up window shows when I start the computer. The numbers make me think it's something to do with the virus. I have tried searching for it but it doesn't come up anywhere. So how do I stop this from appearing?
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    And you want to find this file 6924636.exe- why? You're assuming it's a legitimate file that's missing, correct? Not necessarily true.

    It means that something is on Startup that is trying to get you to download this file. It does NOT mean you need the file or that it's a legitimate file. Whatever it is is tempting you to look for this .exe file and get it. So- what if it's malware? What if this file will infect more of your system?

    One thing you do not do is go looking for random fixes. Nor should you check OK to _uninst_23372510 when you don't know what it's doing.
    ====================================
    For the record, this thread is the only site that comes up when I look for either 6964636.exe or _uninst_23372510. That's pretty much a giveaway that it's malware related. So we need to find the malware.
    ================================
    Since I didn't assist you in removing what may have been System Check, I will make 2 suggestions:
    First: Click on Start> Run> Type in msconfig> Enter> Startup tab> Do you see any entry on the left that matches 6924636.exe? Do you see any entry that you don't recognize? If the latter, expand the Command section by holding the left mouse button down on the line in the frame between Command and Location and moving it to the right.

    If you see anything you can't identify, mark it down somewhere and do an online search to ID it. DON'T download it just because you see it advertised from a site. That's one of the ways malware gets on a system.

    Second: Run these scans here so I can see what's on the system:
    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    =================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. SBV

    SBV TS Rookie Topic Starter

    Thank you for the quick reply.

    I never said I wanted to find it (and definitely not run it) - I just said I wanted to get rid of it!

    I know it may be part of the virus - this is why I want to get rid of it.

    Thanks for the suggestions. I have gone to Start > Run > msconfig >

    On the startup list, it does show _uninst_23372510

    The command says it's coming from \AppData\Local\Temp\_UNINS~1.BAT

    Should I just go into AppData and delete that? What should I do? (I'm a bit crap when it comes to computer related problems)

    Where do we find the logs that we have to post?
     
  4. SBV

    SBV TS Rookie Topic Starter

    There also appears to be gfUomFNvRQL.exe in the startup - which I also assume is part of the virus. How come when I run Malwarebytes it says there's no malware showing? It deleted a few items last week when I first found it.

    System Check doesn't start up or anything.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You run the scans in the blue link. Each scan produces a log (DDS has 2 logs). You then paste those logs into your next reply.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    Leave the entry you found on Startup. We still don't know what it's for.

    Regarding this:
    Pay good attention- I will help you learn more!
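    Bobbye's check in post #2 (look at each Startup entry's command path, mark down anything you can't identify and look it up) and the DDS log she asks for in post #5 fit together: the "Pseudo HJT Report" section of a DDS log lists the same autostart entries, one per line, with the full command path. The script below is an added example, not code from this thread or from the DDS tool. It parses uRun/mRun/StartupFolder lines and flags the things a helper checks first: a target that runs from a Temp directory, a loose executable directly under ProgramData or AppData, a script (.bat/.cmd/.vbs) used as a startup target, and a random-looking name. SAMPLE_LOG is constructed for this example from entries quoted in the thread; the flags are prompts to look an entry up, not a verdict, so the name heuristic is deliberately conservative.

```python
"""Triage the autostart lines of a DDS 'Pseudo HJT Report' section.

Added example for the TechSpot thread; not the DDS tool's own code.
"""
import re
from pathlib import PureWindowsPath

# One autostart entry per line, in the two shapes DDS uses:
#   uRun: [name] <command>            (HKCU Run key; mRun is HKLM)
#   StartupFolder: <path>.lnk - <command>
RUN_RE = re.compile(r'^(?P<src>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
FOLDER_RE = re.compile(r'^(?P<src>StartupFolder):\s*(?P<lnk>.+?\.lnk)\s+-\s+(?P<cmd>.*)$',
                       re.IGNORECASE)
# The program part of a command ends at the first .exe/.bat/... followed by a space;
# DDS does not quote paths that contain spaces, so we cannot split on whitespace.
EXT_RE = re.compile(r'^(.*?\.(?:exe|bat|cmd|vbs|js|scr|com|pif))(?:\s|$)', re.IGNORECASE)
SCRIPT_EXTS = ('.bat', '.cmd', '.vbs', '.js')
# Directories in which a legitimate program is rarely dropped as a loose file.
DATA_ROOTS = ('c:\\programdata', '\\appdata\\local', '\\appdata\\roaming')

# Constructed sample in DDS format; entries modelled on the ones quoted in the thread.
SAMPLE_LOG = r"""
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [<NO NAME>]
StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\shariblackvelvet\appdata\local\temp\_uninst_23372510.bat
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se\CameraMonitor.exe
"""


def extract_target(cmd):
    """Return the program path from a Run-key command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if not cmd:
        return ''
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def looks_random(stem):
    """Conservative heuristic for machine-generated names such as 'gfUomFNvRQL' or '6924636'.

    All-digit names count. For letters, count upper-case characters that follow a
    lower-case one and are followed by another upper-case (or the end): CamelCase
    product names ('HotKeysCmds', 'SynTPEnh') produce at most one such hit.
    """
    if stem.isdigit():
        return True
    letters = ''.join(c for c in stem if c.isalpha())
    if len(letters) < 8:
        return False
    hits = 0
    for i in range(1, len(letters)):
        prev, cur = letters[i - 1], letters[i]
        nxt = letters[i + 1] if i + 1 < len(letters) else None
        if prev.islower() and cur.isupper() and (nxt is None or nxt.isupper()):
            hits += 1
    return hits >= 2


def assess(src, name, cmd):
    """Apply the triage rules to one entry; 'reasons' is empty for an unremarkable one."""
    target = extract_target(cmd)
    low = target.lower()
    reasons = []
    if not target:
        reasons.append('entry has no command')
    if '\\temp\\' in low:
        reasons.append('target runs from a Temp directory')
    parent = str(PureWindowsPath(low).parent)
    if any(parent.endswith(root) for root in DATA_ROOTS):
        reasons.append('loose file directly under a data root (ProgramData/AppData)')
    if low.endswith(SCRIPT_EXTS):
        reasons.append('autostart target is a script, not a program')
    stems = {PureWindowsPath(name).stem, PureWindowsPath(target).stem}
    if any(looks_random(s) for s in stems if s):
        reasons.append('random-looking name')
    return {'source': src, 'name': name, 'target': target, 'reasons': reasons}


def triage_dds(text):
    """Return the entries worth looking up, in log order."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip()) or FOLDER_RE.match(line.strip())
        if not m:
            continue
        gd = m.groupdict()
        name = gd['name'] if 'name' in gd else PureWindowsPath(gd['lnk']).name
        entry = assess(gd['src'], name, gd['cmd'])
        if entry['reasons']:
            findings.append(entry)
    return findings


if __name__ == '__main__':
    for f in triage_dds(SAMPLE_LOG):
        print(f"{f['source']}: [{f['name']}] {f['target'] or '(none)'}")
        for r in f['reasons']:
            print(f"    - {r}")
```

    Run it against the "Pseudo HJT Report" block of a pasted DDS log and every flagged entry is a name to search for, exactly as Bobbye says, before anything is deleted or clicked. The rules are intentionally few: a Temp path, a loose file in a data root, or a script as a startup target is what an experienced reader's eye lands on first, and the name test is tuned so that the legitimate Toshiba, Realtek and Synaptics entries in this log pass it.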
     
  6. SBV

    SBV TS Rookie Topic Starter

    Thanks. I uninstalled AVG and got rid of the Panda Cleaner and downloaded Microsoft Security Essentials and did the Quick Scan. Here are the logs:

    Malwarebytes:

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421

    22/01/2012 7:53:09 pm
    mbam-log-2012-01-22 (19-53-09).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 238099
    Time elapsed: 55 minute(s), 56 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)



    GMER LOG:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-22 21:02:46
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
    Running: g0lo314p.exe; Driver: C:\Users\SHARIB~1\AppData\Local\Temp\kfddypow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    DDS TXT LOG:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
    Run by ShariBlackVelvet at 21:06:42 on 2012-01-22
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.2939.1511 [GMT 0:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Windows\system32\IoctlSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Toshiba TEMPRO\TemproTray.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Common Files\AOL\1287764634\ee\aolsoftware.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
    C:\Program Files\Common Files\AOL\1287764634\ee\aolsoftware.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
    C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\ShariBlackVelvet\Desktop\g0lo314p.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [cfFncEnabler.exe] cfFncEnabler.exe
    mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
    mRun: [Toshiba TEMPO] c:\program files\toshiba tempro\Toshiba.Tempo.UI.TrayApplication.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
    mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
    mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    mRun: [<NO NAME>]
    mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
    mRun: [Skytel] Skytel.exe
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
    mRun: [HostManager] c:\program files\common files\aol\1287764634\ee\AOLSoftware.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [QuickTime Plugin Install] c:\program files\quicktime\plugins\DeleteMe1.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
    mRun: [Google EULA Launcher] c:\program files\google\google eula\GoogleEULALauncher.exe IE PA
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\aoldes~1.lnk - c:\program files\common files\aol\1287764634\ee\aolsoftware.exe
    StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\shariblackvelvet\appdata\local\temp\_uninst_23372510.bat
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se\CameraMonitor.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
    IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    TCP: Interfaces\{35594759-A864-4F40-8CDF-600825668E4A} : NameServer = 192.168.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\shariblackvelvet\appdata\roaming\mozilla\firefox\profiles\x97wkle1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50ffaoldesktop-chromesbox-en-us&tb_uuid=20110306000852167&tb_oid=06-03-2011&tb_mrud=06-03-2011
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.nectar.com
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\users\shariblackvelvet\appdata\roaming\mozilla\firefox\profiles\x97wkle1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\users\shariblackvelvet\appdata\roaming\mozilla\firefox\profiles\x97wkle1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - component: c:\users\shariblackvelvet\appdata\roaming\mozilla\firefox\profiles\x97wkle1.default\extensions\twitternotifier@naan.net\platform\winnt\components\nsTwitterFoxSign.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\picasa2\npPicasa3.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\shariblackvelvet\appdata\roaming\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\users\shariblackvelvet\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-2 64512]
    R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-6-9 20352]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl6299086f;MpKsl6299086f;c:\programdata\microsoft\microsoft antimalware\definition updates\{ea69181b-1a19-49b7-9528-240626abad44}\MpKsl6299086f.sys [2012-1-22 29904]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-16 40960]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\toshiba tempro\TemproSvc.exe [2009-4-21 116104]
    R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-7-1 7168]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
    R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2152152]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-6-9 937984]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-01-22 19:40:56 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ea69181b-1a19-49b7-9528-240626abad44}\offreg.dll
    2012-01-22 19:40:56 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ea69181b-1a19-49b7-9528-240626abad44}\MpKsl6299086f.sys
    2012-01-22 19:32:17 703824 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1545967a-82c4-4793-b821-b094890f36e0}\gapaengine.dll
    2012-01-22 19:31:54 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ea69181b-1a19-49b7-9528-240626abad44}\mpengine.dll
    2012-01-22 19:21:12 -------- d-----w- c:\program files\Microsoft Security Client
    2012-01-22 19:20:12 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-01-22 15:47:18 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{53D74D6C-88CC-46DA-9546-3BEF15BF963C}
    2012-01-22 15:47:08 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3F53012E-F14F-4B8C-9155-03402D752C1B}
    2012-01-21 22:32:54 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{C2C8570B-1184-4B85-A9C7-BDC58ACB08E3}
    2012-01-21 22:32:45 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9FA5FB70-B5EE-4867-99A9-6B829532A02D}
    2012-01-21 22:32:35 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{36E5AA70-6740-404B-B169-02C7D43DDABB}
    2012-01-21 22:32:22 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{7827AF63-D31B-47B2-83FA-6E692D53DAF7}
    2012-01-21 10:31:54 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{C72025E9-D6F9-4503-870F-31712928B1D9}
    2012-01-21 10:31:43 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{01E2A91E-B125-4B5E-9828-DF06AC94F7BC}
    2012-01-20 15:49:14 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3821DA62-CCC7-4238-9EDF-1A411124955F}
    2012-01-20 15:49:04 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{584B6187-904D-47B9-B9FF-4A53D382F895}
    2012-01-19 20:24:23 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{5E36AF94-1174-42BE-B4A5-2EE6003DAB40}
    2012-01-19 20:24:13 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{38A0CD74-9C00-4EA3-BCDD-D1F43FEE918E}
    2012-01-19 20:24:02 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9FD28A24-3CAB-4A93-A980-28660C32B038}
    2012-01-19 20:23:45 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{58DC4FF8-696F-4110-801C-8C6FDF78B176}
    2012-01-19 17:49:41 -------- d-----w- c:\program files\Panda Security
    2012-01-19 08:23:18 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B018732F-DDFF-4C9B-A1C0-2B416C761E15}
    2012-01-19 08:23:09 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{E32EFEC9-D0ED-402B-BC84-70594B9C3B8E}
    2012-01-19 08:22:59 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3906C031-DDC7-450C-A5B2-66B70D259DA9}
    2012-01-19 08:22:48 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B68F3ABE-995E-42F3-A483-FBA91326942F}
    2012-01-18 20:22:22 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{324F9DF9-7B6A-4652-9283-1BE583D9466A}
    2012-01-18 20:22:11 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{87AAC18E-7B3C-49B5-A354-6084BCA6137F}
    2012-01-18 19:52:42 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{28d0e58b-d0bf-447b-bf43-22d064460452}\mpengine.dll
    2012-01-18 16:57:37 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-01-18 16:57:36 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-18 16:57:35 9728 ----a-w- c:\windows\system32\lsass.exe
    2012-01-18 16:57:35 72704 ----a-w- c:\windows\system32\secur32.dll
    2012-01-18 16:57:35 377344 ----a-w- c:\windows\system32\winhttp.dll
    2012-01-18 16:57:35 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-18 08:18:54 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{737A210E-1AEE-4A98-A6E6-FAC688F5F70B}
    2012-01-18 08:18:44 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{91EC7AFA-6396-4384-8FF7-515AC6FFD803}
    2012-01-18 08:18:35 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B5C3E514-1E2D-4409-8092-0980EC5C6F6E}
    2012-01-18 08:18:24 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9900F514-B827-4C60-881F-E5A6F870AE0F}
    2012-01-17 20:17:48 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{30E415F8-B024-4CD7-AB3C-C0C2638DD221}
    2012-01-17 20:17:33 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{26E07204-AB28-4F0C-97FD-6397DD7FAAAC}
    2012-01-17 19:13:23 -------- d-----w- c:\programdata\Kaspersky Lab
    2012-01-17 07:50:49 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{A9CC87D8-1286-4520-AA9A-2ED7E69C323A}
    2012-01-17 07:50:38 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{4980347A-CBD9-4459-B05C-A736F59E5C54}
    2012-01-17 07:49:58 -------- d-----w- c:\users\shariblackvelvet\appdata\local\dbMobileInit
    2012-01-16 15:20:53 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{FB9B9C1D-39C5-4384-9346-7940E75E853B}
    2012-01-16 15:20:25 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{E63320BC-A614-417E-8ADA-4D5EE70B14C3}
    2012-01-16 15:20:07 -------- d-----w- c:\users\shariblackvelvet\appdata\local\QuickGL.NET
    2012-01-16 07:47:43 -------- d-----w- c:\users\shariblackvelvet\appdata\local\AppleHelp64
    2012-01-16 03:00:45 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{A6C3816F-812A-4CD3-A700-8756BEAA473B}
    2012-01-16 03:00:12 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{CED94EBA-94DF-40F5-8F12-A7B3BAFEC13E}
    2012-01-15 14:59:53 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{0740BBF3-0946-4BDC-84BB-562B11766367}
    2012-01-15 14:57:47 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{99F5A107-EC88-49C4-88F2-0DBDA9387FFF}
    2012-01-15 14:57:34 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{2B7F77EA-7E7C-4143-AC7C-9A635CD5D277}
    2012-01-15 14:57:20 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{51822A4F-C133-4AA8-A940-3FACAFE742C6}
    2012-01-14 22:08:43 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{7ACE9507-8C77-4BC3-9FEE-8BF42788EEFF}
    2012-01-14 22:08:33 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1E748363-558E-4EA7-B808-5E0E18DC3D46}
    2012-01-14 22:08:21 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{FFD44CAB-6BA3-478F-A7D2-50469260F313}
    2012-01-14 22:08:10 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1A072029-0B6D-4543-BAD3-3680D27E0123}
    2012-01-14 10:07:40 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{36D74619-9610-4186-8818-CF237F6AAB7E}
    2012-01-14 10:07:27 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3B7CEEE8-0E31-4E1A-964D-2A2A352F10DA}
    2012-01-13 15:50:17 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3E65C8C9-77D8-4407-B7B8-4B197A11E0B1}
    2012-01-13 15:50:05 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{4EA451CE-ACF5-4E5D-B21E-78B1F2621476}
    2012-01-12 19:54:48 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{BFE4D8E3-CB17-453F-A8C8-DB38B5F0CD40}
    2012-01-12 19:54:38 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{C8A813C2-D8B3-4623-AEC2-66896B345357}
    2012-01-12 19:54:29 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{5E90CD99-CAFE-4FF9-9101-6D6F8841D3EF}
    2012-01-12 19:54:17 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{D2A73B7B-2D52-4807-99A0-24D057C4829D}
    2012-01-12 07:53:45 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{67053AFF-9CB0-4758-A484-F6720F558D01}
    2012-01-12 07:53:29 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1F1DF292-7BE2-4DC7-9EC0-3E7322833111}
    2012-01-12 07:53:14 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{A915025E-E84A-4599-B5D3-A94856461750}
    2012-01-12 07:53:00 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{7BEE6133-02B6-4E50-A85C-C6DB50636036}
    2012-01-11 19:52:29 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{5FE07F5A-6156-451A-A647-69222796D352}
    2012-01-11 19:52:18 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{767C58FC-6FD8-4C4C-A4AA-EC1CC19CC001}
    2012-01-11 19:52:06 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{7F509DF4-28D1-461D-AEFD-3D83130B5C10}
    2012-01-11 19:51:53 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{7516BB9B-4258-4E1E-8792-F433E60D68DC}
    2012-01-11 19:13:38 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-11 19:13:38 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-01-11 19:13:35 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 19:13:33 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 19:13:32 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-01-11 19:13:31 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2012-01-11 19:13:18 497152 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 19:13:18 1314816 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 07:51:25 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{4E4321B9-7A95-4E0A-925F-05E2AED2511D}
    2012-01-11 07:51:15 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{71CB32F4-CED7-43FA-9101-24752F76568A}
    2012-01-10 19:50:50 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1B9D4E05-DB7A-4295-822C-1B8B63B1C783}
    2012-01-10 19:50:41 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{6FD86E27-A448-4EDF-A012-7C8138FE4B3F}
    2012-01-10 19:50:31 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{CC475545-867F-431A-A035-692A53507C46}
    2012-01-10 19:50:20 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{25184834-8194-4DAE-A124-4AEA70A2B47C}
    2012-01-10 07:49:55 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{0F25ABCE-6C49-48A6-AF0E-3F3A7DBD339D}
    2012-01-10 07:49:45 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{7049BF41-516C-4941-9DBE-B90850FA42C3}
    2012-01-09 19:48:43 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{D439DBB2-36D2-4B1B-B35A-7837FFDB4D47}
    2012-01-09 19:48:25 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{43F8282E-8CCF-4E09-B29E-A455EAF7DCFD}
    2012-01-09 07:47:53 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{FD71D796-961F-4CFC-B264-A69C6602F1BA}
    2012-01-09 07:47:42 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{43892745-C074-40F8-99BB-32486F204EEB}
    2012-01-08 15:49:35 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{6E4A398E-E033-4278-86B5-04020306EAD0}
    2012-01-08 15:49:24 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1D9F2964-4297-4337-8A15-168384FD37A6}
    2012-01-07 17:24:35 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3B093EE1-6B83-4FD0-858E-514066B144CF}
    2012-01-07 17:24:25 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{C15D5155-A7B0-4409-8979-6C9B7E03CD6B}
    2012-01-07 17:24:15 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{BC859FCF-5705-4495-BDC1-8933A6807D20}
    2012-01-07 17:24:03 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{8EF038F4-4BF2-4EE3-B240-3F58ABA9ABFD}
    2012-01-07 16:32:57 774144 ----a-w- c:\windows\system32\htmlayout.dll
    2012-01-07 16:32:57 11137024 ----a-w- c:\windows\system32\libmfxsw32.dll
    2012-01-07 16:32:57 1003008 ----a-w- c:\windows\system32\libeay32.dll
    2012-01-07 05:23:12 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{8F95A61C-43E8-487A-8BB3-81C2AA2A0E79}
    2012-01-07 05:22:50 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{34032A14-99FB-4FEB-A221-88F93EBD71E1}
    2012-01-07 05:22:33 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{D06BC12B-3D32-4E31-B400-AC4C755413D0}
    2012-01-07 05:22:17 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{BBD4D5A5-B563-474D-8163-3DE4B932EC13}
    2012-01-07 04:56:59 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B4CC4388-5C0F-4F2F-A58B-2DCE042808C4}
    2012-01-07 04:38:35 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{82FB21FA-63F5-4B77-A721-7EAA4A439F8A}
    2012-01-07 04:33:02 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{77FCB351-C23D-4630-8B8B-BE2F2CA809F9}
    2012-01-07 04:25:51 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B3D785CB-AF0F-42AC-80F5-375B837194EF}
    2012-01-07 03:54:01 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9B44C6D0-D81C-46FB-B521-81D5FB6647EC}
    2012-01-07 03:14:59 -------- d-----w- c:\program files\DriverTuner
    2012-01-07 02:45:36 -------- d-----w- c:\program files\WinZip(156)
    2012-01-06 15:53:31 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{D85C2C5F-48CC-4B53-8505-7E8B31112EB1}
    2012-01-06 15:53:21 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3E3F2264-B200-478F-A0EF-08A5FE6CF65E}
    2012-01-05 19:53:39 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3E84F77A-783E-4963-BCA9-571AABF32CFD}
    2012-01-05 19:53:30 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{7BD64C57-731E-455C-B393-4E4E8B12AF5A}
    2012-01-05 19:53:20 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{F824848C-EA94-4E83-9363-130B4215C93A}
    2012-01-05 19:53:10 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3DC01E2F-34F0-4914-8682-11F2D9AB0FA0}
    2012-01-05 07:52:46 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{DFDD7D63-797A-4552-B036-32BF654AD273}
    2012-01-05 07:52:36 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{FF110B2B-E48A-457D-8378-5445FF8B6AA5}
    2012-01-05 07:52:26 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9B4B18E4-989B-4C45-90DA-DF427277EDF5}
    2012-01-05 07:52:16 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{7692FD85-EEB8-4E85-BB2A-99F18AFBE675}
    2012-01-04 19:51:51 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{4DAD05D3-0CD8-4631-92C4-BB8A064882A5}
    2012-01-04 19:51:40 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{D82AB3D3-70C5-467D-B6F7-EBB9DE333C54}
    2012-01-04 19:51:30 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{66FC5418-1594-4390-8825-9C88796CE13E}
    2012-01-04 19:51:17 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{0E897A90-20A0-4855-8AD4-022A8C3787A6}
    2012-01-04 07:50:50 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{241B0EAC-7B5D-4E63-8012-0FE02AD339D5}
    2012-01-04 07:50:38 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{433C3B9A-818E-4B24-8F07-F6B03C362F79}
    2012-01-03 16:16:10 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1FB91562-F9D9-41B0-BBE9-8F92372AEAF0}
    2012-01-03 16:16:00 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{491B70E5-9AFF-4374-9E50-4FF5B7176604}
    2012-01-03 16:15:51 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{DA62B758-B506-4DA2-AF34-0F320421629C}
    2012-01-03 16:15:40 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{645DA7FB-2056-4997-AF70-705CE5076320}
    2012-01-03 04:14:49 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{64C88A22-341F-4622-B64A-DEC85B7294BC}
    2012-01-03 04:14:23 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3FA331D0-99AB-4B30-8082-93ECC5E744DD}
    2012-01-03 04:14:12 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9F4C599D-A355-41B2-BBC5-75101EE2F3D1}
    2012-01-03 04:13:48 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{E239FCAE-29E4-4DFD-A778-13DD616AD23D}
    2012-01-02 15:50:07 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{FEF72B63-2AF8-4821-8034-963EEA15CDAD}
    2012-01-02 15:49:57 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{F470585E-BDCA-412C-B844-C5EA40D0FE9F}
    2012-01-02 03:48:44 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{F1BC9253-D74E-48DA-B8F0-9922ACD5B32A}
    2012-01-02 03:48:34 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{83782D6F-E6E4-48EA-81DB-693F42EBEDE9}
    2012-01-01 15:48:19 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B2B303F7-E077-4BFE-AED4-30FF4A011F98}
    2012-01-01 15:48:09 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{5213736C-8259-44E1-AC66-5E45308B03A1}
    2011-12-31 15:49:02 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1D48FDBC-F362-4EA1-B9F8-97EBCF369F64}
    2011-12-31 15:48:52 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{6B3D82E9-10CD-41FD-866C-0958E4F52B3F}
    2011-12-30 21:01:06 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{BD81F659-B3B5-4632-8FED-0B055C825082}
    2011-12-30 21:00:56 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{F24F9460-5F29-40A8-B234-B91732B4B79F}
    2011-12-30 21:00:46 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{A0FFA13D-4E9F-41B3-95FA-373135106D0C}
    2011-12-30 21:00:36 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{34897425-17F1-4B7F-843D-F9A520D9A5B9}
    2011-12-30 09:06:28 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2011-12-30 09:06:28 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2011-12-30 09:06:28 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2011-12-30 09:06:28 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    2011-12-30 09:00:08 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1D5D9E17-F2F3-4499-B0A8-B79E866AE8CC}
    2011-12-30 08:59:57 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{0CB6AF68-72E3-4C84-84AA-98BDDC69A089}
    2011-12-30 08:59:11 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9CA9E838-81DC-46D6-AE88-E9D4CE44BA03}
    2011-12-30 08:58:53 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B35C50DF-9186-4F5E-B33B-B15E624E58DC}
    2011-12-29 15:50:46 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{4EF2C0AD-C7F8-4272-9E9E-34010DA3CB5B}
    2011-12-29 15:50:36 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{2033FB4A-4204-4222-A21A-3FEAA751BA34}
    2011-12-29 15:50:27 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1F1767DC-8620-4D06-8228-24F042C76A50}
    2011-12-29 15:50:16 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1D65533E-895A-4097-9FC2-1904B6F87888}
    2011-12-29 03:49:51 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{EF9EFC09-E612-484C-9DB2-D0B15CD30AF7}
    2011-12-29 03:49:41 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1A464804-9178-43E1-9E37-866E61B5D7E7}
    2011-12-29 03:49:31 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{FB3504F6-0CC7-4CAE-B261-95669DD86B9C}
    2011-12-29 03:49:18 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3C2C8A93-0429-4604-8BAD-1E70183DD96B}
    2011-12-28 15:49:04 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{E4E817CD-9418-4F0B-BB66-520315660075}
    2011-12-28 15:48:49 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{4BC33885-01E7-43D3-9853-8952EB141713}
    2011-12-28 03:48:22 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{BAA004AD-F1DC-42AF-A654-C54A584D80F0}
    2011-12-28 03:48:12 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{EB065061-98BF-4409-8B1A-0A289235537D}
    2011-12-28 03:48:02 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{755F529A-188E-45EA-BD63-A9E6B41CD7DA}
    2011-12-28 03:47:51 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{BE1EB036-A0DE-4F86-BB62-9B43E4C60AFF}
    2011-12-27 15:47:38 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{14AADC71-E5E5-468D-A3BD-FB951F1B3950}
    2011-12-27 15:47:25 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{6B5F150B-289E-4504-9A78-5B2E7456744F}
    2011-12-27 03:38:12 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{77787F8E-BECA-4F15-81EB-F2EE051E8D02}
    2011-12-27 03:38:02 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{DE7CC7D1-7D3A-424A-860F-296CD284A281}
    2011-12-27 03:37:53 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{F340BA1B-0405-43CE-AB9D-8AACC219F982}
    2011-12-27 03:37:41 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3284E2A4-79F7-4FF0-B5D7-C70B058E6D50}
    2011-12-26 15:37:27 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{1FE705F6-B9CF-44DE-AB33-B8B7A1F6E442}
    2011-12-26 15:37:17 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{521E1C01-400A-4A0C-9CA6-17BF13531471}
    2011-12-26 02:34:56 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{EC7E20F2-04CE-421B-990F-01D860909F2F}
    2011-12-26 02:34:46 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{70CC13BA-90A6-400F-9468-1B54B0E70E00}
    2011-12-26 02:34:37 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{30CC495F-3DE4-4811-B76B-066668135934}
    2011-12-26 02:34:24 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{BF4C1009-6504-4441-9651-46088312B5BF}
    2011-12-25 14:34:02 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{50F905C5-31D2-4273-9D4F-711DDE86F73D}
    2011-12-25 14:33:52 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{080702AE-00D3-4AD6-9D9D-7F1405709299}
    2011-12-24 15:53:09 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{A8704FDC-E3EB-457D-BFFD-E4C8CF72B12B}
    2011-12-24 15:52:59 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{C61BB952-BF48-4A59-9BC8-1196B993F0B7}
    2011-12-24 15:52:47 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{0AB4E894-4BEB-4A74-BED3-D9993121F24E}
    2011-12-24 15:52:34 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{A668195D-2DCB-443A-BD17-B833D105F89D}
    2011-12-24 03:52:09 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{C297692D-5FA5-46A4-A23A-4F6ABB50B163}
    2011-12-24 03:51:59 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{EA856AF0-04BA-4F30-B161-1981B6418CFD}
    2011-12-24 03:51:50 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{4CD58ECE-1866-4952-826B-6A23225796E6}
    2011-12-24 03:51:40 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{E922DBAC-C2A5-4A08-900D-88C2AE753409}
    .
    ==================== Find3M ====================
    .
    2011-12-10 15:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-17 07:53:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
    2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-27 08:01:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-27 08:01:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
    .
    ============= FINISH: 21:07:38.77 ===============
     
  7. SBV

    SBV TS Rookie Topic Starter

    ATTACH TXT FILE (Does everyone really need to see all the programs I have?!)

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume2
    Install Date: 09/06/2009 5:54:39 pm
    System Uptime: 22/01/2012 7:24:46 pm (2 hours ago)
    .
    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | CPU | 1333/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 57.767 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 148 GiB total, 110.887 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Atheros AR9281 Wireless Network Adapter
    Device ID: PCI\VEN_168C&DEV_002A&SUBSYS_7141144F&REV_01\4&3388DB6&0&00E1
    Manufacturer: Atheros Communications Inc.
    Name: Atheros AR9281 Wireless Network Adapter
    PNP Device ID: PCI\VEN_168C&DEV_002A&SUBSYS_7141144F&REV_01\4&3388DB6&0&00E1
    Service: athr
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Ad-Aware
    Add or Remove Adobe Creative Suite 3 Master Collection
    AHV content for Acrobat and Flash
    AOL Mail and AIM Gadget
    AOL Registration
    AOL Uninstaller (Choose which Products to Remove)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Applian FLV Player
    Atheros Driver Installation Program
    Atheros Wi-Fi Protected Setup Library
    AVS Audio Converter 7
    AVS Audio Editor 7.1
    AVS Audio Recorder version 4.0
    AVS Cover Editor 2.0.1.3
    AVS Disc Creator 5
    AVS Document Converter 2.1.2
    AVS DVD Copy version 4.1.2
    AVS Image Converter 2.1.2.169
    AVS Media Player 4.1.8.93
    AVS Photo Editor
    AVS Registry Cleaner version 2.2
    AVS Ringtone Maker version 1.6
    AVS Screen Capture version 2.0.1
    AVS Update Manager 1.0
    AVS Video Converter 8
    AVS Video Editor 6
    AVS Video Recorder 2.4
    AVS Video ReMaker 4.0.8.140
    AVS4YOU Software Navigator 1.4
    Bluetooth Stack for Windows by Toshiba
    Camera Assistant Software for Toshiba
    CD/DVD Drive Acoustic Silencer
    Compatibility Pack for the 2007 Office system
    D3DX10
    Download Updater (AOL LLC)
    Facebook Plug-In
    File Uploader
    FYZip 1.00
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Deskjet 1050 J410 series Basic Device Software
    HP Deskjet 1050 J410 series Help
    HP Deskjet 1050 J410 series Product Improvement Study
    HP Photo Creations
    HP Update
    ImageMixer 3 SE
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    Ipswitch WS_FTP Professional 2006
    Java Auto Updater
    Java(TM) 6 Update 24
    Junk Mail filter update
    Learn2 Player (Uninstall Only)
    MagicDisc 2.7.106
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Default Manager
    Microsoft Office File Validation Add-In
    Microsoft Office Live Add-in 1.5
    Microsoft Office Outlook Connector
    Microsoft Office Professional Edition 2003
    Microsoft Office Visio Standard 2003
    Microsoft Search Enhancement Pack
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 9.0.1 (x86 en-GB)
    MSVCRT
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    ODF Add-in for Microsoft Office
    OGA Notifier 2.0.0048.0
    PDF Settings
    Picasa 3
    Play MPE Player 4.0
    Presto! BizCard5 SE
    QuickTime
    RAR File Open Knife - Free Opener
    RealPlayer Basic
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
    Samsung PC Studio 3
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Segoe UI
    Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
    Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
    Skype™ 5.0
    Spotify
    Synaptics Pointing Device Driver
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Face Recognition
    TOSHIBA Hardware Setup
    TOSHIBA Manuals
    Toshiba Online Product Information
    TOSHIBA Recovery Disc Creator
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Modem
    TOSHIBA Supervisor Password
    Toshiba TEMPRO
    TOSHIBA Value Added Package
    TRDCReminder
    TRORDCLauncher
    Uninstall AOL Emergency Connect Utility 1.0
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    VCRedistSetup
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.0.5
    Winamp
    Winamp Detector Plug-in
    Windows 7 Upgrade Advisor
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Player Firefox Plugin
    WinZip
    Xvid 1.2.1 final uninstall
    Zero Assumption Recovery Version 8.4
    .
    ==== Event Viewer Messages From Past Week ========
    .
    22/01/2012 7:27:04 pm, Error: Service Control Manager [7000] - The TOSHIBA Bluetooth Service service failed to start due to the following error: The system cannot find the file specified.
    22/01/2012 7:23:38 pm, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    20/01/2012 3:50:51 pm, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Modules Installer service to connect.
    20/01/2012 3:50:51 pm, Error: Service Control Manager [7000] - The Windows Modules Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    20/01/2012 3:50:51 pm, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service TrustedInstaller with arguments "" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
    18/01/2012 5:21:16 pm, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Agere Modem Call Progress Audio service to connect.
    18/01/2012 5:21:16 pm, Error: Service Control Manager [7000] - The Agere Modem Call Progress Audio service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    17/01/2012 3:45:52 pm, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    17/01/2012 3:44:46 pm, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the FLEXnet Licensing Service service to connect.
    17/01/2012 3:44:46 pm, Error: Service Control Manager [7000] - The FLEXnet Licensing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    17/01/2012 3:41:16 pm, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect.
    17/01/2012 3:41:16 pm, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================
     
  8. SBV

    SBV TS Rookie Topic Starter

    I'm thinking that I really need to get rid of the gfUomFNvRQL.exe file that shows in startup. It says the command is C:\ProgramData\gfUomFNvRQL.exe and is located at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    How do I actually get to that to delete it?

    I have just deleted _uninst_23372510.bat, clicked to disable gfUomFNvRQL.exe in Startup, and restarted, and now the pop-up window doesn't come up. But obviously I think it needs to be gotten rid of properly as it's no doubt part of the virus.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I doubt anyone has the time to look at your programs- they have enough of their own! If there is a personal full name in a log, I can delete that.
    =========================================
    I asked you not to delete the files if you found them on startup- just see if they were there and what they belonged to. The reason you are infected is because all of the infection was not completed. Please do only what I ask. >> "it needs to be gotten rid of properly." Yes

    These will be removed in the proper way:
    About the _UNINS~1.BAT:
    StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\shariblackvelvet\appdata\local\temp\_uninst_23372510.bat

    About the gfUomFNvRQL.exe
    uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe
    uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe
    I can remove both files with script after you run Combofix.
    ===============================
    You have about 150-200 of these files: c:\users\shariblackvelvet\appdata\local\xxxx
    Do you have any idea what they are?
    ==============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (you will need internet connection for this)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ========================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
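    The two startup entries quoted above (the HKCU Run value and the Startup-folder shortcut) and the 150-200 GUID-named folders under appdata\local are exactly what a small triage script can pull out of a DDS log before anything is deleted. The script below is an added example written for this page; it is not code from the thread, from TechSpot or from the DDS tool. The sample lines are copied from the logs posted in this thread, the benign msseces.exe entry is a constructed contrast case, and the heuristics (user-writable locations, case-flip and digit-heavy names) are my own assumptions rather than anything DDS itself applies.

```python
"""Triage helper for DDS-style log excerpts (added example, not DDS's code).

Parses the two kinds of lines quoted in the thread: startup entries
("uRun: [name] command", "StartupFolder: shortcut - target") and the file
listing ("YYYY-MM-DD HH:MM:SS size attrs path"), then flags what a reviewer
looks for before deleting anything.
"""
import re
from collections import Counter

# Startup lines copied from the thread (uRun is the HKCU ...\CurrentVersion\Run
# key). The third line is a constructed benign entry for contrast, not from the log.
STARTUP_LINES = [
    r"uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe",
    r"StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\shariblackvelvet\appdata\local\temp\_uninst_23372510.bat",
    r"uRun: [MSC] c:\program files\microsoft security client\msseces.exe -hide",
]

# Listing lines copied from the log above, plus ntdll.dll to show that plain
# files (attribute string not starting with 'd') are skipped.
LISTING_LINES = [
    r"2012-01-17 20:17:33 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{26E07204-AB28-4F0C-97FD-6397DD7FAAAC}",
    r"2012-01-17 07:50:49 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{A9CC87D8-1286-4520-AA9A-2ED7E69C323A}",
    r"2012-01-17 07:50:38 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{4980347A-CBD9-4459-B05C-A736F59E5C54}",
    r"2012-01-17 07:49:58 -------- d-----w- c:\users\shariblackvelvet\appdata\local\dbMobileInit",
    r"2012-01-16 15:20:53 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{FB9B9C1D-39C5-4384-9346-7940E75E853B}",
    r"2012-01-11 19:13:35 1205064 ----a-w- c:\windows\system32\ntdll.dll",
]

RUN_RE = re.compile(r"^uRun:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
LNK_RE = re.compile(r"^StartupFolder:\s*(?P<lnk>.+?\.lnk)\s+-\s+(?P<target>.+)$")
# First token of a command line that ends in a runnable extension, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|bat|cmd|com|scr|vbs|js|dll))(?:"|\s|$)', re.I)
LIST_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)

# Folders a standard user can write to. A Run entry pointing here deserves a
# closer look than one pointing into Program Files or System32 (my heuristic).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def name_flags(stem):
    """Heuristics for file names that look generated rather than chosen."""
    flags = []
    digits = sum(c.isdigit() for c in stem)
    if stem and digits * 2 >= len(stem):
        flags.append("digit_heavy_name")  # e.g. _uninst_23372510, 6924636
    letters = [c for c in stem if c.isalpha()]
    # Count upper/lower flips between neighbouring letters: gfUomFNvRQL flips
    # five times, a human-chosen name like msseces or GoogleUpdate rarely does.
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    if len(letters) >= 8 and flips >= 4:
        flags.append("random_case_name")
    return flags


def location_flags(path):
    """Flag targets living where any user could have dropped them."""
    p = path.lower()
    flags = []
    if any(marker in p for marker in USER_WRITABLE):
        flags.append("user_writable_location")
    if "\\temp\\" in p:
        flags.append("temp_dir")
    return flags


def triage_startup(lines):
    """Parse uRun / StartupFolder lines into dicts with source, name, target, flags."""
    entries = []
    for line in lines:
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            source, name, cmd = "HKCU Run", m.group("name"), m.group("cmd")
        else:
            m = LNK_RE.match(line)
            if not m:
                continue
            source = "Startup folder"
            name = m.group("lnk").rsplit("\\", 1)[-1]
            cmd = m.group("target")
        e = EXE_RE.match(cmd)
        target = e.group("path") if e else cmd
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        entries.append({"source": source, "name": name, "target": target,
                        "flags": location_flags(target) + name_flags(stem)})
    return entries


def count_guid_dirs(lines):
    """Count GUID-named directories per parent folder and per creation day."""
    by_parent, by_day = Counter(), Counter()
    for line in lines:
        m = LIST_RE.match(line.strip())
        if not m or not m.group("attrs").startswith("d"):
            continue
        parent, _, leaf = m.group("path").rpartition("\\")
        if GUID_RE.match(leaf):
            by_parent[parent.lower()] += 1
            by_day[m.group("date")] += 1
    return by_parent, by_day


if __name__ == "__main__":
    for e in triage_startup(STARTUP_LINES):
        print(f"{e['source']:<15}{e['name']:<18}{e['target']}")
        print(f"{'':<15}flags: {', '.join(e['flags']) or 'none'}")
    by_parent, by_day = count_guid_dirs(LISTING_LINES)
    for parent, n in by_parent.items():
        print(f"{n} GUID-named folders under {parent}")
    print("created per day:", dict(by_day))
```

    Run against the pasted lines, the two entries Bobbye singles out come back flagged (ProgramData plus a case-flipping name; Temp plus a digit-heavy name) while the contrast entry carries no flags, which is the point: the script narrows the list, and the decision to remove stays with the person reviewing the log. On a live machine the same pass would also check whether each target still exists, since a Run entry or shortcut whose file is already gone is what produces the "Windows cannot find ...exe" dialog this thread opened with. The per-day counter on the GUID folders makes their regular cadence in the log visible (pairs around 07:50 and 19:50 on most days), a detail worth having in hand when asking what creates them.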
     
  10. SBV

    SBV TS Rookie Topic Starter

    Here are the logs:

    COMBOFIX:

    ComboFix 12-01-23.02 - ShariBlackVelvet 23/01/2012 3:57.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.2939.1680 [GMT 0:00]
    Running from: c:\users\ShariBlackVelvet\Desktop\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\ShariBlackVelvet\Documents\~WRL0005.tmp
    c:\users\ShariBlackVelvet\Documents\~WRL1491.tmp
    c:\windows\system32\jgaw400.dll
    c:\windows\system32\nseA46E.tmp
    c:\windows\system32\nszA44E.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-23 to 2012-01-23 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-23 04:09 . 2012-01-23 04:09 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-23 02:02 . 2012-01-23 02:02 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EA69181B-1A19-49B7-9528-240626ABAD44}\MpKsl0cde92d6.sys
    2012-01-22 19:40 . 2012-01-23 01:34 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EA69181B-1A19-49B7-9528-240626ABAD44}\offreg.dll
    2012-01-22 19:40 . 2012-01-22 19:40 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EA69181B-1A19-49B7-9528-240626ABAD44}\MpKsl6299086f.sys
    2012-01-22 19:32 . 2011-10-04 17:22 703824 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1545967A-82C4-4793-B821-B094890F36E0}\gapaengine.dll
    2012-01-22 19:31 . 2012-01-17 04:39 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EA69181B-1A19-49B7-9528-240626ABAD44}\mpengine.dll
    2012-01-22 19:21 . 2012-01-22 19:22 -------- d-----w- c:\program files\Microsoft Security Client
    2012-01-22 19:20 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-01-19 17:49 . 2012-01-19 17:49 -------- d-----w- c:\program files\Panda Security
    2012-01-18 19:52 . 2011-11-30 02:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{28D0E58B-D0BF-447B-BF43-22D064460452}\mpengine.dll
    2012-01-18 16:57 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-01-18 16:57 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-18 16:57 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
    2012-01-18 16:57 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
    2012-01-18 16:57 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-18 16:57 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
    2012-01-17 19:13 . 2012-01-17 19:13 -------- d-----w- c:\programdata\Kaspersky Lab
    2012-01-17 07:49 . 2012-01-17 15:19 -------- d-----w- c:\users\ShariBlackVelvet\AppData\Local\dbMobileInit
    2012-01-16 15:20 . 2012-01-16 15:20 -------- d-----w- c:\users\ShariBlackVelvet\AppData\Local\QuickGL.NET
    2012-01-16 07:47 . 2012-01-16 15:20 -------- d-----w- c:\users\ShariBlackVelvet\AppData\Local\AppleHelp64
    2012-01-11 19:13 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-01-11 19:13 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-11 19:13 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 19:13 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 19:13 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-01-11 19:13 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-01-11 19:13 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 19:13 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-07 16:32 . 2011-09-16 15:33 11137024 ----a-w- c:\windows\system32\libmfxsw32.dll
    2012-01-07 16:32 . 2010-05-27 12:32 774144 ----a-w- c:\windows\system32\htmlayout.dll
    2012-01-07 16:32 . 2010-05-27 12:32 1003008 ----a-w- c:\windows\system32\libeay32.dll
    2012-01-07 03:14 . 2012-01-17 18:54 -------- d-----w- c:\program files\DriverTuner
    2012-01-07 02:45 . 2012-01-07 02:45 -------- d-----w- c:\program files\WinZip(156)
    2011-12-30 09:06 . 2011-12-30 09:06 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2011-12-30 09:06 . 2011-12-30 09:06 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2011-12-30 09:06 . 2011-12-30 09:06 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2011-12-30 09:06 . 2011-12-30 09:06 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 15:24 . 2009-11-12 16:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-23 13:37 . 2011-12-14 15:41 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-17 07:53 . 2011-05-14 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-08 14:42 . 2011-12-14 15:40 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-03 22:47 . 2011-12-15 07:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
    2011-11-03 22:40 . 2011-12-15 07:59 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 22:39 . 2011-12-15 07:59 1127424 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 22:31 . 2011-12-15 07:59 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-27 08:01 . 2011-12-14 15:41 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-27 08:01 . 2011-12-14 15:41 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 15:56 . 2011-12-14 15:40 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-30 09:06 . 2011-05-05 22:58 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
    "Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
    "AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-06-09 26112]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
    "Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2009-04-21 1045904]
    "Skytel"="Skytel.exe" [2007-11-20 1826816]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
    "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
    "HostManager"="c:\program files\Common Files\AOL\1287764634\ee\AOLSoftware.exe" [2010-02-10 41800]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
    "QuickTime Plugin Install"="c:\program files\QuickTime\Plugins\DeleteMe1.exe" [2011-08-04 86016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
    "Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    c:\users\ShariBlackVelvet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    AOL Desktop.lnk - c:\program files\Common Files\AOL\1287764634\ee\aolsoftware.exe [2010-2-10 41800]
    _uninst_23372510.lnk - c:\users\ShariBlackVelvet\AppData\Local\Temp\_uninst_23372510.bat [N/A]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2010-5-25 253952]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL0CDE92D6
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 11:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    TCP: Interfaces\{35594759-A864-4F40-8CDF-600825668E4A}: NameServer = 192.168.1.1
    FF - ProfilePath - c:\users\ShariBlackVelvet\AppData\Roaming\Mozilla\Firefox\Profiles\x97wkle1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50ffaoldesktop-chromesbox-en-us&tb_uuid=20110306000852167&tb_oid=06-03-2011&tb_mrud=06-03-2011
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.nectar.com
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    .
    .
    ------- File Associations -------
    .
    .reg=REG_SZ
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
    HKLM-Run-ITSecMng - c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
    HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
    HKLM-Run-Toshiba TEMPO - c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
    HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-gfUomFNvRQL - c:\programdata\gfUomFNvRQL.exe
    AddRemove-HDMI - c:\windows\system32\igxpun.exe
    AddRemove-HyperCam 3 - c:\program files\HyperCam 3\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-23 04:17
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????]?Y??P?U?x?U???U???U??
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-01-23 04:19:41
    ComboFix-quarantined-files.txt 2012-01-23 04:19
    .
    Pre-Run: 60,850,282,496 bytes free
    Post-Run: 65,542,144,000 bytes free
    .
    - - End Of File - - D3620A77CC2296CB2F2A467E44FC59E2





    ESETSCAN:



    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk LNK/URL.B trojan
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk LNK/URL.B trojan
    C:\Users\ShariBlackVelvet\AppData\Local\AppleHelp64\mfcPathdrv.exe probably a variant of Win32/Sefnit.CD trojan
    C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\78e0c967-3cf26355 Java/Agent.X trojan
    C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6527ca69-6646d483 multiple threats
    C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\37406235-5a78014a probably a variant of Win32/TrojanDownloader.Agent.JFLSFWP trojan
    C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\6113bd39-51cff152 Java/Agent.Y trojan
    C:\Users\ShariBlackVelvet\Downloads\fyzip-setup.exe Win32/DownloadAdmin.A.Gen application



    How come Esetscan says all of these are threats when the others don't? I'm sure fyzip for example is not.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMoveIt by Old Timer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files 
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk 
      C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk 
      C:\Users\ShariBlackVelvet\AppData\Local\AppleHelp64\mfcPathdrv.exe 
      C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39 \78e0c967-3cf26355 
      C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41 \6527ca69-6646d483 
      C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53 \37406235-5a78014a 
      C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57 \6113bd39-51cff152 
      C:\Users\ShariBlackVelvet\Downloads\fyzip-setup.exe 
      :Commands
      [purity]
      [emptytemp]
      [clearjavacache]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    My guess is that you downloaded it from a torrent site and got malware with it.
    ======================================
    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
     
  12. SBV

    SBV TS Rookie Topic Starter

    OTMoveIt log:


    All processes killed
    Error: Unable to interpret <[emptytemp]> in the current context!
    Error: Unable to interpret <[clearjavacache]> in the current context!
    Error: Unable to interpret <[start explorer]> in the current context!
    Error: Unable to interpret <[Reboot]> in the current context!

    OTM by OldTimer - Version 3.1.19.0 log created on 01242012_082200


    CKScanner Log:

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\users\shariblackvelvet\contacts\edd.mccracken@sundayherald.com.contact
    c:\users\shariblackvelvet\contacts\nick. cracknell - total guitar (e-mail).contact
    c:\users\shariblackvelvet\documents\windows mail vcf address book\edd_mccracken@sundayherald_com.vcf
    c:\users\shariblackvelvet\documents\windows mail vcf address book\nick_ cracknell - total guitar (e-mail).vcf
    scanner sequence 3.BB.11.OWAPOT
    ----- EOF -----
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you copy the entries in the OTM codebox just like I had them? I've never seen this before.

    Please download OTM again, copy the code exactly and follow the rest of the directions.
     
  14. SBV

    SBV TS Rookie Topic Starter

    Ok, just tried again:

    OTMoveIt log:

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    File/Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk not found.
    File/Folder C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk not found.
    File/Folder C:\Users\ShariBlackVelvet\AppData\Local\AppleHelp64\mfcPathdrv.exe not found.
    File/Folder C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39 \78e0c967-3cf26355 not found.
    File/Folder C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41 \6527ca69-6646d483 not found.
    File/Folder C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53 \37406235-5a78014a not found.
    File/Folder C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57 \6113bd39-51cff152 not found.
    File/Folder C:\Users\ShariBlackVelvet\Downloads\fyzip-setup.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: ShariBlackVelvet
    ->Temp folder emptied: 81810 bytes
    ->Temporary Internet Files folder emptied: 1278525958 bytes
    ->Java cache emptied: 85043500 bytes
    ->FireFox cache emptied: 430908259 bytes
    ->Google Chrome cache emptied: 19003248 bytes
    ->Flash cache emptied: 7808 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 25702 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2384612 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 37563502 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1,768.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 01242012_215919

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    CKScanner Log:

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\users\shariblackvelvet\contacts\edd.mccracken@sundayherald.com.contact
    c:\users\shariblackvelvet\contacts\nick. cracknell - total guitar (e-mail).contact
    c:\users\shariblackvelvet\documents\windows mail vcf address book\edd_mccracken@sundayherald_com.vcf
    c:\users\shariblackvelvet\documents\windows mail vcf address book\nick_ cracknell - total guitar (e-mail).vcf
    scanner sequence 3.BB.11.QVLBOE
    ----- EOF -----
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    From OTM: Total Files Cleaned = 1,768.00 mb. This is an enormous number of files! Do you do any maintenance on the computer? For instance:
    1. Delete temporary internet files and Cookies.
    2. Disc Cleanup.
    3. Error Check
    4. Defrag
    All of the above should be done on a regular basis. All of these files will slow the system down. And whenever you have to do any scans (any kind of scan), the scan will take much more time because all of the files have to be scanned.

    It appears that there is one user on this system.

    The processes themselves were actually killed the first time you ran the program. Perhaps you didn't include the Commands when you ran OTM the first time.
    ==================================
    Please disable this part of AdAware if you are going to run MSE:
    AV: Lavasoft Ad-Watch Live! Anti-Virus

    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    c:\program files\Panda Security
    c:\programdata\Kaspersky Lab
    DDS::
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe
    StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\shariblackvelvet\appdata\local\temp\_uninst_23372510.bat
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=-
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    A note: There are what looks to be about 200 appdata entries in the DDS log. I don't know what they are, I cannot ID them. I can only caution you to be sure you're the one in charge of the machine- not the apps!
    =============================
    Update and rescan with Malwarebytes. Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    When the scan has finished, you will see this image:
    [image: Malwarebytes scan-complete box]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ============================
    You still had a Trojan entry, so I want to make sure you're clean.
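An added triage helper, written for this edit and not part of the thread or of ComboFix: it parses the "Reg Loading Points" and "ORPHANS REMOVED" lines from a ComboFix log like the one in reply 10 and flags the autostart targets a helper checks first, which here are exactly the entries the CFScript above removes (the Temp-folder _uninst_23372510.bat shortcut and gfUomFNvRQL.exe sitting directly in ProgramData). The sample log lines are constructed from entries in this thread, and the heuristics are my own assumptions, not ComboFix's classification.

```python
import ntpath
import re

# Constructed sample in the style of ComboFix's "Reg Loading Points" and
# "ORPHANS REMOVED" sections; the values mirror entries posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [BU]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\users\ShariBlackVelvet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\1287764634\ee\aolsoftware.exe [2010-2-10 41800]
_uninst_23372510.lnk - c:\users\ShariBlackVelvet\AppData\Local\Temp\_uninst_23372510.bat [N/A]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-gfUomFNvRQL - c:\programdata\gfUomFNvRQL.exe
"""

# One Run-key value:  "name"="target" [date size | BU | N/A]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<status>[^\]]*)\]\s*$')
# One Startup-folder shortcut:  name.lnk - target [date size | N/A]
STARTUP_LNK = re.compile(r'^(?P<name>.+?\.lnk) - (?P<target>.+?) \[(?P<status>[^\]]*)\]\s*$')
# One orphan line:  HKLM-Run-name - target   (no status; ComboFix already removed it)
ORPHAN = re.compile(r'^(?:HKCU-Run|HKLM-Run|MSConfigStartUp)-(?P<name>.+?) - (?P<target>.+?)\s*$')

# Interpreters that installed products rarely launch at logon.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".wsf"}


def parse_loading_points(text):
    """Return (name, target, status) for every autostart line ComboFix prints."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_VALUE.match(line) or STARTUP_LNK.match(line)
        if m:
            entries.append((m["name"], m["target"], m["status"]))
            continue
        m = ORPHAN.match(line)
        if m:
            entries.append((m["name"], m["target"], "orphan"))
    return entries


def reasons_for(target, status):
    """Heuristic notes (my assumptions, not ComboFix's) about one autostart target."""
    notes = []
    directory, filename = ntpath.split(target.lower())
    ext = ntpath.splitext(filename)[1]
    if status.upper() == "N/A":
        notes.append("target file is missing on disk (ComboFix marks it [N/A])")
    if not directory:
        notes.append("target given without a directory, so it could not be verified")
    if "\\temp\\" in directory + "\\":
        notes.append("runs from a Temp folder, which installed software does not do")
    if ext in SCRIPT_EXTS:
        notes.append(f"{ext} script rather than a program executable")
    if directory.endswith("\\programdata"):
        notes.append("file dropped directly into ProgramData rather than a product folder")
    return notes


def triage(text):
    """Run the heuristics over a log and keep only entries that earned a note."""
    flagged = []
    for name, target, status in parse_loading_points(text):
        notes = reasons_for(target, status)
        if notes:
            flagged.append((name, target, notes))
    return flagged


if __name__ == "__main__":
    for name, target, notes in triage(SAMPLE_LOG):
        print(f"{name}\n    {target}")
        for note in notes:
            print(f"    - {note}")
```

Orphans are not flagged on their own (ComboFix has already removed them); they only surface when the dead target itself looks out of place, as gfUomFNvRQL.exe does.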
     
  16. SBV

    SBV TS Rookie Topic Starter

    I do do disc cleanups and defrags - sometimes it tells me I don't need to.

    Not sure what those 200 files are - I've looked and see the ones you mean. They look like folders; when I click on them there's nothing inside. Do you think I can delete them? I wonder if they just came from some Toshiba updates or something.



    ComboFix Log:

    ComboFix 12-01-23.02 - ShariBlackVelvet 25/01/2012 1:42.2.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.2939.1762 [GMT 0:00]
    Running from: c:\users\ShariBlackVelvet\Desktop\ComboFix.exe
    Command switches used :: c:\users\ShariBlackVelvet\Desktop\CFScript.txt
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Panda Security
    c:\program files\Panda Security\Panda ActiveScan Cleaner\20120119-184112-211e2b84-79c3-4100-9d3b-682967ae338f.pad
    c:\program files\Panda Security\Panda ActiveScan Cleaner\211e2b84-79c3-4100-9d3b-682967ae338f.stat
    c:\program files\Panda Security\Panda ActiveScan Cleaner\a1856b422ded36132a2f07689ee2563fKRN_DATA
    c:\program files\Panda Security\Panda ActiveScan Cleaner\a1856b422ded36132a2f07689ee2563fPSK_NM
    c:\program files\Panda Security\Panda ActiveScan Cleaner\a1856b422ded36132a2f07689ee2563fPSK_NM2
    c:\program files\Panda Security\Panda ActiveScan Cleaner\analyze.txt
    c:\program files\Panda Security\Panda ActiveScan Cleaner\mylog.txt
    c:\program files\Panda Security\Panda ActiveScan Cleaner\Nemesis.LOG
    c:\program files\Panda Security\Panda ActiveScan Cleaner\pav.zip
    c:\program files\Panda Security\Panda ActiveScan Cleaner\pavcl.log
    c:\program files\Panda Security\Panda ActiveScan Cleaner\pavcl.rpt
    c:\program files\Panda Security\Panda ActiveScan Cleaner\version.ini
    c:\programdata\Kaspersky Lab
    c:\programdata\Kaspersky Lab\~PRCustomProps#4dd.dat
    c:\programdata\Kaspersky Lab\~PRObjects#4dd.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-25 to 2012-01-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-25 01:57 . 2012-01-25 01:57 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-24 22:12 . 2012-01-24 22:12 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3DFC29AA-2B46-44EB-B7BA-B54343D315FF}\offreg.dll
    2012-01-24 08:04 . 2012-01-24 08:04 -------- d-----w- C:\_OTM
    2012-01-24 08:01 . 2012-01-17 04:39 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-01-24 08:00 . 2012-01-17 04:39 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3DFC29AA-2B46-44EB-B7BA-B54343D315FF}\mpengine.dll
    2012-01-23 04:24 . 2012-01-23 04:24 -------- d-----w- c:\program files\ESET
    2012-01-22 19:32 . 2011-10-04 17:22 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1545967A-82C4-4793-B821-B094890F36E0}\gapaengine.dll
    2012-01-22 19:21 . 2012-01-22 19:22 -------- d-----w- c:\program files\Microsoft Security Client
    2012-01-22 19:20 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-01-18 19:52 . 2011-11-30 02:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{28D0E58B-D0BF-447B-BF43-22D064460452}\mpengine.dll
    2012-01-18 16:57 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-01-18 16:57 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-18 16:57 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
    2012-01-18 16:57 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
    2012-01-18 16:57 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-18 16:57 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
    2012-01-17 07:49 . 2012-01-17 15:19 -------- d-----w- c:\users\ShariBlackVelvet\AppData\Local\dbMobileInit
    2012-01-16 15:20 . 2012-01-16 15:20 -------- d-----w- c:\users\ShariBlackVelvet\AppData\Local\QuickGL.NET
    2012-01-16 07:47 . 2012-01-24 08:04 -------- d-----w- c:\users\ShariBlackVelvet\AppData\Local\AppleHelp64
    2012-01-11 19:13 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-01-11 19:13 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-11 19:13 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 19:13 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 19:13 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-01-11 19:13 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-01-11 19:13 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 19:13 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-07 16:32 . 2011-09-16 15:33 11137024 ----a-w- c:\windows\system32\libmfxsw32.dll
    2012-01-07 16:32 . 2010-05-27 12:32 774144 ----a-w- c:\windows\system32\htmlayout.dll
    2012-01-07 16:32 . 2010-05-27 12:32 1003008 ----a-w- c:\windows\system32\libeay32.dll
    2012-01-07 03:14 . 2012-01-17 18:54 -------- d-----w- c:\program files\DriverTuner
    2012-01-07 02:45 . 2012-01-07 02:45 -------- d-----w- c:\program files\WinZip(156)
    2011-12-30 09:06 . 2011-12-30 09:06 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2011-12-30 09:06 . 2011-12-30 09:06 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2011-12-30 09:06 . 2011-12-30 09:06 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2011-12-30 09:06 . 2011-12-30 09:06 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 15:24 . 2009-11-12 16:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-23 13:37 . 2011-12-14 15:41 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-17 07:53 . 2011-05-14 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-08 14:42 . 2011-12-14 15:40 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-03 22:47 . 2011-12-15 07:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
    2011-11-03 22:40 . 2011-12-15 07:59 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 22:39 . 2011-12-15 07:59 1127424 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 22:31 . 2011-12-15 07:59 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-27 08:01 . 2011-12-14 15:41 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-27 08:01 . 2011-12-14 15:41 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-30 09:06 . 2011-05-05 22:58 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
    "Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
    "AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-06-09 26112]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
    "Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2009-04-21 1045904]
    "Skytel"="Skytel.exe" [2007-11-20 1826816]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
    "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
    "HostManager"="c:\program files\Common Files\AOL\1287764634\ee\AOLSoftware.exe" [2010-02-10 41800]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
    "QuickTime Plugin Install"="c:\program files\QuickTime\Plugins\DeleteMe1.exe" [2011-08-04 86016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
    "Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    c:\users\ShariBlackVelvet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    AOL Desktop.lnk - c:\program files\Common Files\AOL\1287764634\ee\aolsoftware.exe [2010-2-10 41800]
    _uninst_23372510.lnk - c:\users\ShariBlackVelvet\AppData\Local\Temp\_uninst_23372510.bat [N/A]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2010-5-25 253952]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    TCP: Interfaces\{35594759-A864-4F40-8CDF-600825668E4A}: NameServer = 192.168.1.1
    FF - ProfilePath - c:\users\ShariBlackVelvet\AppData\Roaming\Mozilla\Firefox\Profiles\x97wkle1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50ffaoldesktop-chromesbox-en-us&tb_uuid=20110306000852167&tb_oid=06-03-2011&tb_mrud=06-03-2011
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.nectar.com
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: browser.sessionstore.resume_from_crash - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-25 01:57
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????]?Y??P?U?x?U???U???U??
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-01-25 02:12:46
    ComboFix-quarantined-files.txt 2012-01-25 02:12
    ComboFix2.txt 2012-01-23 04:19
    .
    Pre-Run: 66,611,200,000 bytes free
    Post-Run: 67,053,035,520 bytes free
    .
    - - End Of File - - 0A36FBF42E7F249CF35A5EA243D973A6


    Malwarebytes Log:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.22.04

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    ShariBlackVelvet :: SBV-PC [administrator]

    25/01/2012 3:17:11 pm
    mbam-log-2012-01-25 (15-17-11).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 462056
    Time elapsed: 2 hour(s), 22 minute(s), 14 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Looks good! I do recommend you go through the Toshiba processes and uninstall or take off of Startup those you do not use/need or want.

    For instance: This is a reminder to register set in 2008:
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]

    There is also an AOL Process you can do without on Startup:
    c:\users\ShariBlackVelvet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    AOL Desktop.lnk - c:\program files\Common Files\AOL\1287764634\ee\aolsoftware.exe [2010-2-10 41800]
    _uninst_23372510.lnk - c:\users\ShariBlackVelvet\AppData\Local\Temp\_uninst_23372510.bat [N/A]
    • Name: AOL Service Libraries
    • Startup Value: C:\Program Files\Common Files\AOL\<10 digit number>\e\AOLSoftware.exe
    • Purpose: Integrated email, instant messenger and web browser
    • Program disable option: None
    • Shortcut(s) available: None
    ====================================
    You can delete all those app data files. Copy them to one screen> then click on Edit> Select All> Edit> Delete.

    Are there any more malware-related problems?
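    An added example, not part of the thread and not one of the tools used in it: a PowerShell audit of the autostart locations listed in the ComboFix log above (the two Run keys and the Startup folders), flagging entries whose target file is missing, which is what the log's [N/A] next to _uninst_23372510.lnk means, or whose target lives under a Temp folder. It assumes Windows PowerShell 3.0 or later running on the machine being inspected; no paths beyond those shown in the log are assumed.

```powershell
# Added example, not from the thread or the tools used in it: audit the autostart
# locations that appear in the ComboFix log (Run keys and Startup folders) and flag
# entries whose target no longer exists, which is what the log's "[N/A]" next to
# _uninst_23372510.lnk means, or whose target lives under a Temp folder.
# Assumes Windows PowerShell 3.0 or later running on the machine being inspected.

$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

# Registry Run keys, as listed under "Reg Loading Points" in the log
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Per-user and all-users Startup folders
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-CommandTarget {
    param([string]$Command)
    # Reduce "C:\dir\app.exe" /arg or C:\dir\app.exe /arg to the executable path.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    return ($cmd -split '\s+')[0]
}

function Test-TargetExists {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    if (Test-Path -LiteralPath $Target) { return $true }
    # Bare names such as "RtHDVCpl.exe" in the log are resolved through PATH
    return [bool](Get-Command $Target -ErrorAction SilentlyContinue)
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # Skip the provider's PS* metadata properties and non-string (binary) values
        if ($p.Name -like 'PS*' -or $p.Value -isnot [string]) { continue }
        $t = Get-CommandTarget $p.Value
        $findings += [pscustomobject]@{ Source = $key; Entry = $p.Name; Target = $t; Exists = Test-TargetExists $t }
    }
}
foreach ($dir in $startupDirs) {
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
        $t = $shell.CreateShortcut($lnk.FullName).TargetPath
        $findings += [pscustomobject]@{ Source = $dir; Entry = $lnk.Name; Target = $t; Exists = Test-TargetExists $t }
    }
}

# Missing targets (an entry pointing at a file that is gone) and anything launched
# from a Temp directory are the entries worth reviewing before the next reboot.
$findings | Where-Object { -not $_.Exists -or $_.Target -match '\\Temp\\' } | Format-Table -AutoSize
```

    A shortcut whose target is gone produces exactly the "Windows cannot find ..." message at logon; the listing shows which entry to remove rather than which file to go looking for.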
     
  18. SBV

    SBV TS Rookie Topic Starter

    Great. Thank you so much for your help. You're a superhero. It is much appreciated! :)
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome! Glad to help.
    You can go ahead with this now>
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
Topic Status:
Not open for further replies.
