TechSpot

Another PC performance & stability analysis report

By GoddessParis
Jun 11, 2011
  1. Hi Bobbye,

    Attached are my logs. (I hope I did it right) This is my work computer now and I have lost my documents. Thank you so much for any help you can provide me with!

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6826

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/10/2011 9:21:23 AM
    mbam-log-2011-06-10 (09-21-23).txt

    Scan type: Quick scan
    Objects scanned: 186352
    Time elapsed: 7 minute(s), 19 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    c:\programdata\uxynlsranawfma.exe (Trojan.FakeMS) -> 3664 -> Unloaded process successfully.
    c:\programdata\37674744.exe (Trojan.FakeMS) -> 4068 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uxYnlsRaNAWFMa (Trojan.FakeMS) -> Value: uxYnlsRaNAWFMa -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\uxynlsranawfma.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\programdata\37674744.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Local\Temp\-213E8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Local\Temp\1363E8.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Local\Temp\8939.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Local\Temp\jar_cache5487763358777221459.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Local\Temp\tmp83BD.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.

    •GMER log
    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-10 11:22:33
    Windows 6.1.7600
    Running: download[1].exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167d6b412
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167d6b412 (not active ControlSet)

    ---- EOF - GMER 1.0.15 ----

    •DDS logs: both DDS.txt and Attach.txt
    .
    DDS (Ver_2011-06-03.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385
    Run by Angel at 11:26:36 on 2011-06-10
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3895.2129 [GMT -4:00]
    .
    AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
    AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
    SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\LSI SoftModem\agr64svc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\windows\System32\svchost.exe -k HPZ12
    C:\windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\TECO\TecoService.exe
    C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\windows\system32\svchost.exe -k HPService
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\SSU.EXE
    C:\windows\system32\taskhost.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ltmoh\ltmoh.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\TOSHIBA\TECO\Teco.exe
    C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\windows\system32\igfxext.exe
    C:\windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\windows\system32\taskeng.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\rselect\RSelSvc.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    C:\windows\system32\wuauclt.exe
    C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
    C:\windows\system32\svchost.exe -k SDRSVC
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
    C:\windows\SysWOW64\Macromed\Flash\FlashUtil10p_ActiveX.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\windows\system32\SearchProtocolHost.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\windows\system32\DllHost.exe
    C:\windows\system32\DllHost.exe
    C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\conhost.exe
    C:\windows\SysWOW64\cscript.exe
    C:\windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\prxtbZyn2.dll
    uURLSearchHooks: H - No File
    mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\prxtbZyn2.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\prxtbZyn2.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\prxtbZyn2.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [HLBackupScheduler] "C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe"
    uRun: [Google Update] "C:\Users\Angel\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    mRun: [IAStorIcon] "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe"
    mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
    mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
    mRun: [HP Software Update] "C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe"
    mRun: [<NO NAME>]
    mRun: [PeachtreePrefetcher.exe] "C:\PROGRA~2\Sage\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
    mRun: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [AppleSyncNotifier] "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    dRunOnce: [FlashPlayerUpdate] C:\windows\SysWOW64\Macromed\Flash\FlashUtil10p_ActiveX.exe -update activex
    StartupFolder: C:\Users\Angel\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    Trusted Zone: woosterplace.com\mail
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
    TCP: Interfaces\{5C8CE652-7876-429E-A929-B44258BEB8F2} : DhcpNameServer = 192.168.1.1 71.250.0.12
    TCP: Interfaces\{5C8CE652-7876-429E-A929-B44258BEB8F2}\130364850313035313938333 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{5C8CE652-7876-429E-A929-B44258BEB8F2}\C696E6B6379737 : DhcpNameServer = 68.87.64.150 68.87.75.198
    TCP: Interfaces\{5C8CE652-7876-429E-A929-B44258BEB8F2}\D4162796A2 : DhcpNameServer = 192.168.2.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - C:\Program Files (x86)\Microsoft\Outlook Web Access SMIME Client\mimectl.dll
    mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\windows\system32\cmd.exe /D /C start C:\windows\system32\ie4uinit.exe -ClearIconCache
    BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO-X64: 0x1 - No File
    BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO-X64: HP Print Enhancer - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\prxtbZyn2.dll
    BHO-X64: Zynga - No File
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    BHO-X64: HP Smart BHO Class - No File
    TB-X64: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files (x86)\Zynga\prxtbZyn2.dll
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
    mRun-x64: [IAStorIcon] "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe"
    mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
    mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
    mRun-x64: [HP Software Update] "C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe"
    mRun-x64: [(Default)]
    mRun-x64: [PeachtreePrefetcher.exe] "C:\PROGRA~2\Sage\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
    mRun-x64: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [AppleSyncNotifier] "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
    R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-10-27 252784]
    R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-6-1 13336]
    R2 psqlWGE;Pervasive PSQL Workgroup Engine;C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [2008-6-6 435496]
    R2 RSELSVC;TOSHIBA Modem region select service;C:\Program Files\TOSHIBA\rselect\RSelSvc.exe [2009-7-7 65904]
    R2 ssfmonm;ssfmonm;C:\windows\system32\DRIVERS\ssfmonm.sys --> C:\windows\system32\DRIVERS\ssfmonm.sys [?]
    R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2009-11-11 317296]
    R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-6-1 2314240]
    R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;C:\Program Files (x86)\Webroot\Security\Current\plugins\antimalware\AEI.exe [2011-1-27 3899008]
    R2 WRConsumerService;Webroot Client Service;C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [2011-4-7 3251928]
    R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
    R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
    R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
    R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\system32\DRIVERS\rtl8192se.sys --> C:\windows\system32\DRIVERS\rtl8192se.sys [?]
    R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-6-1 51512]
    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-11-5 137560]
    R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2009-11-10 824688]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
    R3 WSDPrintDevice;WSD Print Support via UMB;C:\windows\system32\DRIVERS\WSDPrint.sys --> C:\windows\system32\DRIVERS\WSDPrint.sys [?]
    S1 vflt;Shrew Soft Lightweight Filter;C:\windows\system32\DRIVERS\vfilter.sys --> C:\windows\system32\DRIVERS\vfilter.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2010-12-5 401920]
    S3 HtcUsbMdmV64;HTC Proprietary USB Driver;C:\windows\system32\DRIVERS\HtcUsbMdmV64.sys --> C:\windows\system32\DRIVERS\HtcUsbMdmV64.sys [?]
    S3 HtcVCom32;HTC Diagnostic Port;C:\windows\system32\DRIVERS\HtcVComV64.sys --> C:\windows\system32\DRIVERS\HtcVComV64.sys [?]
    S3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;C:\Program Files (x86)\Sage\Peachtree\SmartPostingService2011.exe [2010-4-10 43848]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-6-1 222720]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
    S3 vnet;Shrew Soft Virtual Adapter;C:\windows\system32\DRIVERS\virtualnet.sys --> C:\windows\system32\DRIVERS\virtualnet.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-05-24 16:14:51 0 ----a-w- C:\windows\SysWow64\ConduitEngine.tmp
    2011-05-24 16:14:51 -------- d-----w- C:\Program Files (x86)\ConduitEngine
    .
    ==================== Find3M ====================
    .
    2011-05-29 13:11:30 39984 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 13:11:20 25912 ----a-w- C:\windows\System32\drivers\mbam.sys
    2011-04-06 20:26:58 96544 ----a-w- C:\windows\System32\dnssd.dll
    2011-04-06 20:26:58 69408 ----a-w- C:\windows\System32\jdns_sd.dll
    2011-04-06 20:26:58 237856 ----a-w- C:\windows\System32\dnssdX.dll
    2011-04-06 20:26:58 119584 ----a-w- C:\windows\System32\dns-sd.exe
    2011-04-06 20:20:16 91424 ----a-w- C:\windows\SysWow64\dnssd.dll
    2011-04-06 20:20:16 75040 ----a-w- C:\windows\SysWow64\jdns_sd.dll
    2011-04-06 20:20:16 197920 ----a-w- C:\windows\SysWow64\dnssdX.dll
    2011-04-06 20:20:16 107808 ----a-w- C:\windows\SysWow64\dns-sd.exe
    .
    ============= FINISH: 11:29:32.09 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-03.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/7/2010 5:48:29 PM
    System Uptime: 6/10/2011 10:47:31 AM (1 hours ago)
    .
    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel(R) Core(TM) i3 CPU M 330 @ 2.13GHz | CPU | 917/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 281 GiB total, 224.527 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: Shrew Soft Lightweight Filter
    Device ID: ROOT\LEGACY_VFLT\0000
    Manufacturer:
    Name: Shrew Soft Lightweight Filter
    PNP Device ID: ROOT\LEGACY_VFLT\0000
    Service: vflt
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Officejet 6500 E709n
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Officejet 6500 E709n
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    ==== System Restore Points ===================
    .
    RP89: 4/7/2011 7:44:16 AM - Scheduled Checkpoint
    RP90: 4/7/2011 8:26:39 AM - Windows Modules Installer
    RP91: 4/14/2011 10:10:50 AM - Scheduled Checkpoint
    RP92: 4/27/2011 12:52:31 PM - Scheduled Checkpoint
    RP93: 5/16/2011 2:24:06 PM - Scheduled Checkpoint
    RP94: 5/24/2011 2:25:43 PM - Scheduled Checkpoint
    RP95: 6/1/2011 11:48:03 AM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    6500_E709_eDocs
    6500_E709_Help
    6500_E709n
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X
    Amazon Games & Software Downloader
    Amazon MP3 Downloader 1.0.12
    Apple Application Support
    Apple Software Update
    Bejeweled 2 Deluxe
    Blackhawk Striker 2
    bpd_scan
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    Crystal Reports 2008 Runtime SP1
    CzarLite
    Destinations
    DeviceDiscovery
    DocMgr
    DocProc
    Faerie Solitaire
    FATE Undiscovered Realms
    Fax
    Google Talk Plugin
    GoToMeeting 4.5.0.457
    GPBaseService2
    HP Update
    HPDiagnosticAlert
    HPProductAssistant
    Intel(R) Control Center
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Components
    Intel(R) Rapid Storage Technology
    Java(TM) 6 Update 14
    Junk Mail filter update
    Label@Once 1.0
    Malwarebytes' Anti-Malware version 1.51.0.1200
    MarketResearch
    Microsoft Choice Guard
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2010
    Microsoft Outlook Web Access S/MIME (2007)
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Monopoly
    MSVCRT
    New Penn Motor Express Section 7
    Peachtree Accounting 2011
    PeachTree Signature Ready Forms
    Pervasive PSQL v10 SP2 Workgroup (32-bit)
    Polar Bowler
    ProductContext
    QuickTime
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Realtek WLAN Driver
    Safari
    Sage Integration Services
    Sage Message Center
    Scan
    Scrabble Plus
    SmartWebPrinting
    SolutionCenter
    Status
    Toolbox
    TOSHIBA Application Installer
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA DVD PLAYER
    TOSHIBA eco Utility
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Face Recognition
    TOSHIBA Hardware Setup
    TOSHIBA HDD/SSD Alert
    TOSHIBA Internal Modem Region Select Utility
    TOSHIBA Media Controller
    Toshiba Online Backup
    TOSHIBA Quality Application
    TOSHIBA ReelTime
    TOSHIBA Service Station
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TOSHIBA Web Camera Application
    TrayApp
    Virtual Families
    Virtual Villagers - The Secret City
    WebReg
    Webroot Software
    WildTangent Games
    WildTangent ORB Game Console
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Writer
    WModem Driver Installer
    Zynga Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/6/2011 8:21:23 PM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 107.
    6/6/2011 8:21:23 PM, Error: Schannel [36874] - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    6/6/2011 11:42:03 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Angel-PC\Angel SID (S-1-5-21-3107127743-3541146285-3577337754-1001) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    6/10/2011 9:12:36 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    6/10/2011 8:41:24 AM, Error: Service Control Manager [7023] - The Windows Update service terminated with the following error: %%-2147467243
    6/10/2011 8:40:53 AM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{5C8CE652-7876-429E-A929-B44258BEB8F2} because another computer on the network has the same name. The server could not start.
    6/10/2011 8:40:42 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    6/10/2011 10:49:03 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    6/10/2011 10:48:11 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: vflt
    .
    ==== End Of File ===========================

    Edit: Deleted the Attention entry.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You got the logs in fine. Let me comment on a few things:

    1. There are 2 antivirus programs running:Spysweeper with AV and Norton Internet Security. This can actually make the system more vulnerable, not less, so one should be removed:
    Tool for Norton: Norton Removal Tool
    Tool for Spysweeper: I don't know if you can just disable the AV part of Spysweeper. You might want to check on that. From my own experience with Spysweeper, the uninstall will work better if done in Safe Mode-so this first:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
      Remove Webroot

      • [1] Scroll down to Remove Webroot and click on this word Remove.
        [2] Download SSECleanup.zip ans save to a known location on your computer such as the desktop.

        Before running the tool, do this:
        [3] Once downloaded open the folder SSECleanup.zip then double-click the file SSECleanup.exe in the folder SSECleanup.zip.
        [4] A Window will pop up- wait until the window closes itself.
        [5] Once the window closes Webroot Spysweeper will be removed from the computer.

      To stop the service, Start > Run> type Services.msc> find each of the following Services> double-click on each> change the Startup type to Disabled> Stop the Service:
      WebrootSpySweeperService
      WRConsumerService


      Reboot into Normal Mode
      Look through the list of services for any associated with Webroot Spysweeper and disable them. Reboot, then remove all traces of Spysweeper, including registry entries. ( will handle the Registry entries in Combofix.

      Go to the program start menu folder and you will find an entry titled "uninstall spysweeper', use that, if you can't find that go c:\program files\webroot\spy sweeper\unins000.exe and execute it. Shut spy sweeper down first.
    ===========================================
    You have numerous entries for the Zyanga Toolbar: This is a Conduit "Community Toolbar" - modifies the default IE URL search hook. Conduit toolbars are reputed to have a certain trackware functionality. It is known to offer or exhibit borderline or questionable behavior.I recommend that you uninstall it.
    Look in Add/Remove Programs> Uninstall anything Zyanga
    The use Windows Explorer (Windows key + E). Go to Computer> Local Drive> Programs> find Zyanga folder and do right click> Delete.

    If any entries remain, I will remove them with script in Combofix.
    ==========================================
    Something to consider: Toshiba has preloaded at least 21 programs and processes. You should examine them in the Programs and decide if you use/want the process, you do not, uninstall it.
    ======================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ============================================
    You can go ahead and run this- see if you are then able to see your files. Note: this won't remove the malware- only the attribute that is hiding files and programs. There is no log.
    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    ============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Reminder to b patient

    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
     
  3. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    ComboFix.txt Logs

    I have removed Norton Internet Security, the Zynga toolbar and the Toshiba programs which I thought would not affect my computer in any way. Below are the Combofix.txt results. Thank you so much!

    ComboFix 11-06-11.01 - Angel 06/12/2011 12:28:34.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3895.2558 [GMT -4:00]
    Running from: c:\users\Angel\Desktop\ComboFix.exe
    AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
    SP: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\users\Angel\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DF81A8DD-32B0-4A9B-881B-0D113B49EB8C}.xps
    c:\users\Angel\g2mdlhlpx.exe
    c:\users\Angel\GoToAssistDownloadHelper.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-12 16:52 . 2011-06-12 16:52 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-12 16:52 . 2011-06-12 16:52 -------- d-----w- c:\users\Angel_2\AppData\Local\temp
    2011-06-12 16:11 . 2011-06-12 16:17 -------- d-----w- C:\32788R22FWJFW
    2011-06-12 14:59 . 2011-06-12 15:57 5149 ----a-w- C:\DetectionData.tmp
    2011-06-12 14:59 . 2011-06-12 15:57 51030 ----a-w- C:\InformationalData.tmp
    2011-06-10 14:02 . 2011-06-10 14:02 -------- d-----w- c:\users\Angel_2\AppData\Roaming\Apple Computer
    2011-06-10 14:02 . 2011-06-10 14:02 -------- d-----w- c:\users\Angel_2\AppData\Local\Apple Computer
    2011-05-24 16:14 . 2011-05-24 16:14 0 ----a-w- c:\windows\SysWow64\ConduitEngine.tmp
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 13:11 . 2011-03-04 17:56 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 13:11 . 2011-03-04 17:56 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-06 20:26 . 2011-04-06 20:26 96544 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:26 . 2011-04-06 20:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 20:26 . 2011-04-06 20:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:26 . 2011-04-06 20:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\SysWow64\jdns_sd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\SysWow64\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
    2011-03-31 10:44 . 2011-03-31 10:44 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-03-31 10:44 . 2011-03-31 10:44 320512 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-03-31 10:44 . 2011-03-31 10:44 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2011-03-31 10:44 . 2011-03-31 10:44 1888256 ----a-w- c:\windows\system32\WMVDECOD.DLL
    2011-03-31 10:44 . 2011-03-31 10:44 1619456 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
    2011-03-31 10:44 . 2011-03-31 10:44 144384 ----a-w- c:\windows\system32\cdd.dll
    2011-03-31 10:44 . 2011-03-31 10:44 197120 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1837568 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-03-31 10:44 . 2011-03-31 10:44 902656 ----a-w- c:\windows\system32\d2d1.dll
    2011-03-31 10:44 . 2011-03-31 10:44 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
    2011-03-31 10:44 . 2011-03-31 10:44 662528 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-03-31 10:44 . 2011-03-31 10:44 470016 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-31 10:44 . 2011-03-31 10:44 283648 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
    2011-03-31 10:44 . 2011-03-31 10:44 229888 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1863680 ----a-w- c:\windows\system32\ExplorerFrame.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1540608 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1495040 ----a-w- c:\windows\SysWow64\ExplorerFrame.dll
    2011-03-31 10:44 . 2011-03-31 10:44 135168 ----a-w- c:\windows\SysWow64\XpsRasterService.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1133568 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
    2011-03-31 10:44 . 2011-03-31 10:44 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
    2011-03-31 10:44 . 2011-03-31 10:44 4068864 ----a-w- c:\windows\system32\mf.dll
    2011-03-31 10:44 . 2011-03-31 10:44 3181568 ----a-w- c:\windows\SysWow64\mf.dll
    2011-03-31 10:44 . 2011-03-31 10:44 257024 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-03-31 10:44 . 2011-03-31 10:44 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
    2011-03-31 10:44 . 2011-03-31 10:44 206848 ----a-w- c:\windows\system32\mfps.dll
    2011-03-31 10:44 . 2011-03-31 10:44 196608 ----a-w- c:\windows\SysWow64\mfreadwrite.dll
    2011-03-31 10:44 . 2011-03-31 10:44 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]
    "ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
    "TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-11-05 2446648]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
    "PeachtreePrefetcher.exe"="c:\progra~2\Sage\PEACHT~1\PeachtreePrefetcher.exe" [2011-02-22 29512]
    "AmazonGSDownloaderTray"="c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "WebrootTrayApp"="c:\program files (x86)\Webroot\Security\Current\Framework\WRTray.exe" [2011-04-07 1373208]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10p_ActiveX.exe" [2011-04-27 235168]
    .
    c:\users\Angel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
    @="Service"
    .
    R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
    R3 HtcUsbMdmV64;HTC Proprietary USB Driver;c:\windows\system32\DRIVERS\HtcUsbMdmV64.sys [x]
    R3 HtcVCom32;HTC Diagnostic Port;c:\windows\system32\DRIVERS\HtcVComV64.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\program files (x86)\Sage\Peachtree\SmartPostingService2011.exe [2011-02-22 43848]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-01 222720]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]
    S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\rselect\RSelSvc.exe [2009-07-07 65904]
    S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [x]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-11-12 317296]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
    S2 WRConsumerService;Webroot Client Service;c:\program files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [2011-04-07 3251928]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [x]
    S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-11-05 137560]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
    2009-07-14 01:14 301568 ----a-w- c:\windows\System32\cmd.exe
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 166424]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 390168]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 408600]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-03 8312352]
    "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2008-09-25 195080]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-11-05 709976]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
    Trusted Zone: woosterplace.com\mail
    TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
    URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    Toolbar-Locked - (no file)
    Wow6432Node-HKCU-Run-msnmsgr - c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe
    Wow6432Node-HKCU-Run-HLBackupScheduler - c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
    Toolbar-Locked - (no file)
    WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-(Default) - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
    HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
    HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{7B13EC3E-999A-4B70-B9CB-2617B8323822}"=hex:51,66,7a,6c,4c,1d,38,12,50,ef,00,
    7f,a8,d7,1e,0e,c6,dd,65,57,bd,6c,7c,36
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
    eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
    "{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
    06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
    "{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
    07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
    f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
    "{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
    fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
    "{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
    51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:ba,ad,0d,65,7c,f0,cb,01
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-06-12 12:59:54
    ComboFix-quarantined-files.txt 2011-06-12 16:59
    .
    Pre-Run: 241,119,567,872 bytes free
    Post-Run: 242,372,886,528 bytes free
    .
    - - End Of File - - BD0CD7E08B6DBABDCDD41B1BD679ECF8
     
  4. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    My Peachtree Accounting System Stopped Working

    Hi Bobbye,

    Peachtree is now not working. Do you think this is due to the virus in my computer?
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't have enough information to answer that."Not working" means what?

    I'll pick this up in the morning- I am so tired right now.

    Let's just have a look at this:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    File::
    RegLock:
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [​IMG]on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [​IMG]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives/
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Leave the logs and I'll review them in the morning.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Had my coffee, checking in as promised. But I will wait for the 2 logs before going further. Please post when ready.
     
  7. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    Thanks for the reply! I got peachtree to work by repairing the program with the disc for peachtree and disabling the .net framework 3.5.1. I am still on the first step of the last set of instructions you sent me. It was stalling for a while (2.5 hrs) on step 4 so I restarted the laptop and the process. I think it should be done soon. I will send over the logs as soon it is. Thank you once again!
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay. Let me know if problem continues. I'm not sure which program stalled.
     
  9. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    I have tried a couple of times to run the same process(CFScript.txt transfer to combofix) and it keeps stalling.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    At what point does this 'stall'? This is no entry marked Step 4.
    Please explain "stall."
    ================================================
    See if this will run: I don't know if this will work because the registry key is locked:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :reg
      [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'll give you one more day to reply. If you do not, I will close the thread.
     
  12. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    Hi, thank you for being so patient. When I scroll over the CFScript.txt over to the combofix icon on my desktop it runs thru stages and then informs me when each stage is complete. Well, it just stays there for hours after stage 4 is complete. Hope this makes more sense. I also did the systemlook you suggested and below are the results.

    SystemLook 04.09.10 by jpshortstuff
    Log created at 21:45 on 20/06/2011 by Angel
    Administrator - Elevation successful
    WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

    ========== reg ==========

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    "{7B13EC3E-999A-4B70-B9CB-2617B8323822}"=51 66 7a 6c 4c 1d 38 12 50 ef 00 7f a8 d7 1e 0e c6 dd 65 57 bd 6c 7c 36 (REG_BINARY)
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=51 66 7a 6c 4c 1d 38 12 5c be 8a eb c9 8f bc 54 f6 39 43 d0 22 43 0b 9c (REG_BINARY)
    "{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=51 66 7a 6c 4c 1d 38 12 56 8e 54 06 cb 8d 95 0b e4 47 35 d5 e9 fe 12 64 (REG_BINARY)
    "{0347C33E-8762-4905-BF09-768834316C61}"=51 66 7a 6c 4c 1d 38 12 50 c0 54 07 50 c9 6b 0c c0 1f 35 c8 31 6f 28 75 (REG_BINARY)
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=51 66 7a 6c 4c 1d 38 12 72 0b cc 1c 9f a6 ed 07 da 80 b9 17 89 70 f9 d7 (REG_BINARY)
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=51 66 7a 6c 4c 1d 38 12 5b ab e0 b0 13 40 37 0c c5 34 01 f3 05 d0 46 eb (REG_BINARY)
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=51 66 7a 6c 4c 1d 38 12 2a 03 db df 77 ea 35 06 c3 62 df 65 c4 9b cc bd (REG_BINARY)
    "{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=51 66 7a 6c 4c 1d 38 12 cf 4e be f9 90 2f b6 0a e3 01 c5 b7 a9 7a 14 95 (REG_BINARY)
    "{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=51 66 7a 6c 4c 1d 38 12 91 fc ec fb 7c 81 45 0a c2 d4 4d 32 e4 48 ec 42 (REG_BINARY)
    "{555D4D79-4BD2-4094-A395-CFC534424A05}"=51 66 7a 6c 4c 1d 38 12 17 4e 4e 51 e0 05 fa 05 dc 83 8c 85 31 1c 0e 11 (REG_BINARY)


    -= EOF =-
     
  13. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    should I try to do all of the steps again from the beginning?
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are you being careful not to move the mouse while Combofix is running? It is strange that the Combofix scan ran okay but the script won't. Let's just redo the following:

    Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the the Perform Full Scan option is selected and then click on the Scan button.

    When scan has finished, you will see this image:
    [​IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Pad before copying the log to paste in your next reply.
    ============================================
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    ------------------------------------------------------
    Reboot the computer.
    ---------------------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =============================
    Repeating: Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.

    Please tell me what, if any symptoms you are still experiencing with the system related to this malware.
     
  15. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    Hi, did step 1 and I'm still stalling on the combofix step. So far it's been 2 hours and still on stage 4. I will send you the log for step 1 as soon as the combofix is done. The laptop is not touched while running the combofix.
     
  16. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    The Combofix step is still stalling at stage 4 even when all of the steps were followed. The logs for Malware are below.

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6921

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/22/2011 4:15:01 PM
    mbam-log-2011-06-22 (16-15-01).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 342606
    Time elapsed: 42 minute(s), 4 second(s)

    Memory Processes Infected: 3
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 3
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 7

    Memory Processes Infected:
    c:\Users\Angel\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> 4392 -> Unloaded process successfully.
    c:\Users\Angel\AppData\Roaming\dwm.exe (Trojan.Downloader) -> 4784 -> Unloaded process successfully.
    c:\Users\Angel\AppData\Local\Temp\csrss.exe (Trojan.Agent) -> 3612 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\Users\Angel\AppData\Local\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Angel\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Roaming\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Local\Temp\52F0.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Local\Temp\7678.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\LocalLow\Sun\Java\deployment\cache\6.0\0\16b6c280-5df2c8ab (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Local\Temp\0.10185420143728241.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
    c:\Users\Angel\AppData\Local\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm attempting to find out what "Step 4" is in the CFFix. But ignore that for now because I got the information.

    But I am concerned that you are still "gathering" malware, as seen in the current Mbam log. These are not the same as originally. Many are in temp files which are frequently the setups from installed programs.

    Somehow I missed having you run the Eset Online Virus Scan! Please note my emphasis that you not have the threats removed- I will do that.
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [​IMG]on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [​IMG]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives/
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =========================================
    I need to check the security status: Please run this Security Check

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ===========================================
    When you first ran Combofix, did you have any problem? It is strange that you could run the scan but not the one entry for FileLook. But I did get that information. We need to find the 'leak' in the security
     
  18. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    Good Morning, well I ran ESET and before I could send you the log (7 viruses) I received what seems like a virus message. Now I can't access the internet from that computer without getting the message. It's also popping up as popups on the laptop even when I close internet explorer =/ It says the following:

    Win 7 Antivirus 2012 has blocked a program from accessing the internet.
    ssvagent.exe is infected with Trojan-BNK.Win32.Keylogger.gen
    Private data can be stolen by third parties, including credit card details and passwords.
     
  19. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    okay, I did the preliminary steps and below are my logs. I am still running into the same issue with the combofix as I was before where it stalls after stage 4.

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6921

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/25/2011 11:33:35 AM
    mbam-log-2011-06-25 (11-33-35).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 332771
    Time elapsed: 38 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Angel\AppData\Local\hbs.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Angel\AppData\Local\hbs.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Angel\AppData\Local\Temp\0.22571415097438274.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

    Gmer
    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-25 12:17:20
    Windows 6.1.7600
    Running: 99cjofuv.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167d6b412
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167d6b412 (not active ControlSet)

    ---- Files - GMER 1.0.15 ----

    File C:\Users\Angel\AppData\Local\Temp\~DF4EB35987625EC170.TMP 512 bytes
    File C:\Users\Angel\AppData\Local\Temp\~DF587E6E8AC6F1863A.TMP 16384 bytes

    ---- EOF - GMER 1.0.15 ----


    DDS
    .
    DDS (Ver_2011-06-23.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385
    Run by Angel at 12:20:53 on 2011-06-25
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3895.2455 [GMT -4:00]
    .
    AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\LSI SoftModem\agr64svc.exe
    C:\windows\system32\svchost.exe -k apphost
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\windows\System32\svchost.exe -k HPZ12
    C:\windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\windows\system32\svchost.exe -k iissvcs
    C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\windows\system32\taskhost.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\windows\system32\igfxsrvc.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ltmoh\ltmoh.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    C:\windows\system32\svchost.exe -k HPService
    C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\windows\system32\igfxext.exe
    C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    C:\Program Files\TOSHIBA\rselect\RSelSvc.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\windows\system32\wuauclt.exe
    C:\windows\system32\svchost.exe -k SDRSVC
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\SSU.EXE
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\windows\system32\SearchProtocolHost.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\windows\system32\DllHost.exe
    C:\windows\system32\DllHost.exe
    C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\conhost.exe
    C:\windows\SysWOW64\cscript.exe
    C:\windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:52222
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    uRun: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
    mRun: [IAStorIcon] "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe"
    mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    mRun: [PeachtreePrefetcher.exe] "C:\PROGRA~2\Sage\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [AppleSyncNotifier] "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    dRunOnce: [FlashPlayerUpdate] C:\windows\SysWOW64\Macromed\Flash\FlashUtil10p_ActiveX.exe -update activex
    StartupFolder: C:\Users\Angel\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    Trusted Zone: woosterplace.com\mail
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
    TCP: Interfaces\{5C8CE652-7876-429E-A929-B44258BEB8F2} : DhcpNameServer = 192.168.1.1 71.250.0.12
    TCP: Interfaces\{5C8CE652-7876-429E-A929-B44258BEB8F2}\130364850313035313938333 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{5C8CE652-7876-429E-A929-B44258BEB8F2}\C696E6B6379737 : DhcpNameServer = 68.87.64.150 68.87.75.198
    TCP: Interfaces\{5C8CE652-7876-429E-A929-B44258BEB8F2}\D4162796A2 : DhcpNameServer = 192.168.2.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - C:\Program Files (x86)\Microsoft\Outlook Web Access SMIME Client\mimectl.dll
    mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\windows\system32\cmd.exe /D /C start C:\windows\system32\ie4uinit.exe -ClearIconCache
    BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO-X64: 0x1 - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
    mRun-x64: [IAStorIcon] "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe"
    mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    mRun-x64: [PeachtreePrefetcher.exe] "C:\PROGRA~2\Sage\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [AppleSyncNotifier] "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-6-1 13336]
    R2 psqlWGE;Pervasive PSQL Workgroup Engine;C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [2008-6-6 435496]
    R2 RSELSVC;TOSHIBA Modem region select service;C:\Program Files\TOSHIBA\rselect\RSelSvc.exe [2009-7-7 65904]
    R2 ssfmonm;ssfmonm;C:\windows\system32\DRIVERS\ssfmonm.sys --> C:\windows\system32\DRIVERS\ssfmonm.sys [?]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-6-1 2314240]
    R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;C:\Program Files (x86)\Webroot\Security\Current\plugins\antimalware\AEI.exe [2011-1-27 3899008]
    R2 WRConsumerService;Webroot Client Service;C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [2011-4-7 3251928]
    R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
    R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
    R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
    R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\system32\DRIVERS\rtl8192se.sys --> C:\windows\system32\DRIVERS\rtl8192se.sys [?]
    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-11-5 137560]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
    R3 WSDPrintDevice;WSD Print Support via UMB;C:\windows\system32\DRIVERS\WSDPrint.sys --> C:\windows\system32\DRIVERS\WSDPrint.sys [?]
    S1 vflt;Shrew Soft Lightweight Filter;C:\windows\system32\DRIVERS\vfilter.sys --> C:\windows\system32\DRIVERS\vfilter.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 HtcUsbMdmV64;HTC Proprietary USB Driver;C:\windows\system32\DRIVERS\HtcUsbMdmV64.sys --> C:\windows\system32\DRIVERS\HtcUsbMdmV64.sys [?]
    S3 HtcVCom32;HTC Diagnostic Port;C:\windows\system32\DRIVERS\HtcVComV64.sys --> C:\windows\system32\DRIVERS\HtcVComV64.sys [?]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;C:\Program Files (x86)\Sage\Peachtree\SmartPostingService2011.exe [2010-4-10 43848]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-6-1 222720]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
    S3 vnet;Shrew Soft Virtual Adapter;C:\windows\system32\DRIVERS\virtualnet.sys --> C:\windows\system32\DRIVERS\virtualnet.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-06-25 12:48:16 221184 --sha-w- C:\Users\Angel\AppData\Local\tclhg.dll
    2011-06-25 12:47:54 557056 ----a-w- C:\Users\Angel\AppData\Local\ksy.exe
    2011-06-25 04:29:47 -------- d-----w- C:\Program Files (x86)\ESET
    2011-06-22 21:09:37 98816 ----a-w- C:\windows\sed.exe
    2011-06-22 21:09:37 518144 ----a-w- C:\windows\SWREG.exe
    2011-06-22 21:09:37 256512 ----a-w- C:\windows\PEV.exe
    2011-06-22 21:09:37 208896 ----a-w- C:\windows\MBR.exe
    2011-06-22 21:09:28 -------- d-s---w- C:\ComboFix
    2011-06-18 01:35:50 404640 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-06-13 18:12:20 -------- d-----w- C:\windows\SysWow64\BestPractices
    2011-06-13 18:12:19 -------- d-----w- C:\windows\System32\BestPractices
    2011-06-13 18:12:19 -------- d-----w- C:\inetpub
    2011-06-13 17:30:08 -------- d-----w- C:\ProgramData\Pervasive Software
    2011-06-12 17:06:43 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-06-12 14:59:54 96598 ----a-w- C:\InformationalData.tmp
    2011-06-12 14:59:54 8927 ----a-w- C:\DetectionData.tmp
    .
    ==================== Find3M ====================
    .
    2011-05-29 13:11:30 39984 ----a-w- C:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 13:11:20 25912 ----a-w- C:\windows\System32\drivers\mbam.sys
    2011-05-24 16:14:51 0 ----a-w- C:\windows\SysWow64\ConduitEngine.tmp
    2011-04-06 20:26:58 96544 ----a-w- C:\windows\System32\dnssd.dll
    2011-04-06 20:26:58 69408 ----a-w- C:\windows\System32\jdns_sd.dll
    2011-04-06 20:26:58 237856 ----a-w- C:\windows\System32\dnssdX.dll
    2011-04-06 20:26:58 119584 ----a-w- C:\windows\System32\dns-sd.exe
    2011-04-06 20:20:16 91424 ----a-w- C:\windows\SysWow64\dnssd.dll
    2011-04-06 20:20:16 75040 ----a-w- C:\windows\SysWow64\jdns_sd.dll
    2011-04-06 20:20:16 197920 ----a-w- C:\windows\SysWow64\dnssdX.dll
    2011-04-06 20:20:16 107808 ----a-w- C:\windows\SysWow64\dns-sd.exe
    .
    ============= FINISH: 12:22:41.94 ===============

    Attach
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/7/2010 5:48:29 PM
    System Uptime: 6/25/2011 11:34:41 AM (1 hours ago)
    .
    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel(R) Core(TM) i3 CPU M 330 @ 2.13GHz | CPU | 917/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 281 GiB total, 234.76 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Officejet 6500 E709n
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Officejet 6500 E709n
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: Shrew Soft Lightweight Filter
    Device ID: ROOT\LEGACY_VFLT\0000
    Manufacturer:
    Name: Shrew Soft Lightweight Filter
    PNP Device ID: ROOT\LEGACY_VFLT\0000
    Service: vflt
    .
    ==== System Restore Points ===================
    .
    RP118: 6/22/2011 4:46:28 PM - ComboFix created restore point
    .
    ==== Installed Programs ======================
    .
    6500_E709_eDocs
    6500_E709_Help
    6500_E709n
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X
    Amazon MP3 Downloader 1.0.12
    Apple Application Support
    Apple Software Update
    Bejeweled 2 Deluxe
    Blackhawk Striker 2
    bpd_scan
    BPDSoftware
    BPDSoftware_Ini
    BufferChm
    Compatibility Pack for the 2007 Office system
    Crystal Reports 2008 Runtime SP1
    CzarLite
    Destinations
    DeviceDiscovery
    DocMgr
    DocProc
    ESET Online Scanner v3
    Faerie Solitaire
    FATE Undiscovered Realms
    Fax
    GPBaseService2
    HPDiagnosticAlert
    HPProductAssistant
    Intel(R) Control Center
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Components
    Intel(R) Rapid Storage Technology
    Java(TM) 6 Update 14
    Junk Mail filter update
    Label@Once 1.0
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft Choice Guard
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2010
    Microsoft Outlook Web Access S/MIME (2007)
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Monopoly
    MSVCRT
    New Penn Motor Express Section 7
    Peachtree Accounting 2011
    PeachTree Signature Ready Forms
    Pervasive PSQL v10 SP2 Workgroup (32-bit)
    Polar Bowler
    ProductContext
    QuickTime
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Realtek WLAN Driver
    Safari
    Sage Integration Services
    Sage Message Center
    Scan
    Scrabble Plus
    SolutionCenter
    Status
    Toolbox
    TOSHIBA Application Installer
    TOSHIBA Hardware Setup
    TOSHIBA HDD/SSD Alert
    TOSHIBA Internal Modem Region Select Utility
    TOSHIBA Quality Application
    TOSHIBA Value Added Package
    TOSHIBA Web Camera Application
    TrayApp
    Virtual Families
    Virtual Villagers - The Secret City
    WebReg
    Webroot Software
    WildTangent Games
    WildTangent ORB Game Console
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Writer
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/25/2011 11:36:11 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    6/25/2011 11:35:17 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: vflt
    6/22/2011 5:08:47 PM, Error: Service Control Manager [7034] - The hpqcxs08 service terminated unexpectedly. It has done this 1 time(s).
    6/22/2011 5:08:47 PM, Error: Service Control Manager [7034] - The HP CUE DeviceDiscovery Service service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
     
  20. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    Hi, I was finally able to get the combofix to fully finish! I did uninstall one more time and installed from the second link you posted. Below are the results. I'm now going to attempt to put the cfscript into combofix like you suggested above. This should take another 5 - 6 hrs but hopefully it will work this time!

    ComboFix 11-06-25.03 - Angel 06/25/2011 15:07:51.10.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3895.2326 [GMT -4:00]
    Running from: c:\users\Angel\Desktop\ComboFix.exe
    AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
    SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Angel\AppData\Local\ksy.exe
    c:\users\Angel\AppData\Local\tclhg.dll
    c:\windows\system32\Thumbs.db
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-25 to 2011-06-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-25 22:43 . 2011-06-25 22:43 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-25 22:43 . 2011-06-25 22:43 -------- d-----w- c:\users\Angel_2\AppData\Local\temp
    2011-06-25 18:59 . 2011-06-25 19:01 -------- d-----w- C:\32788R22FWJFW
    2011-06-25 04:29 . 2011-06-25 04:29 -------- d-----w- c:\program files (x86)\ESET
    2011-06-18 01:35 . 2011-06-18 01:35 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-06-13 18:39 . 2011-06-13 18:39 -------- d-----w- c:\program files (x86)\Reference Assemblies
    2011-06-13 18:39 . 2011-06-13 18:39 -------- d-----w- c:\program files (x86)\MSBuild
    2011-06-13 18:39 . 2011-06-13 18:39 -------- d-----w- c:\program files\Reference Assemblies
    2011-06-13 18:39 . 2011-06-13 18:39 -------- d-----w- c:\program files\MSBuild
    2011-06-13 18:12 . 2011-06-13 18:12 -------- d-----w- c:\windows\SysWow64\BestPractices
    2011-06-13 18:12 . 2011-06-13 18:12 -------- d-----w- c:\windows\system32\BestPractices
    2011-06-13 18:12 . 2011-06-13 18:12 -------- d-----w- C:\inetpub
    2011-06-13 17:30 . 2011-06-13 17:30 -------- d-----w- c:\programdata\Pervasive Software
    2011-06-12 14:59 . 2011-06-25 13:28 96598 ----a-w- C:\InformationalData.tmp
    2011-06-12 14:59 . 2011-06-25 13:28 8927 ----a-w- C:\DetectionData.tmp
    2011-06-10 14:02 . 2011-06-10 14:02 -------- d-----w- c:\users\Angel_2\AppData\Roaming\Apple Computer
    2011-06-10 14:02 . 2011-06-10 14:02 -------- d-----w- c:\users\Angel_2\AppData\Local\Apple Computer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 13:11 . 2011-03-04 17:56 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 13:11 . 2011-03-04 17:56 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-24 16:14 . 2011-05-24 16:14 0 ----a-w- c:\windows\SysWow64\ConduitEngine.tmp
    2011-04-06 20:26 . 2011-04-06 20:26 96544 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:26 . 2011-04-06 20:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 20:26 . 2011-04-06 20:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:26 . 2011-04-06 20:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\SysWow64\jdns_sd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\SysWow64\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
    2011-03-31 10:44 . 2011-03-31 10:44 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-03-31 10:44 . 2011-03-31 10:44 320512 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-03-31 10:44 . 2011-03-31 10:44 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2011-03-31 10:44 . 2011-03-31 10:44 1888256 ----a-w- c:\windows\system32\WMVDECOD.DLL
    2011-03-31 10:44 . 2011-03-31 10:44 1619456 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
    2011-03-31 10:44 . 2011-03-31 10:44 144384 ----a-w- c:\windows\system32\cdd.dll
    2011-03-31 10:44 . 2011-03-31 10:44 197120 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1837568 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-03-31 10:44 . 2011-03-31 10:44 902656 ----a-w- c:\windows\system32\d2d1.dll
    2011-03-31 10:44 . 2011-03-31 10:44 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
    2011-03-31 10:44 . 2011-03-31 10:44 662528 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-03-31 10:44 . 2011-03-31 10:44 470016 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-31 10:44 . 2011-03-31 10:44 283648 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
    2011-03-31 10:44 . 2011-03-31 10:44 229888 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1863680 ----a-w- c:\windows\system32\ExplorerFrame.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1540608 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1495040 ----a-w- c:\windows\SysWow64\ExplorerFrame.dll
    2011-03-31 10:44 . 2011-03-31 10:44 135168 ----a-w- c:\windows\SysWow64\XpsRasterService.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1133568 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
    2011-03-31 10:44 . 2011-03-31 10:44 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
    2011-03-31 10:44 . 2011-03-31 10:44 4068864 ----a-w- c:\windows\system32\mf.dll
    2011-03-31 10:44 . 2011-03-31 10:44 3181568 ----a-w- c:\windows\SysWow64\mf.dll
    2011-03-31 10:44 . 2011-03-31 10:44 257024 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-03-31 10:44 . 2011-03-31 10:44 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
    2011-03-31 10:44 . 2011-03-31 10:44 206848 ----a-w- c:\windows\system32\mfps.dll
    2011-03-31 10:44 . 2011-03-31 10:44 196608 ----a-w- c:\windows\SysWow64\mfreadwrite.dll
    2011-03-31 10:44 . 2011-03-31 10:44 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
    2011-03-31 10:44 . 2011-03-31 10:44 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]
    "TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-11-05 2446648]
    "PeachtreePrefetcher.exe"="c:\progra~2\Sage\PEACHT~1\PeachtreePrefetcher.exe" [2011-02-22 29512]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "WebrootTrayApp"="c:\program files (x86)\Webroot\Security\Current\Framework\WRTray.exe" [2011-04-07 1373208]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
    .
    c:\users\Angel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 270336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
    @="Service"
    .
    R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 HtcUsbMdmV64;HTC Proprietary USB Driver;c:\windows\system32\DRIVERS\HtcUsbMdmV64.sys [x]
    R3 HtcVCom32;HTC Diagnostic Port;c:\windows\system32\DRIVERS\HtcVComV64.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\program files (x86)\Sage\Peachtree\SmartPostingService2011.exe [2011-02-22 43848]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-01 222720]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]
    S2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [2010-04-10 435496]
    S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\rselect\RSelSvc.exe [2009-07-07 65904]
    S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [x]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
    S2 WRConsumerService;Webroot Client Service;c:\program files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [2011-04-07 3251928]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [x]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-11-05 137560]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
    2009-07-14 01:14 301568 ----a-w- c:\windows\System32\cmd.exe
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 166424]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 390168]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 408600]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-03 8312352]
    "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2008-09-25 195080]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-11-05 709976]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/?fr=fp-yie9
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:52222
    IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
    Trusted Zone: woosterplace.com\mail
    TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\SysWOW64\Macromed\Flash\FlashUtil10p_ActiveX.exe
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
    HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    "{7B13EC3E-999A-4B70-B9CB-2617B8323822}"=hex:51,66,7a,6c,4c,1d,38,12,50,ef,00,
    7f,a8,d7,1e,0e,c6,dd,65,57,bd,6c,7c,36
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
    eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
    "{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
    06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
    "{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
    07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
    1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
    "{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
    b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
    "{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
    df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
    "{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
    f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
    "{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
    fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
    "{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
    51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:ba,ad,0d,65,7c,f0,cb,01
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-06-25 18:47:15
    ComboFix-quarantined-files.txt 2011-06-25 22:47
    .
    Pre-Run: 252,662,996,992 bytes free
    Post-Run: 252,971,839,488 bytes free
    .
    - - End Of File - - 50F1866ED5921CFF0B6699840DE2FDF1
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please, you don't need to run the original script! I got the information I wanted in the other program I had you run. Give me time to look over the current Combofix log and if needed, I'll set up new script and you can try that.
     
  22. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    sorry about that. It was just that I I was getting pop-ups of the virus once again and not able to access the internet. Thank you
     
  23. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    Hi, I receive the virus again with the pop ups prompting me to buy their services. I have all of my work documents on this computer. Do you advise transferring all of my files to a storage unit and then another laptop? My fear is the virus may transfer over... Any help is greatly appreciated.
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is not the same malware. Please ignore these "scare" alerts and messages. The malware is generating them to try and scam you into clicking on their link. Until we find the leak in your security, cleaning the files won't help.

    Please tell me if you can access the internet at all- just tell me again if you did before.

    Security Check

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    =======================================
    If you can access the internet, please do the following:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [​IMG]on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [​IMG]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives/
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===================================
    If you still cannot access the internet, do you know if the Webroot AV has been updating? That's incoming and may be getting through.
     
  25. GoddessParis

    GoddessParis TS Rookie Topic Starter Posts: 18

    I tried to ignore them but I could not get into the internet or files if I did. I had to run the malware bytes and remove the infected files in order to get back into the internet. I'm able to get in now.

    checkup
    Results of screen317's Security Check version 0.99.17
    Windows 7 (UAC is enabled)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Enabled!
    ESET Online Scanner v3
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 14
    Out of date Java installed!
    Flash Player Out of Date!
    Adobe Flash Player 10.1.85.3
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````


    ESET
    C:\Qoobox\Quarantine\C\Users\Angel\AppData\Local\ksy.exe.vir a variant of Win32/Kryptik.PMC trojan
    C:\Qoobox\Quarantine\C\Users\Angel\AppData\Local\tclhg.dll.vir a variant of Win32/Kryptik.PMC trojan
    C:\Users\Angel\AppData\Local\Temp\jar_cache4233590384373449879.tmp a variant of Win32/Kryptik.POH trojan
    C:\Users\Angel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\5854bd4-644aec0a Java/Agent.CP trojan
    C:\Users\Angel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\68c15ced-15b8f09a Java/TrojanDownloader.OpenStream.NBN trojan
    C:\Users\Angel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\55e750b5-7aacef2d a variant of Win32/Kryptik.PMC trojan
    C:\Users\Angel\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\17dd8b7a-77a49954 a variant of Java/TrojanDownloader.OpenConnection.MU trojan
    C:\Users\Angel\Desktop\0.925177210809825.exe a variant of Win32/Kryptik.POH trojan
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...