TechSpot

Can't open .exe files and Google search results redirected

Inactive
By notoriousnick
Aug 11, 2011
  1. So when I try to open .exe files it brings up a window asking what program I want to use to open the file. This means I can't run Malwarebytes, HijackThis, etc. Also, when I use Google/Yahoo, clicking on a Google search result will redirect me to a spam site. Please help!
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! That leaves you in a bad place! Let's try and get around it:

    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately try to run the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool before posting a log and then post the two logs together (they will both be in the one file).

    Save the logs from the above and paste in your next reply. See if the programs will run now.
    ====================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  3. notoriousnick

    notoriousnick TS Rookie Topic Starter

    exeHelper by Raktor
    Build 20100414
    Run at 12:01:45 on 08/11/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    exeHelper by Raktor
    Build 20100414
    Run at 12:04:43 on 08/11/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Also, for future reference I am using Vista Basic. Also, I am able to run HijackThis when I run it as administrator. Here is the log from HijackThis.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:46:31 AM, on 8/11/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
    C:\Windows\System32\cmd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56343
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [MRT] "C:\Windows\system32\MRT.exe" /R
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [conhost] C:\Users\Nick\AppData\Roaming\Microsoft\conhost.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKLM\..\Policies\Explorer\Run: [Cvke] rundll32 "C:\Windows\system32\winrssrvt.dll",bygfn
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O13 - Gopher Prefix:
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, avgrsstx.dll
    O20 - Winlogon Notify: mujiano - C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Unknown owner - C:\Program Files\Jumpstart\jswpsapi.exe (file missing)
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: LVSrvLauncher - Unknown owner - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe (file missing)
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 9309 bytes
  4. notoriousnick
    Also, I realized that I never thanked you for your help, so thank you so much! I really appreciate your help.
  5. Bobbye
    You're welcome! Try the scans again first. When finished, go to next step.
    ==============================
    Show Hidden Folders/Files
    • Open My Computer.
      [*] Go to Tools > Folder Options.
      [*] Select the View tab.
      [*] Scroll down to Hidden files and folders.
      [*] Select Show hidden files and folders.
      [*] Uncheck Hide extensions of known file types.
      [*] Uncheck Hide protected operating system files (Recommended).
      [*] Click Yes when prompted.
      [*] Click OK.
      [*] Close My Computer.

    -----------------------------
    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: ( you only need one)
    VirusTotal
    Jotti

    • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

      Code:
      C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll

      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.

    Please go back to Folder Options and recheck 'don't show hidden files and folders' and recheck 'hide protected system files & folders (recommended)> Apply> OK.
    ============================
    Then do the following: But be warned that I tend to get grumpy when someone I'm helping runs a program I haven't instructed them to run! You have run an outdated version of HijackThis.

    Delete this version of HJT. Delete the log. Reboot the computer.

    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will then open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. Save that log.
    >>>> It will be used in the next step.
    -----------------------
    Please reopen HijackThis to 'Do a system scan only'. Check each of the following if present:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56343
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: mujiano - C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe


    Close all windows except HijackThis and click on "Fix Checked."
    ----------------------------------------
    Run this removal tool for AVG: AVG Remover:32bit
    ======================================
    Logs: Post logs if you have been able to run any of the scans.
    Post the HJT log after you have run the removals.
    No log for AVG Remover.
  6. notoriousnick
    When trying to open this file: C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll it says I don't have permission to open the file. I tried changing the file permission to give me full access, but it didn't work.
  7. notoriousnick
    What can I do so that I have permission to open the file? Thanks
  8. Bobbye
    Forget about this file. I'll remove it. Were you able to run any of the scans? If so, I need the logs.
  9. notoriousnick
    I couldn't run online scan.
    I ran hijackthis and removed the requested files.
    I ran avg remover and removed avg.
    Here is the scan from HijackThis, from before I removed the requested files:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:25:26 PM, on 8/12/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis\HijackThis.exe
    C:\Windows\system32\DllHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56343
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [MRT] "C:\Windows\system32\MRT.exe" /R
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [conhost] C:\Users\Nick\AppData\Roaming\Microsoft\conhost.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKLM\..\Policies\Explorer\Run: [Cvke] rundll32 "C:\Windows\system32\winrssrvt.dll",bygfn
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [1653478294] C:\Windows\system32\config\systemprofile\AppData\Local\yje.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, avgrsstx.dll
    O20 - Winlogon Notify: mujiano - C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll (file missing)
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Unknown owner - C:\Program Files\Jumpstart\jswpsapi.exe (file missing)
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: LVSrvLauncher - Unknown owner - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe (file missing)
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 8972 bytes

    Also, while I've got you, Malwarebytes keeps stopping a process from running called backdoorbot, file location: C:\Windows\system\svchost.exe.

    I didn't run a scan with it, the warning just popped up.
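    The entries the helper singled out in the logs above (the ProxyServer pointing at 127.0.0.1, the Winlogon Notify DLL under the SYSTEM profile, the rundll32 value in Policies\Explorer\Run, the conhost.exe copy in AppData, the numerically named Run value) share a few recognisable patterns. The Python script below is an added example, not part of this thread or of HijackThis: it applies those patterns as triage heuristics to lines copied from the two logs posted above, plus one constructed O4 line (the [svchost] entry) modelled on the C:\Windows\system\svchost.exe path Malwarebytes flagged. The severity labels and the list of borrowed system binary names are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Entries copied from the two HijackThis logs posted in this thread. The
# "[svchost]" O4 line is constructed for the example; everything else is
# verbatim from the logs.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56343
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [conhost] C:\Users\Nick\AppData\Roaming\Microsoft\conhost.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [Cvke] rundll32 "C:\Windows\system32\winrssrvt.dll",bygfn
O4 - HKUS\S-1-5-18\..\Run: [1653478294] C:\Windows\system32\config\systemprofile\AppData\Local\yje.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [svchost] C:\Windows\system\svchost.exe
O20 - Winlogon Notify: mujiano - C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Names of Windows binaries that malware likes to borrow (my own short list);
# a copy of one of these running from anywhere but C:\Windows\system32
# deserves a close look.
SYSTEM_BINARY_NAMES = {"conhost.exe", "svchost.exe", "explorer.exe",
                       "userinit.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# First drive-letter path ending in an executable or library extension.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)
NAME_RE = re.compile(r"\[([^\]]+)\]")  # the [value name] of an O4 entry


@dataclass
class Finding:
    entry: str
    reason: str


def extract_path(entry: str) -> Optional[str]:
    """Return the first executable/DLL path in a HijackThis entry, if any."""
    m = PATH_RE.search(entry)
    return m.group(1) if m else None


def in_profile_dir(path: str) -> bool:
    """True for locations a user-level process can write to: AppData, C:\\Users,
    and the SYSTEM account's own profile under system32\\config\\systemprofile."""
    p = path.lower()
    return ("\\appdata\\" in p or "\\config\\systemprofile\\" in p
            or p.startswith("c:\\users\\"))


def triage_entry(entry: str) -> list[str]:
    """Apply the heuristics to one log line; returns zero or more reasons."""
    e = entry.strip()
    if not e:
        return []
    kind = e.split(" - ", 1)[0]          # R1, O2, O4, O20, O23, ...
    low = e.lower()
    path = extract_path(e)
    reasons: list[str] = []

    if kind == "R1" and "proxyserver" in low and re.search(r"127\.0\.0\.1|localhost", low):
        reasons.append("HIGH: IE proxy points at a port on this machine; a local "
                       "proxy process can rewrite search-result clicks")
    if kind == "O2" and low.endswith("(no file)"):
        reasons.append("LOW: orphaned BHO, its DLL is gone; clean up but not the cause")
    if kind == "O4":
        name_m = NAME_RE.search(e)
        name = name_m.group(1) if name_m else ""
        if name.isdigit():
            reasons.append("HIGH: autorun value named with a random number")
        if "policies\\explorer\\run" in low and "rundll32" in low:
            reasons.append("HIGH: rundll32 launched from Policies\\Explorer\\Run, "
                           "a key legitimate software almost never uses")
        if path:
            base = path.rsplit("\\", 1)[-1].lower()
            if base in SYSTEM_BINARY_NAMES and not path.lower().startswith("c:\\windows\\system32\\"):
                reasons.append(f"HIGH: {base} is a Windows system binary name "
                               "but runs from outside system32")
            elif in_profile_dir(path):
                reasons.append("REVIEW: autorun from a profile directory (per-user "
                               "updaters such as Google Update do this legitimately)")
    if kind == "O20" and "winlogon notify" in low and path and in_profile_dir(path):
        reasons.append("HIGH: Winlogon Notify DLL loaded from a profile directory "
                       "instead of system32")
    return reasons


def triage_log(log_text: str) -> list[Finding]:
    """Run triage_entry over every line of a pasted HijackThis log."""
    return [Finding(line.strip(), r)
            for line in log_text.splitlines()
            for r in triage_entry(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.entry}")
```

On the sample above the script raises nine findings: six HIGH, two REVIEW (the Google Update line is the expected false positive) and one LOW; the Java and Malwarebytes entries pass clean.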
  10. Bobbye
    So you're getting Backdoor.bot stopping Mbam? That is not a good thing. And you can't ID the process in the first Virscan. You do have online access, right?

    If so, let's try this:
    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org free on-line scan service
    • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:

      c:\windows\system32\userinit.exe

      c:\windows\explorer.exe

      c:\windows\system32\svchost.exe


    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    =========================================
    It doesn't look like you replaced it with one of the other AV indicated at the end of the App Remover. It looks like McAfee is only being used as a Site Advisor; is that correct? You need to have some AV protection on the system.

    So far I have nothing but HJT logs and that's not enough to work with. Here is the full preliminary list of steps:

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Can you do any of this?
    I'd also like to run an online virus scan- see if you can do that:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===========================================
    If you have malware such as Ramnit, Sality or Virus, there is no point in going on as they are not curable and I would then recommend a reformat/reinstall.
  11. notoriousnick
    part 1

    Avira was run, and removed 2 threats.

    -------------------------------------

    The option to rescan wasn't available for the first file, but it was for the second two. So the second two were rescanned.

    VirSCAN.org Scanned Report :
    Scanned time : 2008/11/22 15:14:37 (CST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 25088 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 0e135526e9785d085bcd9aede6fbcbf9
    SHA1 : d15244d41efddbab08d53fe032aedff39091d3af
    Online report : http://r.virscan.org/ffba0ea65ad66c031826c60a3d422b2d

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.0.0.26 20081122063100 2008-11-22 4.20 -
    AhnLab V3 2008.11.22.00 2008.11.22 2008-11-22 1.04 -
    AntiVir 7.9.0.35 7.1.0.122 2008-11-21 1.55 -
    Antiy 2.0.18 20081122.1722967 2008-11-22 0.12 -
    Arcavir 1.0.5 200811211356 2008-11-21 1.22 -
    Authentium 5.1.1 200811212255 2008-11-21 1.09 -
    AVAST! 3.0.1 081121-0 2008-11-21 0.01 -
    AVG 7.5.52.442 270.9.9/1804 2008-11-21 1.73 -
    BitDefender 7.81008.2247023 7.22006 2008-11-22 2.06 -
    CA (VET) 9.0.0.143 31.6.6222 2008-11-22 5.37 -
    ClamAV 0.94.1 8661 2008-11-21 0.01 -
    Comodo 2.11 2.0.0.712 2008-11-20 0.39 -
    CP Secure 1.1.0.715 2008.11.22 2008-11-22 6.42 -
    Dr.Web 4.44.0.9170 2008.11.22 2008-11-22 3.56 -
    ewido 4.0.0.2 2008.11.21 2008-11-21 6.75 -
    F-Prot 4.4.4.56 20081121 2008-11-21 1.08 -
    F-Secure 5.51.6100 2008.11.22.02 2008-11-22 0.04 -
    Fortinet 2.81-3.117 9.731 2008-11-21 0.34 -
    GData 19.1621/19.116 20081122 2008-11-22 3.48 -
    ViRobot 20081121 2008.11.21 2008-11-21 0.41 -
    Ikarus T3.1.01.45 2008.11.22.71896 2008-11-22 3.94 -
    JiangMin 11.0.706 2008.11.22 2008-11-22 1.39 -
    Kaspersky 5.5.10 2008.11.22 2008-11-22 0.04 -
    KingSoft 2008.9.8.18 2008.11.22.15 2008-11-22 0.79 -
    McAfee 5.3.00 5441 2008-11-21 2.53 -
    Microsoft 1.4104 2008.11.21 2008-11-21 5.77 -
    mks_vir 2.01 2008.11.17 2008-11-17 2.69 -
    Norman 5.93.01 5.93.00 2008-11-21 5.71 -
    Panda 9.05.01 2008.11.21 2008-11-21 2.96 -
    Trend Micro 8.700-1004 5.670.01 2008-11-21 0.03 -
    Quick Heal 10.00 2008.11.21 2008-11-21 0.85 -
    Rising 20.0 21.04.50.00 2008-11-22 0.78 -
    Sophos 2.80.0 4.35 2008-11-22 2.03 -
    Sunbelt 4474 4474 2008-11-04 0.50 -
    Symantec 1.3.0.24 20081121.003 2008-11-21 2.02 -
    nProtect 2008-11-21.03 2625860 2008-11-21 3.10 -
    The Hacker 6.3.1.1 v00159 2008-11-19 0.45 -
    VBA32 3.12.8.9 20081121.1440 2008-11-21 1.45 -
    VirusBuster 4.5.11.10 10.94.1/715510 2008-11-21 0.93 -



    -----------------------------


    VirSCAN.org Scanned Report :
    Scanned time : 2011/08/14 03:01:34 (CST)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 2926592 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : d07d4c3038f3578ffce1c0237f2a1253
    SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a
    Online report : http://r.virscan.org/44f45cc1ce2d5deca4c891d776784e6e

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.3 20110812180754 2011-08-12 0.36 -
    AhnLab V3 2011.08.14.00 2011.08.14 2011-08-14 1.96 -
    AntiVir 8.2.6.30 7.11.13.37 2011-08-12 0.30 -
    Antiy 2.0.18 20110804.11725727 2011-08-04 0.02 -
    Arcavir 2011 201107140423 2011-07-14 0.06 -
    Authentium 5.1.1 201108130656 2011-08-13 1.54 -
    AVAST! 4.7.4 110813-0 2011-08-13 0.14 -
    AVG 8.5.850 271.1.1/3831 2011-08-13 0.25 -
    BitDefender 7.90123.8924128 7.38594 2011-08-14 4.32 -
    ClamAV 0.97.1 13434 2011-08-13 0.36 -
    Comodo 5.1 9732 2011-08-13 1.85 -
    CP Secure 1.3.0.5 2011.08.13 2011-08-13 0.47 -
    Dr.Web 5.0.2.3300 2011.07.23 2011-07-23 13.19 -
    F-Prot 4.6.2.117 20110813 2011-08-13 0.78 -
    F-Secure 7.02.73807 2011.08.12.14 2011-08-12 0.25 -
    Fortinet 4.2.257 13.539 2011-08-13 0.51 -
    GData 22.1614 20110814 2011-08-14 0.11 -
    ViRobot 20110813 2011.08.13 2011-08-13 0.37 -
    Ikarus T3.1.32.20.0 2011.08.13.79075 2011-08-13 4.96 -
    JiangMin 13.0.900 2011.08.13 2011-08-13 1.81 -
    Kaspersky 5.5.10 2011.08.13 2011-08-13 0.12 -
    KingSoft 2009.2.5.15 2011.8.13.12 2011-08-13 0.86 -
    McAfee 5400.1158 6437 2011-08-13 9.44 -
    Microsoft 1.7104 2011.08.13 2011-08-13 3.78 -
    NOD32 3.0.21 6363 2011-08-09 0.22 -
    Norman 6.07.10 6.07.00 2011-08-13 12.02 -
    Panda 9.05.01 2011.08.12 2011-08-12 4.88 -
    Trend Micro 9.200-1012 8.352.04 2011-08-13 0.04 -
    Quick Heal 11.00 2011.08.13 2011-08-13 1.94 -
    Rising 20.0 23.70.04.03 2011-08-12 2.56 -
    Sophos 3.22.0 4.68 2011-08-13 3.73 -
    Sunbelt 3.9.2497.2 10150 2011-08-12 0.74 -
    Symantec 1.3.0.24 20110812.004 2011-08-12 0.19 -
    nProtect 20110803.04 12178473 2011-08-03 1.15 -
    The Hacker 6.7.0.1 v00276 2011-08-12 0.51 -
    VBA32 3.12.16.4 20110813.0829 2011-08-13 3.97 -
    VirusBuster 5.3.0.4 14.0.167.0/5859475 2011-08-13 0.00 -



    -------------------------

    VirSCAN.org Scanned Report :
    Scanned time : 2011/08/14 03:06:16 (CST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 21504 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 3794b461c45882e06856f282eef025af
    SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
    Online report : http://r.virscan.org/694c8d9f534f89ba5fd0a851bb42ee63

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.3 20110812180754 2011-08-12 0.33 -
    AhnLab V3 2011.08.14.00 2011.08.14 2011-08-14 1.73 -
    AntiVir 8.2.6.30 7.11.13.37 2011-08-12 0.56 -
    Antiy 2.0.18 20110804.11725727 2011-08-04 0.02 -
    Arcavir 2011 201107140423 2011-07-14 0.03 -
    Authentium 5.1.1 201108130656 2011-08-13 2.29 -
    AVAST! 4.7.4 110813-0 2011-08-13 0.01 -
    AVG 8.5.850 271.1.1/3831 2011-08-13 0.93 -
    BitDefender 7.90123.8924128 7.38594 2011-08-14 4.86 -
    ClamAV 0.97.1 13434 2011-08-13 0.01 -
    Comodo 5.1 9732 2011-08-13 1.77 -
    CP Secure 1.3.0.5 2011.08.13 2011-08-13 0.04 -
    Dr.Web 5.0.2.3300 2011.07.23 2011-07-23 13.30 -
    F-Prot 4.6.2.117 20110813 2011-08-13 0.80 -
    F-Secure 7.02.73807 2011.08.12.14 2011-08-12 0.19 -
    Fortinet 4.2.257 13.539 2011-08-13 0.20 -
    GData 22.1614 20110814 2011-08-14 0.11 -
    ViRobot 20110813 2011.08.13 2011-08-13 0.37 -
    Ikarus T3.1.32.20.0 2011.08.13.79075 2011-08-13 5.04 -
    JiangMin 13.0.900 2011.08.13 2011-08-13 1.53 -
    Kaspersky 5.5.10 2011.08.13 2011-08-13 0.11 -
    KingSoft 2009.2.5.15 2011.8.13.12 2011-08-13 0.82 -
    McAfee 5400.1158 6437 2011-08-13 10.04 -
    Microsoft 1.7104 2011.08.13 2011-08-13 4.39 -
    NOD32 3.0.21 6363 2011-08-09 0.01 -
    Norman 6.07.10 6.07.00 2011-08-13 14.02 -
    Panda 9.05.01 2011.08.12 2011-08-12 4.58 -
    Trend Micro 9.200-1012 8.352.04 2011-08-13 0.04 -
    Quick Heal 11.00 2011.08.13 2011-08-13 1.34 -
    Rising 20.0 23.70.04.03 2011-08-12 2.22 -
    Sophos 3.22.0 4.68 2011-08-13 3.89 -
    Sunbelt 3.9.2497.2 10150 2011-08-12 0.80 -
    Symantec 1.3.0.24 20110812.004 2011-08-12 0.08 -
    nProtect 20110803.04 12178473 2011-08-03 1.16 -
    The Hacker 6.7.0.1 v00276 2011-08-12 0.47 -
    VBA32 3.12.16.4 20110813.0829 2011-08-13 4.29 -
    VirusBuster 5.3.0.4 14.0.167.0/5859475 2011-08-13 0.00 -


    ----------------------


    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7465

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421

    8/14/2011 12:52:06 PM
    mbam-log-2011-08-14 (12-52-06).txt

    Scan type: Quick scan
    Objects scanned: 188691
    Time elapsed: 22 minute(s), 56 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    c:\Windows\system\svchost.exe (Backdoor.Bot) -> 4812 -> Failed to unload process.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\system\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


    -----------------------------



    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-14 13:03:34
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD16 rev.11.0
    Running: og89d5k6.exe; Driver: C:\Users\Nick\AppData\Local\Temp\pwldqpow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    -------------------------------

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by Nick at 13:07:06 on 2011-08-14
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.783 [GMT -4:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
    SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k termfsc
    C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
    C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
    C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system\svchost.exe -k NetworkService
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page =
    uStart Page = hxxp://google.com/
    uSearch Bar =
    mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [conhost] c:\users\nick\appdata\roaming\microsoft\conhost.exe
    uRun: [Google Update] "c:\users\nick\appdata\local\google\update\GoogleUpdate.exe" /c
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [cfFncEnabler.exe] cfFncEnabler.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Skytel] Skytel.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [MRT] "c:\windows\system32\MRT.exe" /R
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    dRun: [1653478294] c:\windows\system32\config\systemprofile\appdata\local\yje.exe
    mExplorerRun: [Cvke] rundll32
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    dPolicies-explorer: HideSCAHealth = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{8759A705-0244-4C76-8348-39B7AE2DC4DC} : DhcpNameServer = 192.168.0.1
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: igfxcui - igfxdev.dll
    Notify: mujiano - c:\windows\system32\config\systemprofile\appdata\local\mujiano.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\nick\appdata\roaming\mozilla\firefox\profiles\6633dest.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 56343
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\picasa2\npPicasa3.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\nick\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-17 64288]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
    R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-12-23 20384]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-13 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-13 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-13 66616]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-8 366640]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-20 88176]
    R2 TermServices;Remote Desktop Services;c:\windows\system32\svchost.exe -k termfsc [2008-1-20 21504]
    R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-9-30 46392]
    R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-9-30 7168]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-8 22712]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 135664]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 2151640]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 135664]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe --> c:\program files\jumpstart\jswpsapi.exe [?]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15232]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-8 41272]
    S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-9-30 9216]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2011-08-14 16:58:50 7680 ----a-w- c:\windows\system\svchost.exe
    2011-08-13 20:38:19 -------- d-----w- c:\users\nick\appdata\roaming\Avira
    2011-08-13 20:23:35 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-08-13 20:23:32 -------- d-----w- c:\programdata\Avira
    2011-08-13 20:23:32 -------- d-----w- c:\program files\Avira
    2011-08-13 01:23:30 -------- d-----w- C:\HijackThis
    2011-08-10 01:51:07 -------- d-----w- C:\Hostsxpert
    2011-08-10 01:37:07 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-08-10 01:37:05 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-08-10 01:36:49 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-08-10 01:35:31 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-08-10 01:35:31 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-08-10 01:34:53 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-08-09 15:13:52 218624 ----a-w- c:\windows\system32\terdsw32.dll
    2011-08-09 03:10:00 -------- d-----w- c:\users\nick\appdata\roaming\Malwarebytes
    2011-08-09 03:09:56 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-09 03:09:55 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-09 03:09:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-09 03:09:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-06 00:05:59 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{716400d7-366a-4fb4-8f93-8c2adec73639}\mpengine.dll
    2011-07-20 20:08:47 466944 ----a-w- c:\program files\mozilla firefox\plugins\NPcol400.dll
    2011-07-20 20:08:45 -------- d-----w- c:\users\nick\appdata\roaming\Catalina Marketing Corp
    2011-07-20 20:08:42 489672 ----a-w- c:\users\nick\appdata\roaming\microsoft\windows\start menu\programs\catalina marketing corp\UninstallCouponActivator.exe
    2011-07-19 18:36:00 -------- d-----w- c:\programdata\HP Photo Creations
    2011-07-19 18:36:00 -------- d-----w- c:\program files\HP Photo Creations
    2011-07-19 18:35:45 -------- d-----w- c:\program files\Coupons
    2011-07-19 18:34:43 -------- d-----w- c:\users\nick\appdata\roaming\HpUpdate
    2011-07-19 18:30:58 -------- d-----w- c:\program files\HP
    2011-07-19 18:30:19 -------- d-----w- c:\users\nick\appdata\local\HP
    .
    ==================== Find3M ====================
    .
    2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
    2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
    2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-06-30 07:32:27 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-22 00:07:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-03 02:34:50 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-06-02 13:34:49 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 13:09:07.36 ===============


    ---------------------------
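The DDS log above carries several of the indicators a responder keys on before any tool names a family: a second svchost.exe running from c:\Windows\system rather than system32 (the same file Malwarebytes flagged as Backdoor.Bot and could not unload), a conhost.exe Run value under the user's roaming AppData, a yje.exe Run value and a Winlogon Notify DLL under the LocalSystem profile's AppData, an Explorer Run value that is just "rundll32" with no DLL, and Firefox prefs forcing all HTTP through a proxy on 127.0.0.1:56343, which is one common way a local implant rewrites search results. The Python script below is an added example for this thread; it is not code from DDS, GMER, Malwarebytes or TechSpot. It applies those path and proxy heuristics to DDS-style lines. The sample input is a set of lines excerpted from the log posted above; the allow-list of system-binary locations, the "nothing legitimate lives under systemprofile\appdata" rule and the other thresholds are my assumptions, tuned for 32-bit Vista/7 logs, and a hit means "look closer", not "malware".

```python
"""Heuristic triage of DDS 'Running Processes' and 'Pseudo HJT Report' lines.

Added example for this thread; not code from DDS, GMER, Malwarebytes or TechSpot.
The rules below are assumptions a responder would tune, not a detection standard.
"""
import re
from typing import Dict, List, Optional

# Where each core Windows binary legitimately lives on a 32-bit Vista/7 system
# (assumption: single-drive C: install; WOW64/sysnative paths not considered).
SYSTEM_BINARY_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "conhost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample: lines excerpted from the DDS log posted above.
SAMPLE_DDS = r"""
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
C:\Windows\system\svchost.exe -k NetworkService
uRun: [conhost] c:\users\nick\appdata\roaming\microsoft\conhost.exe
uRun: [Google Update] "c:\users\nick\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [1653478294] c:\windows\system32\config\systemprofile\appdata\local\yje.exe
mExplorerRun: [Cvke] rundll32
Notify: igfxcui - igfxdev.dll
Notify: mujiano - c:\windows\system32\config\systemprofile\appdata\local\mujiano.dll
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56343
FF - prefs.js: network.proxy.type - 1
"""

# A quoted path, or an unquoted one ending in a binary extension.
PATH_RE = re.compile(r'"([^"]+)"|([a-z]:\\.*?\.(?:exe|dll|scr))', re.I)
AUTORUN_RE = re.compile(r"^([umd]Run|mExplorerRun):\s+\[[^\]]*\]\s*(.*)$")
NOTIFY_RE = re.compile(r"^Notify:\s+\S+\s+-\s+(.*)$")
FFPREF_RE = re.compile(r"^FF - prefs\.js:\s+(\S+)\s+-\s+(.*)$")


def extract_path(command: str) -> Optional[str]:
    """Return the first binary path in a command line, lower-cased, or None."""
    m = PATH_RE.search(command)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip().lower()


def check_path(path: str) -> List[str]:
    """Path rules shared by process entries, Run values and Notify DLLs."""
    findings: List[str] = []
    directory, _, name = path.rpartition("\\")
    home = SYSTEM_BINARY_HOME.get(name)
    if home and directory != home:
        findings.append(f"'{name}' located in {directory} instead of {home}")
    # Assumption: no legitimate software stores binaries in the LocalSystem
    # profile's AppData; malware running as SYSTEM frequently does.
    if "\\config\\systemprofile\\appdata\\" in path:
        findings.append("binary stored under the LocalSystem profile's AppData")
    return findings


def triage(dds_text: str) -> List[str]:
    """Return 'reason | offending line' strings for every rule that fires."""
    findings: List[str] = []
    ff_prefs: Dict[str, str] = {}
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"[a-z]:\\", line, re.I):          # Running Processes entry
            path = extract_path(line)
            if path:
                findings += [f"{f} | {line}" for f in check_path(path)]
            continue
        m = AUTORUN_RE.match(line)
        if m:
            cmd = m.group(2).strip()
            if cmd.lower() in ("rundll32", "rundll32.exe"):
                findings.append(f"rundll32 Run value with no DLL argument | {line}")
            path = extract_path(cmd)
            if path:
                findings += [f"{f} | {line}" for f in check_path(path)]
            continue
        m = NOTIFY_RE.match(line)
        if m:
            path = extract_path(m.group(1))
            if path:                                   # bare names resolve from system32
                if path.rpartition("\\")[0] != "c:\\windows\\system32":
                    findings.append(f"Winlogon Notify DLL outside system32 | {line}")
                findings += [f"{f} | {line}" for f in check_path(path)]
            continue
        m = FFPREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()
    # Manual proxy (type 1) aimed at loopback: a local process sits between
    # the browser and every HTTP request, the classic search-redirect setup.
    if (ff_prefs.get("network.proxy.type") == "1"
            and ff_prefs.get("network.proxy.http") in ("127.0.0.1", "localhost")):
        port = ff_prefs.get("network.proxy.http_port", "?")
        findings.append(f"Firefox forced through a loopback HTTP proxy on port {port} | prefs.js")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Run against the sample it reports seven hits: the system\svchost.exe process, the AppData conhost.exe, the systemprofile yje.exe, the bare rundll32 value, two for the mujiano.dll Notify entry, and the loopback proxy. Note what it does not flag: the Google Update entry also lives under AppData\Local, but its name impersonates no Windows binary and it is not in the systemprofile tree, so a plain "anything in AppData is bad" rule would have produced a false positive here. Nothing in this script addresses the TDL4 MBR hit from GMER; that is a boot-sector problem and needs a dedicated tool or a rebuilt MBR, which is exactly why the helper's warning about non-curable infections matters.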
     
  12. notoriousnick

    notoriousnick TS Rookie Topic Starter

    part 2

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/23/2008 1:43:29 AM
    System Uptime: 8/14/2011 12:54:09 PM (1 hours ago)
    .
    Motherboard: TOSHIBA | | Portable PC
    Processor: Genuine Intel(R) CPU 585 @ 2.16GHz | CPU | 1080/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 140 GiB total, 76.673 GiB free.
    D: is CDROM (UDF)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    2007 Microsoft Office system
    Acrobat.com
    Ad-Aware
    Ad-Aware Email Scanner for Outlook
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.5
    Any Video Converter 3.1.7
    Apple Software Update
    Atheros Driver Installation Program
    Atheros Wi-Fi Protected Setup Library
    Avira AntiVir Personal - Free Antivirus
    CD/DVD Drive Acoustic Silencer
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Citrix online plug-in - web
    Citrix online plug-in (DV)
    Citrix online plug-in (HDX)
    Citrix online plug-in (USB)
    Citrix online plug-in (Web)
    Coupon Printer for Windows
    DVD MovieFactory for TOSHIBA
    Google Chrome
    Google Earth
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Deskjet 1000 J110 series Basic Device Software
    HP Deskjet 1000 J110 series Help
    HP Deskjet 1000 J110 series Product Improvement Study
    HP Photo Creations
    HP Update
    InfraRecorder
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    Java Auto Updater
    Java(TM) 6 Update 26
    Java(TM) 6 Update 6
    Logitech Audio Echo Cancellation Component
    Logitech Video Enumerator
    Malwarebytes' Anti-Malware version 1.51.1.1800
    McAfee SiteAdvisor
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft XML Parser
    mIRC
    Mozilla Firefox (3.6.16)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OpenOffice.org 3.1
    Picasa 3
    PrimoPDF -- by Nitro PDF Software
    QuickBooks Financial Center
    QuickTime
    RealPlayer
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    RealUpgrade 1.0
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Media Encoder (KB2447961)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    SimCity™ Societies
    Spelling Dictionaries Support For Adobe Reader 9
    Switch Sound File Converter
    Synaptics Pointing Device Driver
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Desktop Links
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Hardware Setup
    TOSHIBA Recovery Disc Creator
    Toshiba Registration
    TOSHIBA Service Station
    TOSHIBA Software Modem
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    UMVPLStandalone
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2586924)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WildTangent Games
    Windows Media Encoder 9 Series
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Detect
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/9/2011 9:32:45 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume SQ004890V03.
    8/9/2011 11:13:53 AM, Error: Service Control Manager [7030] - The Remote Desktop Services service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    8/9/2011 11:08:22 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/9/2011 11:08:21 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    8/9/2011 11:06:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    8/9/2011 11:03:14 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: voynu
    8/9/2011 11:00:13 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Modules Installer service to connect.
    8/9/2011 11:00:13 AM, Error: Service Control Manager [7000] - The Windows Modules Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/9/2011 11:00:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service TrustedInstaller with arguments "" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
    8/8/2011 8:35:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
    8/8/2011 8:16:20 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Spooler service.
    8/8/2011 8:12:02 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/8/2011 7:19:42 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX ctxusbm DfsC jswpslwf NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    8/8/2011 7:19:34 PM, Error: EventLog [6008] - The previous system shutdown at 7:18:07 PM on 8/8/2011 was unexpected.
    8/8/2011 7:11:28 PM, Error: EventLog [6008] - The previous system shutdown at 7:10:07 PM on 8/8/2011 was unexpected.
    8/8/2011 5:32:13 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SENS service.
    8/8/2011 2:42:29 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
    8/8/2011 11:55:29 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} to the user Nick-PC\Nick SID (S-1-5-21-71685524-1126486158-3962871672-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    8/8/2011 11:54:33 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user Nick-PC\Nick SID (S-1-5-21-71685524-1126486158-3962871672-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    8/8/2011 11:39:06 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
    8/8/2011 11:37:13 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    8/8/2011 11:03:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    8/8/2011 10:49:26 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
    8/8/2011 10:49:11 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 ctxusbm spldr Wanarpv6
    8/8/2011 10:49:01 PM, Error: EventLog [6008] - The previous system shutdown at 10:37:59 PM on 8/8/2011 was unexpected.
    8/14/2011 7:47:51 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    8/14/2011 7:22:29 AM, Error: EventLog [6008] - The previous system shutdown at 7:20:20 AM on 8/14/2011 was unexpected.
    8/14/2011 7:20:28 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    8/14/2011 12:56:21 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ceangn voynu
    8/14/2011 12:56:09 PM, Error: Service Control Manager [7000] - The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.
    8/14/2011 12:56:09 PM, Error: Service Control Manager [7000] - The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.
    8/14/2011 12:14:23 PM, Error: EventLog [6008] - The previous system shutdown at 12:13:03 PM on 8/14/2011 was unexpected.
    8/13/2011 8:03:25 AM, Error: EventLog [6008] - The previous system shutdown at 8:01:25 AM on 8/13/2011 was unexpected.
    8/13/2011 6:11:48 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
    8/13/2011 6:11:42 PM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    8/13/2011 6:11:42 PM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    8/13/2011 4:38:51 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/13/2011 4:38:50 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
    8/13/2011 2:46:14 PM, Error: EventLog [6008] - The previous system shutdown at 2:43:59 PM on 8/13/2011 was unexpected.
    8/12/2011 12:51:56 AM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {D21ED08F-6B88-45EC-A71C-6BD453B561D0}. The error: "740" Happened while starting this command: "C:\Windows\system32\Adobe\Director\SwDnld.exe" -Embedding
    8/12/2011 10:11:47 PM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
    8/12/2011 10:11:47 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    8/12/2011 10:11:47 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/12/2011 10:11:47 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    8/11/2011 10:39:17 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2011 10:39:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    8/11/2011 10:38:23 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    8/11/2011 10:37:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    8/11/2011 10:37:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    8/11/2011 10:37:45 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/11/2011 10:37:37 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX ceangn ctxusbm DfsC jswpslwf NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx voynu Wanarpv6
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2011 1:40:36 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
    .
    ==== End Of File ===========================


    ----------------------------


    Here are the results of the Eset Scan:

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif a variant of Java/TrojanDownloader.OpenStream.NAZ trojan
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    For the Eset entry:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ======================================
    Uninstall this outdated version of Java: Java(TM) 6 Update 6. You have the current version, but the old program is a vulnerability. When that uninstall is finished:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on the Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on the Temporary Files Settings window.
    Images courtesy java.com
    =============================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it, then download the current version and do the scan. Uninstall directions, if needed:
    • Click START > then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open in a text window. Please paste the contents of C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
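    The OTMoveIt script above moves each listed path into a dated folder under C:\_OTMoveIt\MovedFiles and writes a log. As an added example (not OTMoveIt, ComboFix, or any tool from this thread), the PowerShell script below does the same kind of quarantine-and-log step for a list of flagged paths: it records size and SHA-256 before moving (so the log doubles as evidence), keeps the original drive-relative path under the quarantine folder, reports "not found" instead of failing, and flags locked files, which is the case where OTMoveIt asks for a reboot to finish the move. The first path is the one ESET reported in this thread; the second is a constructed placeholder, and C:\_Quarantine is an assumed location. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt.

```powershell
# Added example, not code from this thread. Quarantine flagged files rather than
# deleting them, so they can be examined or restored, and log what happened.
param(
    [string[]]$Paths = @(
        'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif',
        'C:\Users\Public\sample-flagged.tmp'   # constructed placeholder path
    ),
    [string]$QuarantineRoot = 'C:\_Quarantine'  # assumption: quarantine folder
)

$stamp   = Get-Date -Format 'MMddyyyy_HHmmss'
$destDir = Join-Path $QuarantineRoot $stamp
$logFile = Join-Path $QuarantineRoot "$stamp.log"
New-Item -ItemType Directory -Path $destDir -Force | Out-Null

function Write-Log([string]$Message) {
    # Echo to the console and append to the run log.
    "$(Get-Date -Format s)  $Message" | Tee-Object -FilePath $logFile -Append
}

Write-Log "Quarantine run started by $env:USERNAME on $env:COMPUTERNAME"

foreach ($p in $Paths) {
    # Forum wrapping can insert a space before a backslash in long paths; strip it.
    $clean = $p -replace '\s+\\', '\'

    if (-not (Test-Path -LiteralPath $clean)) {
        Write-Log "File/Folder $clean not found."
        continue
    }

    $item = Get-Item -LiteralPath $clean -Force
    if ($item.PSIsContainer) {
        Write-Log "Found folder $clean"
    } else {
        # Hash before moving so the log can be matched against scanner reports later.
        $hash = (Get-FileHash -LiteralPath $clean -Algorithm SHA256).Hash
        Write-Log "Found $clean ($($item.Length) bytes, SHA256=$hash)"
    }

    # Preserve the path relative to the drive root under the quarantine folder.
    $relative = $clean -replace '^[A-Za-z]:\\', ''
    $target   = Join-Path $destDir $relative
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null

    try {
        Move-Item -LiteralPath $clean -Destination $target -Force -ErrorAction Stop
        Write-Log "Moved $clean -> $target"
    } catch {
        # An open handle or an in-use DLL cannot be moved while it is loaded;
        # that is the situation where a reboot is needed to finish the move.
        Write-Log "Could not move $clean : $($_.Exception.Message) (in use? retry after reboot)"
    }
}

Write-Log "Quarantine run finished. Log: $logFile"
```

    Run it from an elevated PowerShell prompt; paths under ServiceProfiles are not readable by a standard user, so without elevation the script will report them as not found even when they exist.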
  14. notoriousnick

    notoriousnick TS Rookie Topic Starter

    OTM:

    All processes killed
    ========== FILES ==========
    File/Folder C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Mandy
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 373795 bytes
    ->Java cache emptied: 73843045 bytes
    ->FireFox cache emptied: 125804945 bytes
    ->Flash cache emptied: 487 bytes

    User: Nick
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 338661629 bytes
    ->Java cache emptied: 74618781 bytes
    ->FireFox cache emptied: 96245438 bytes
    ->Google Chrome cache emptied: 7582866 bytes
    ->Flash cache emptied: 1925617 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50326703 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 3708 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 734.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 08202011_190437

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    -------------------------------

    Combofix:

    ComboFix 11-08-20.01 - Nick 08/20/2011 18:24:16.1.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.842 [GMT -4:00]
    Running from: c:\users\Nick\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Mandy\AppData\Roaming\3B14.BF9
    c:\users\Nick\AppData\Roaming\3B14.BF9
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\system\svchost.exe
    c:\windows\system32\no
    c:\windows\system32\no\toscdspd.cpl.mui
    c:\windows\system32\SV
    c:\windows\system32\SV\toscdspd.cpl.mui
    .
    c:\windows\system32\user32.dll . . . is infected!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-20 to 2011-08-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-20 22:40 . 2011-08-20 22:45 -------- d-----w- c:\users\Nick\AppData\Local\temp
    2011-08-20 22:40 . 2011-08-20 22:40 -------- d-----w- c:\users\Mandy\AppData\Local\temp
    2011-08-20 22:40 . 2011-08-20 22:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-08-20 21:48 . 2011-08-20 21:48 -------- d-----w- C:\_OTM
    2011-08-14 17:20 . 2011-08-14 17:20 -------- d-----w- c:\program files\ESET
    2011-08-13 20:38 . 2011-08-13 20:38 -------- d-----w- c:\users\Nick\AppData\Roaming\Avira
    2011-08-13 20:23 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-08-13 20:23 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-08-13 20:23 . 2011-08-13 20:23 -------- d-----w- c:\programdata\Avira
    2011-08-13 20:23 . 2011-08-13 20:23 -------- d-----w- c:\program files\Avira
    2011-08-13 01:23 . 2011-08-13 01:29 -------- d-----w- C:\HijackThis
    2011-08-10 01:51 . 2011-08-10 01:51 -------- d-----w- C:\Hostsxpert
    2011-08-10 01:37 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-08-10 01:37 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-08-10 01:36 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-08-10 01:35 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-08-10 01:35 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-08-10 01:34 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-08-09 15:13 . 2011-08-09 15:13 218624 ----a-w- c:\windows\system32\terdsw32.dll
    2011-08-09 03:10 . 2011-08-09 03:10 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
    2011-08-09 03:09 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-09 03:09 . 2011-08-09 03:09 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-09 03:09 . 2011-08-11 14:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-09 03:09 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-08 20:54 . 2011-08-08 20:54 -------- d-----w- c:\windows\Sun
    2011-08-06 00:05 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{716400D7-366A-4FB4-8F93-8C2ADEC73639}\mpengine.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-20 22:47 . 2011-08-20 22:47 7680 ----a-w- c:\windows\system\svchost.exe
    2011-07-20 20:08 . 2011-07-20 20:08 489672 ----a-w- c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
    2011-06-30 07:32 . 2010-06-18 02:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-22 00:07 . 2011-06-22 00:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-20 01:22 . 2011-06-20 01:22 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-06-20 01:22 . 2011-06-20 01:22 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-06-20 01:22 . 2011-06-20 01:22 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-06-20 01:22 . 2011-06-20 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-06-20 01:22 . 2011-06-20 01:22 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-20 01:22 . 2011-06-20 01:22 367104 ----a-w- c:\windows\system32\html.iec
    2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-06-20 01:22 . 2011-06-20 01:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-20 01:22 . 2011-06-20 01:22 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-20 01:22 . 2011-06-20 01:22 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-06-20 01:22 . 2011-06-20 01:22 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-06-20 01:22 . 2011-06-20 01:22 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-06-20 01:22 . 2011-06-20 01:22 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-06-20 01:22 . 2011-06-20 01:22 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-06-20 01:22 . 2011-06-20 01:22 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-06-20 01:22 . 2011-06-20 01:22 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-06-20 01:22 . 2011-06-20 01:22 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-06-03 02:34 . 2009-08-06 03:45 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-06-02 13:34 . 2011-07-13 19:40 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-05-24 23:14 . 2009-10-03 00:14 222080 ------w- c:\windows\system32\MpSigStub.exe
    2009-09-13 03:05 . 2009-09-13 03:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-13 03:06 . 2009-09-13 03:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-13 03:06 . 2009-09-13 03:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2009-09-13 03:06 . 2009-09-13 03:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-13 03:06 . 2009-09-13 03:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-13 03:07 . 2009-09-13 03:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-13 03:06 . 2009-09-13 03:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-13 03:06 . 2009-09-13 03:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-08-14 17:33 . 2009-08-14 17:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-13 03:06 . 2009-09-13 03:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-19 202256]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "MRT"="c:\windows\system32\MRT.exe" [2011-08-10 52390856]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    R0 ceangn;ceangn;c:\windows\System32\drivers\qdwqvn.sys [x]
    R0 voynu;voynu;c:\windows\System32\drivers\hdftsi.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
    R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [x]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
    S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-06-28 2151640]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 88176]
    S2 TermServices;Remote Desktop Services;c:\windows\System32\svchost.exe [2008-01-21 21504]
    S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    termfsc REG_MULTI_SZ TermServices
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
    .
    2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
    .
    2011-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000Core.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
    .
    2011-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000UA.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
    .
    2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-71685524-1126486158-3962871672-1000.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 56343
    FF - prefs.js: network.proxy.type - 1
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-conhost - c:\users\Nick\AppData\Roaming\Microsoft\conhost.exe
    HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
    Notify-mujiano - c:\windows\system32\config\systemprofile\AppData\Local\mujiano.dll
    AddRemove-InfraRecorder - c:\program files\InfraRecorder\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-20 18:45
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h?????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(232)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\system32\RacAgent.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-20 18:59:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-20 22:59
    .
    Pre-Run: 81,714,511,872 bytes free
    Post-Run: 82,254,057,472 bytes free
    .
    - - End Of File - - 6F1AF6BEDFB75991F0F35718302AEEF3
  15. notoriousnick

    notoriousnick TS Rookie Topic Starter

    I keep getting a blue screen telling me there is a problem with my computer and it is preparing a data dump, or something like that. It then restarts my computer.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this through VirSCAN for identification:

    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: ( you only need one)
    VirusTotal
    Jotti

    [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

      Code:
      c:\windows\system32\user32.dll

    [2]. At the upload site, click once inside the window next to Browse.
    [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    [5]. Once the scan is completed, scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    [6]. Paste the contents of the Clipboard in your next reply.
    ==================================
    I've got to find out what we're working with. If it's one of the file infectors like Ramnit, Virut or the Sality family, we can't clean that.
    ==================================
    You do have a rootkit: Please run this:
    Please download MBRCheck and save to your desktop
    • Double-click on MBRCheck.exe to run it. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
    ===================================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      *user32.dll
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ===================================
    I'm preparing a script for you to run through Combofix.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please go ahead and do what I asked in my previous post. The results will make a difference in what we do.
  18. notoriousnick

    notoriousnick TS Rookie Topic Starter

    VirSCAN.org Scanned Report :
    Scanned time : 2011/09/01 03:13:41 (CST)
    Scanner results: Scanners did not find malware!
    File Name : user32.dll
    File Size : 627712 byte
    File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
    MD5 : 75510147b94598407666f4802797c75a
    SHA1 : 4c3a421fb6c890a81366fc8b0ba33630bb1ce896
    Online report : http://r.virscan.org/e99c00c3b5c63a476f34ea1da8f645dd

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.3 20110901000251 2011-09-01 0.29 -
    AhnLab V3 2011.08.31.00 2011.08.31 2011-08-31 1.55 -
    AntiVir 8.2.6.50 7.11.14.60 2011-08-31 0.28 -
    Antiy 2.0.18 20110804.11725727 2011-08-04 0.12 -
    Arcavir 2011 201107140423 2011-07-14 2.27 -
    Authentium 5.1.1 201108311452 2011-08-31 2.61 -
    AVAST! 4.7.4 110831-0 2011-08-31 0.05 -
    AVG 8.5.850 271.1.1/3868 2011-08-31 2.57 -
    BitDefender 7.90123.8996735 7.38862 2011-09-01 4.40 -
    ClamAV 0.97.1 13518 2011-08-31 0.01 -
    Comodo 5.1 9945 2011-08-31 1.76 -
    CP Secure 1.3.0.5 2011.08.31 2011-08-31 0.10 -
    Dr.Web 5.0.2.3300 2011.09.01 2011-09-01 14.41 -
    F-Prot 4.6.2.117 20110831 2011-08-31 1.81 -
    F-Secure 7.02.73807 2011.08.31.05 2011-08-31 11.40 -
    Fortinet 4.2.257 14.81 2011-08-31 0.10 -
    GData 22.1855 20110901 2011-09-01 0.11 -
    ViRobot 20110831 2011.08.31 2011-08-31 0.34 -
    Ikarus T3.1.32.20.0 2011.08.31.79236 2011-08-31 4.74 -
    JiangMin 13.0.900 2011.08.31 2011-08-31 1.54 -
    Kaspersky 5.5.10 2011.08.31 2011-08-31 0.12 -
    KingSoft 2009.2.5.15 2011.8.31.18 2011-08-31 0.82 -
    McAfee 5400.1158 6455 2011-08-31 9.69 -
    Microsoft 1.7604 2011.08.31 2011-08-31 3.35 -
    NOD32 3.0.21 6423 2011-08-30 0.00 -
    Norman 6.07.10 6.07.00 2011-08-31 10.01 -
    Panda 9.05.01 2011.08.31 2011-08-31 2.59 -
    Trend Micro 9.200-1012 8.360.11 2011-08-17 0.03 -
    Quick Heal 11.00 2011.08.31 2011-08-31 1.10 -
    Rising 20.0 23.73.01.03 2011-08-30 2.59 -
    Sophos 3.22.0 4.68 2011-09-01 3.88 -
    Sunbelt 3.9.2500.2 10328 2011-08-31 0.66 -
    Symantec 1.3.0.24 20110831.002 2011-08-31 0.06 -
    nProtect 20110831.02 12553780 2011-08-31 1.10 -
    The Hacker 6.7.0.1 v00287 2011-08-31 0.48 -
    VBA32 3.12.16.4 20110831.0853 2011-08-31 4.24 -
    VirusBuster 5.3.0.4 14.0.195.0/60194072011-08-31 0.00 -


    --------------------

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Basic Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: TOSHIBA
    BIOS Manufacturer: INSYDE
    System Manufacturer: TOSHIBA
    System Product Name: Satellite L305
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 143):
    0x81E0C000 \SystemRoot\system32\ntkrnlpa.exe
    0x821C6000 \SystemRoot\system32\hal.dll
    0x8668F000 \SystemRoot\system32\kdcom.dll
    0x8040A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8047A000 \SystemRoot\system32\PSHED.dll
    0x8048B000 \SystemRoot\system32\BOOTVID.dll
    0x80493000 \SystemRoot\system32\CLFS.SYS
    0x804D4000 \SystemRoot\system32\CI.dll
    0x80608000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x80684000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80691000 \SystemRoot\system32\drivers\acpi.sys
    0x806D7000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806E0000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806E8000 \SystemRoot\system32\drivers\pci.sys
    0x8070F000 \SystemRoot\System32\drivers\partmgr.sys
    0x8071E000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80721000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8072B000 \SystemRoot\system32\drivers\volmgr.sys
    0x8073A000 \SystemRoot\System32\drivers\volmgrx.sys
    0x80784000 \SystemRoot\System32\drivers\mountmgr.sys
    0x80794000 \SystemRoot\system32\DRIVERS\pciide.sys
    0x8079B000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x82406000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x824D4000 \SystemRoot\system32\drivers\atapi.sys
    0x824DC000 \SystemRoot\system32\drivers\ataport.SYS
    0x824FA000 \SystemRoot\system32\drivers\msahci.sys
    0x82504000 \SystemRoot\system32\drivers\fltmgr.sys
    0x82536000 \SystemRoot\system32\drivers\fileinfo.sys
    0x82546000 \SystemRoot\system32\DRIVERS\Lbd.sys
    0x82555000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x8255E000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x82604000 \SystemRoot\system32\drivers\ndis.sys
    0x8270F000 \SystemRoot\system32\drivers\msrpc.sys
    0x8273A000 \SystemRoot\system32\drivers\NETIO.SYS
    0x87807000 \SystemRoot\System32\drivers\tcpip.sys
    0x878F1000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x87A0A000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x87B1A000 \SystemRoot\system32\drivers\volsnap.sys
    0x87B53000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    0x87B58000 \SystemRoot\system32\DRIVERS\tos_sps32.sys
    0x87B9B000 \SystemRoot\System32\Drivers\spldr.sys
    0x87BA3000 \SystemRoot\System32\Drivers\mup.sys
    0x87BB2000 \SystemRoot\System32\drivers\ecache.sys
    0x87BD9000 \SystemRoot\system32\drivers\disk.sys
    0x8790C000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x87BEA000 \SystemRoot\system32\drivers\crcdisk.sys
    0x82775000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x87A00000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x82780000 \SystemRoot\system32\DRIVERS\FwLnk.sys
    0x82788000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x879FB000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8B60A000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x8BCEE000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8BD8E000 \SystemRoot\System32\drivers\watchdog.sys
    0x8BD9A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8BDA5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8BDE3000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8BE06000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8BE93000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8BED4000 \SystemRoot\system32\DRIVERS\athr.sys
    0x8BFBB000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8BFCE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x82797000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8BFD9000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8BFDB000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8BFE6000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
    0x827C7000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x825CF000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x807A9000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8BFF0000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x827DF000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8BDF2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x805B4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x807EA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x805D7000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x805EB000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8C20A000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8C21A000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8C21C000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8C246000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8C250000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8C25D000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8C292000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8C400000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8C2A3000 \SystemRoot\system32\drivers\portcls.sys
    0x8C2D0000 \SystemRoot\system32\drivers\drmk.sys
    0x8C80F000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0x8C92B000 \SystemRoot\system32\drivers\modem.sys
    0x8C938000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8C941000 \SystemRoot\System32\Drivers\Null.SYS
    0x8C948000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8C94F000 \SystemRoot\System32\drivers\vga.sys
    0x8C95B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8C97C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8C984000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8C98C000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8C997000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8C9A5000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8C9AE000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8C9C4000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8C2F5000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8C327000 \SystemRoot\system32\drivers\afd.sys
    0x8C9D8000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8C9EE000 \SystemRoot\system32\DRIVERS\jswpslwf.sys
    0x8C800000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8C36F000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8C9F3000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0x8C382000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8C3BE000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8C3C8000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8C3DF000 \SystemRoot\system32\DRIVERS\ctxusbm.sys
    0x8CA08000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0x8CA2F000 \SystemRoot\system32\drivers\RTSTOR.SYS
    0x8CA43000 \SystemRoot\system32\DRIVERS\udfs.sys
    0x8CA7E000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8CA8B000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x94A60000 \SystemRoot\System32\win32k.sys
    0x8CB59000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8CB63000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x94C80000 \SystemRoot\System32\TSDDD.dll
    0x94CA0000 \SystemRoot\System32\cdd.dll
    0x8CB72000 \SystemRoot\system32\drivers\luafv.sys
    0x8CB8D000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0x8CBA4000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x8CBB4000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x8CBDE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x8CBE8000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x8792D000 \SystemRoot\system32\drivers\HTTP.sys
    0x8799A000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x879B7000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x879D0000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xAC205000 \SystemRoot\system32\drivers\mrxdav.sys
    0xAC226000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xAC245000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0xAC27E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xAC296000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xAC2BE000 \SystemRoot\System32\DRIVERS\srv.sys
    0xAC30D000 \SystemRoot\system32\drivers\peauth.sys
    0xAC3EB000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x8C3F3000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xACA0F000 \SystemRoot\system32\drivers\spsys.sys
    0xACABF000 \??\C:\Windows\system32\drivers\mbam.sys
    0x778F0000 \Windows\System32\ntdll.dll

    Processes (total 85):
    0 System Idle Process
    4 System
    460 C:\Windows\System32\smss.exe
    544 csrss.exe
    588 C:\Windows\System32\wininit.exe
    596 csrss.exe
    624 C:\Windows\System32\winlogon.exe
    676 C:\Windows\System32\services.exe
    688 C:\Windows\System32\lsass.exe
    696 C:\Windows\System32\lsm.exe
    852 C:\Windows\System32\svchost.exe
    908 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    952 C:\Windows\System32\svchost.exe
    988 C:\Windows\System32\svchost.exe
    1112 C:\Windows\System32\svchost.exe
    1128 C:\Windows\System32\svchost.exe
    1208 C:\Windows\System32\audiodg.exe
    1248 C:\Windows\System32\svchost.exe
    1264 C:\Windows\System32\SLsvc.exe
    1300 C:\Windows\System32\svchost.exe
    1436 C:\Windows\System32\svchost.exe
    1556 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    1568 C:\Windows\System32\wlanext.exe
    1692 C:\Windows\System32\spoolsv.exe
    1716 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1728 C:\Windows\System32\svchost.exe
    1884 C:\Windows\System32\agrsmsvc.exe
    1928 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1944 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
    1996 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    312 C:\Program Files\Common Files\Motive\McciCMService.exe
    328 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    512 C:\Windows\System32\svchost.exe
    524 C:\Windows\System32\rundll32.exe
    1160 C:\Windows\System32\svchost.exe
    1416 C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
    1400 C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    2076 C:\Windows\System32\TODDSrv.exe
    2100 C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    2124 C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe
    2332 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    2384 C:\Windows\System32\svchost.exe
    2436 C:\Windows\System32\SearchIndexer.exe
    2540 C:\Windows\System32\taskeng.exe
    2556 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    2572 C:\Windows\System32\dwm.exe
    2612 C:\Windows\explorer.exe
    2848 C:\Windows\System32\hkcmd.exe
    2856 C:\Windows\System32\igfxpers.exe
    2864 C:\Windows\RtHDVCpl.exe
    2872 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    2912 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    3004 C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    3024 C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    3100 C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    3132 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    3220 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    3244 C:\Program Files\Citrix\ICA Client\concentr.exe
    3252 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    3308 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    3316 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3336 C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    3452 C:\Windows\System32\taskeng.exe
    3776 C:\Windows\System32\igfxsrvc.exe
    3860 unsecapp.exe
    3988 WmiPrvSE.exe
    2240 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    1076 C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    3216 C:\Windows\System32\igfxext.exe
    3128 C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    3568 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    2948 C:\Program Files\Windows Media Player\wmpnscfg.exe
    232 C:\Program Files\Windows Media Player\wmpnetwk.exe
    2692 C:\Windows\System32\svchost.exe
    3924 C:\Windows\System32\Macromed\Flash\FlashUtil10t_ActiveX.exe
    4232 C:\Program Files\Internet Explorer\iexplore.exe
    4304 C:\Program Files\Internet Explorer\iexplore.exe
    5928 C:\Windows\System32\notepad.exe
    4680 taskeng.exe
    840 C:\Windows\System32\SearchProtocolHost.exe
    5792 C:\Windows\System32\SearchFilterHost.exe
    5604 C:\Windows\System32\dllhost.exe
    3600 dllhost.exe
    5136 dllhost.exe
    5496 C:\Users\Nick\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1600BEVS-26VAT0, Rev: 11.01A11

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: BBAD517F7EAC529451E4B9586C847AE190574F61


    Done!


    ----------------------------


    SystemLook 30.07.11 by jpshortstuff
    Log created at 16:16 on 31/08/2011 by Nick
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "*user32.dll"
    C:\Windows\ERDNT\cache\user32.dll --a---- 627712 bytes [22:52 20/08/2011] [06:28 11/04/2009] 75510147B94598407666F4802797C75A
    C:\Windows\System32\user32.dll --a---- 627712 bytes [23:53 17/09/2009] [06:28 11/04/2009] 75510147B94598407666F4802797C75A
    C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll --a---- 627200 bytes [02:34 21/01/2008] [02:34 21/01/2008] B974D9F06DC7D1908E825DC201681269
    C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll --a---- 627712 bytes [23:53 17/09/2009] [06:28 11/04/2009] 75510147B94598407666F4802797C75A

    -= EOF =-
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    We need to finish this up. Normally I would have closed the thread after 5 days of no reply, but I'm behind on doing that. If you're using the system during these time gaps, then the logs I'm working from will be different.

    1. Please update Combofix and run a new scan.

    2. Please update the Eset Online Virus scan and run a new scan.

    3. Please give me a report on how/what the system is doing, or not doing, at this point.

    Logs in next reply as soon as possible.
  20. notoriousnick

    notoriousnick TS Rookie Topic Starter

    ComboFix 11-09-01.03 - Nick 09/01/2011 22:11:01.1.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.910 [GMT -4:00]
    Running from: c:\users\Nick\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\bwUnin-7.2.0.157-8876480SL.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-02 02:24 . 2011-09-02 02:24 -------- d-----w- c:\users\Nick\AppData\Local\temp
    2011-09-02 02:24 . 2011-09-02 02:24 -------- d-----w- c:\users\Mandy\AppData\Local\temp
    2011-09-02 02:24 . 2011-09-02 02:24 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-08-20 21:48 . 2011-08-20 21:48 -------- d-----w- C:\_OTM
    2011-08-14 17:20 . 2011-08-14 17:20 -------- d-----w- c:\program files\ESET
    2011-08-13 20:38 . 2011-08-13 20:38 -------- d-----w- c:\users\Nick\AppData\Roaming\Avira
    2011-08-13 20:23 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-08-13 20:23 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-08-13 20:23 . 2011-08-13 20:23 -------- d-----w- c:\programdata\Avira
    2011-08-13 20:23 . 2011-08-13 20:23 -------- d-----w- c:\program files\Avira
    2011-08-13 01:23 . 2011-08-13 01:29 -------- d-----w- C:\HijackThis
    2011-08-10 01:51 . 2011-08-10 01:51 -------- d-----w- C:\Hostsxpert
    2011-08-10 01:37 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-08-10 01:37 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-08-10 01:36 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-08-10 01:35 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-08-10 01:35 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-08-10 01:34 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-08-09 03:10 . 2011-08-09 03:10 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
    2011-08-09 03:09 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-09 03:09 . 2011-08-09 03:09 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-09 03:09 . 2011-08-11 14:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-09 03:09 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-08 20:54 . 2011-08-08 20:54 -------- d-----w- c:\windows\Sun
    2011-08-06 00:05 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{716400D7-366A-4FB4-8F93-8C2ADEC73639}\mpengine.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-20 20:08 . 2011-07-20 20:08 489672 ----a-w- c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
    2011-07-13 21:52 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
    2011-06-30 07:32 . 2010-06-18 02:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-22 00:07 . 2011-06-22 00:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-20 01:22 . 2011-06-20 01:22 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-06-20 01:22 . 2011-06-20 01:22 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-06-20 01:22 . 2011-06-20 01:22 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-06-20 01:22 . 2011-06-20 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-06-20 01:22 . 2011-06-20 01:22 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-20 01:22 . 2011-06-20 01:22 367104 ----a-w- c:\windows\system32\html.iec
    2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-06-20 01:22 . 2011-06-20 01:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-20 01:22 . 2011-06-20 01:22 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-20 01:22 . 2011-06-20 01:22 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-06-20 01:22 . 2011-06-20 01:22 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-06-20 01:22 . 2011-06-20 01:22 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-06-20 01:22 . 2011-06-20 01:22 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-06-20 01:22 . 2011-06-20 01:22 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-06-20 01:22 . 2011-06-20 01:22 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-06-20 01:22 . 2011-06-20 01:22 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-06-20 01:22 . 2011-06-20 01:22 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2009-09-13 03:05 . 2009-09-13 03:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-13 03:06 . 2009-09-13 03:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-13 03:06 . 2009-09-13 03:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2009-09-13 03:06 . 2009-09-13 03:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-13 03:06 . 2009-09-13 03:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-13 03:07 . 2009-09-13 03:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-13 03:06 . 2009-09-13 03:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-13 03:06 . 2009-09-13 03:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-08-14 17:33 . 2009-08-14 17:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-13 03:06 . 2009-09-13 03:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-19 202256]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    R0 ceangn;ceangn;c:\windows\System32\drivers\qdwqvn.sys [x]
    R0 voynu;voynu;c:\windows\System32\drivers\hdftsi.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
    R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [x]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
    S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-08-15 2151640]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 88176]
    S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    termfsc REG_MULTI_SZ TermServices
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
    .
    2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
    .
    2011-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000Core.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
    .
    2011-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000UA.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
    .
    2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-71685524-1126486158-3962871672-1000.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 56343
    FF - prefs.js: network.proxy.type - 1
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-01 22:24
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h?????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2011-09-01 22:31:40
    ComboFix-quarantined-files.txt 2011-09-02 02:31
    ComboFix2.txt 2011-08-20 22:59
    .
    Pre-Run: 82,966,261,760 bytes free
    Post-Run: 82,950,627,328 bytes free
    .
    - - End Of File - - DE423F9BD900938BA0C63D14F4A40DEE

    ------------------------------
    ESET:

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif a variant of Java/TrojanDownloader.OpenStream.NAZ trojan

    ---------------------------------


    There don't seem to be a lot of symptoms with the computer right now, except for one. When we close the laptop, and log back on later, the computer will log on, and then it will almost immediately crash, giving us a blue screen, then restarting.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry- my face is red! The thread turned the page and I didn't!

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
    c:\windows\CouponPrinter.ocx
    c:\windows\System32\drivers\qdwqvn.sys
    c:\windows\System32\drivers\hdftsi.sys
    Folder::
    c:\users\Nick\AppData\Local\temp
    c:\users\Mandy\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    Extra::
    Firefox::
    Firefox-: - Profile - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
    Firefox-: prefs.jS - Search.DefaultURL
    Firefox-: prefs.js - Startup.Homepage
    Registry::
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h????????????????? .
    Driver::
    ceangn
    voynu
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    For Eset: Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ====================================
    I note that you are using MSIE: Internet Explorer v9.00 (9.00.8112.16421). Have you recently upgraded to IE v9? It's pretty new. Have any of these problems started since you installed this version?
    =====================================
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
    ===================================
    Some of the errors in the Event Viewer indicate that some Services might not have their Dependencies running. If the problem continues, I'll have you check for errors that occur when you get the BSOD.
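    The CFScript above removes two boot-start drivers (ceangn, voynu) whose image files are not on disk, and the proxy-reset steps undo Firefox prefs that route traffic through 127.0.0.1. As an added example, not part of the thread and not ComboFix's or the helper's own tooling, the script below runs those same checks over ComboFix-style log lines: it flags `R0`/`S0` services with opaque names and a missing image, a manual proxy pointing at a loopback address, and a start page or search engine that differs from what the user expects. The sample log is constructed from lines quoted in this thread; the name-pattern heuristic, the expected home domain and the `KNOWN_ENGINES` list are assumptions chosen for the demonstration.

```python
"""Triage of ComboFix-style log lines for the indicators acted on in this thread.

Added example (not from the thread, ComboFix, or the helper's own tooling).
The thresholds, name patterns and engine list below are assumptions for the demo.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on lines quoted in the thread; not the poster's log file.
SAMPLE_LOG = r"""
R0 ceangn;ceangn;c:\windows\System32\drivers\qdwqvn.sys [x]
R0 voynu;voynu;c:\windows\System32\drivers\hdftsi.sys [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56343
FF - prefs.js: network.proxy.type - 1
"""

# "R0 name;display;path [x]": start type 0 = boot driver, [x] = image not found on disk
SERVICE_RE = re.compile(
    r"^(?P<kind>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<status>x|\d{4}-\d{2}-\d{2} \d+)\]$"
)
# "FF - prefs.js: key - value" (ComboFix defangs http as hxxp)
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")
# Heuristic (assumption): 4-8 lowercase letters, and display name equals service name
OPAQUE_NAME_RE = re.compile(r"[a-z]{4,8}")
# Assumption: engines the user is known to have chosen deliberately
KNOWN_ENGINES = {"google", "yahoo", "bing"}

Finding = Tuple[str, str, str]  # (severity, subject, reason)


def check_service(m: "re.Match[str]") -> List[Finding]:
    name, display, path = m.group("name"), m.group("display"), m.group("path")
    missing = m.group("status") == "x"
    boot_start = m.group("start") == "0"
    opaque = OPAQUE_NAME_RE.fullmatch(name) is not None and name == display
    image = path.rsplit("\\", 1)[-1]
    if missing and boot_start and opaque:
        return [("high", name,
                 f"boot-start driver with opaque name; image {image} not on disk "
                 f"and unrelated to the service name")]
    if missing:
        return [("low", name, f"service image {path} not found on disk")]
    return []


def host_of(url: str) -> str:
    """Strip the scheme (http or defanged hxxp) and path; keep the host part."""
    return re.sub(r"^[a-z]+://", "", url.strip()).split("/")[0].lower()


def check_firefox(prefs: Dict[str, str], expected_home: str = "google.com") -> List[Finding]:
    out: List[Finding] = []
    if prefs.get("network.proxy.type") == "1":  # 1 = manual proxy configuration
        host = prefs.get("network.proxy.http", "")
        port = prefs.get("network.proxy.http_port", "?")
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False
        if loopback:
            out.append(("high", "network.proxy.http",
                        f"manual proxy at loopback {host}:{port}: a local process sits "
                        f"between the browser and the network"))
        else:
            out.append(("review", "network.proxy.http", f"manual proxy set to {host}:{port}"))
    for url in prefs.get("browser.startup.homepage", "").split("|"):
        h = host_of(url)
        if h and not h.endswith(expected_home):
            out.append(("review", "browser.startup.homepage", f"unexpected start page {url}"))
    engine = prefs.get("browser.search.selectedEngine", "")
    if engine and engine.lower().split(".")[0] not in KNOWN_ENGINES:
        out.append(("review", "browser.search.selectedEngine", f"search engine changed to {engine}"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Parse service and Firefox-pref lines; return findings in log order."""
    findings: List[Finding] = []
    prefs: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            findings.extend(check_service(svc))
            continue
        pref = PREF_RE.match(line)
        if pref:
            prefs[pref.group("key")] = pref.group("value")
    findings.extend(check_firefox(prefs))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {subject}: {reason}")
```

    Run against the sample, the two opaque boot drivers and the loopback proxy come out as high findings, the sysprep leftover (IO_Memory, a missing image but a readable name and start type 3) as low, and the start page and search engine as items to review rather than remove. The Internet Explorer side of the proxy reset is not visible in ComboFix's FF lines; on that browser the equivalent settings are the ProxyEnable and ProxyServer values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which the LAN Settings dialog described above writes.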
  22. notoriousnick

    notoriousnick TS Rookie Topic Starter

    ComboFix 11-09-13.04 - Nick 09/13/2011 23:42:24.1.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.978 [GMT -4:00]
    Running from: c:\users\Nick\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nick\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    FILE ::
    "c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe"
    "c:\windows\CouponPrinter.ocx"
    "c:\windows\System32\drivers\hdftsi.sys"
    "c:\windows\System32\drivers\qdwqvn.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Default\AppData\Local\temp
    c:\users\Mandy\AppData\Local\temp
    c:\users\Nick\AppData\Local\temp
    c:\users\Nick\AppData\Local\temp\_ir_sf_temp_0\npCouponPrinter.dll
    c:\users\Nick\AppData\Local\temp\_ir_sf_temp_0\npCouponPrinter.xpt
    c:\users\Nick\AppData\Local\temp\_ir_sf_temp_0\npMozCouponPrinter.dll
    c:\users\Nick\AppData\Local\temp\CR_B29C0.tmp\SETUP_PATCH.PACKED.7Z
    c:\users\Nick\AppData\Local\temp\HP\AtStatus\hpinksts8811lm.log
    c:\users\Nick\AppData\Local\temp\Low\_rf.log
    c:\users\Nick\AppData\Local\temp\Low\Cab4FE4.tmp
    c:\users\Nick\AppData\Local\temp\Low\cpnprt2.cid
    c:\users\Nick\AppData\Local\temp\Low\Tar4FE5.tmp
    c:\users\Nick\AppData\Local\temp\outlook logging\firstrun.log
    c:\users\Nick\AppData\Local\temp\sv3fl.tmp\sv3hi.tmp
    c:\users\Nick\AppData\Local\temp\Temp1_ieautofill.zip\file_id.diz
    c:\users\Nick\AppData\Local\temp\Temp1_ieautofill.zip\readme.txt
    c:\users\Nick\AppData\Local\temp\Temp1_ieautofill.zip\setup.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_ceangn
    -------\Service_voynu
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-14 03:58 . 2011-09-14 04:01 -------- d-----w- c:\users\Nick\AppData\Local\Temp
    2011-09-06 01:30 . 2011-09-06 01:30 -------- d-----w- c:\programdata\RoboForm
    2011-09-06 01:29 . 2011-09-06 01:29 -------- d-----w- c:\program files\Siber Systems
    2011-09-05 02:23 . 2007-02-19 03:09 122552 ----a-w- c:\windows\system32\ieuihandler.dll
    2011-09-05 02:23 . 2011-09-05 02:23 -------- d-----w- c:\program files\IE AutoFill
    2011-08-23 17:06 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-08-20 21:48 . 2011-08-20 21:48 -------- d-----w- C:\_OTM
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-22 02:54 . 2011-08-10 07:19 1797632 ----a-w- c:\windows\system32\jscript9.dll
    2011-07-22 02:48 . 2011-08-10 07:19 1126912 ----a-w- c:\windows\system32\wininet.dll
    2011-07-22 02:44 . 2011-08-10 07:19 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-07-21 16:15 . 2011-08-13 20:23 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-07-21 16:15 . 2011-08-13 20:23 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-07-20 20:08 . 2011-07-20 20:08 489672 ----a-w- c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
    2011-07-13 21:52 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
    2011-07-13 03:39 . 2011-08-06 00:05 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{716400D7-366A-4FB4-8F93-8C2ADEC73639}\mpengine.dll
    2011-07-06 23:52 . 2011-08-09 03:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52 . 2011-08-09 03:09 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 15:31 . 2011-08-10 01:37 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-30 07:32 . 2010-06-18 02:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-22 00:07 . 2011-06-22 00:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-20 08:54 . 2011-08-10 01:35 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-06-20 08:54 . 2011-08-10 01:35 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-06-20 01:22 . 2011-06-20 01:22 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-06-20 01:22 . 2011-06-20 01:22 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-06-20 01:22 . 2011-06-20 01:22 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-06-20 01:22 . 2011-06-20 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-06-20 01:22 . 2011-06-20 01:22 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-20 01:22 . 2011-06-20 01:22 367104 ----a-w- c:\windows\system32\html.iec
    2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-06-20 01:22 . 2011-06-20 01:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-20 01:22 . 2011-06-20 01:22 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-20 01:22 . 2011-06-20 01:22 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-06-20 01:22 . 2011-06-20 01:22 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-06-20 01:22 . 2011-06-20 01:22 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-06-20 01:22 . 2011-06-20 01:22 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-06-20 01:22 . 2011-06-20 01:22 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-06-20 01:22 . 2011-06-20 01:22 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-06-20 01:22 . 2011-06-20 01:22 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-06-20 01:22 . 2011-06-20 01:22 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-06-17 20:13 . 2011-08-10 01:34 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-06-17 16:03 . 2011-08-10 01:37 375808 ----a-w- c:\windows\system32\winsrv.dll
    2009-09-13 03:05 . 2009-09-13 03:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-13 03:06 . 2009-09-13 03:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-13 03:06 . 2009-09-13 03:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2009-09-13 03:06 . 2009-09-13 03:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-13 03:06 . 2009-09-13 03:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-13 03:07 . 2009-09-13 03:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-13 03:06 . 2009-09-13 03:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-13 03:06 . 2009-09-13 03:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-08-14 17:33 . 2009-08-14 17:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-13 03:06 . 2009-09-13 03:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-09-06 107000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-19 202256]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
    R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [x]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
    S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-09-02 2152152]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-08-10 94880]
    S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    termfsc REG_MULTI_SZ TermServices
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
    .
    2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
    .
    2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000Core.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
    .
    2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000UA.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
    .
    2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-71685524-1126486158-3962871672-1000.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: {{3AE521FE-D4E4-4404-AD15-A8414FFC467B} - {3AE521FE-D4E4-4404-AD15-A8414FFC467B} - c:\program files\IE AutoFill\ieautofill.dll
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 56343
    FF - prefs.js: network.proxy.type - 1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-14 00:00
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h?????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\RtHDVCpl.exe
    c:\program files\Toshiba\ConfigFree\NDSTray.exe
    c:\program files\Windows Media Player\wmpnscfg.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Citrix\ICA Client\wfcrun32.exe
    c:\windows\system32\igfxext.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-14 00:12:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-09-14 04:12
    ComboFix2.txt 2011-09-02 02:31
    ComboFix3.txt 2011-08-20 22:59
    .
    Pre-Run: 83,176,636,416 bytes free
    Post-Run: 83,010,514,944 bytes free
    .
    - - End Of File - - 3CD70561F68228AFCC3E6A7BA9867B99

    -------------------------------------------

    All processes killed
    ========== FILES ==========
    File/Folder C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Mandy
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Nick
    ->Temp folder emptied: 516335 bytes
    ->Temporary Internet Files folder emptied: 277383864 bytes
    ->Java cache emptied: 1160504 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 16110 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3428 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 194611 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 266.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 09152011_210400

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    -----------------------------------------------------

    Couldn't uncheck "use a proxy server for LAN" because it was never checked.
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ======================================
    This is a recurring exploit. Please check the information on this Microsoft Site.
    If you do not have this updater on the system, please get it.
    ====================================
    About the reboot: Force it if you have to so you can check the time it happens on the computer clock. Errors in the Event Viewer are time coded, so you will look for any error in either System or Apps that corresponds to the reboot:

    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    • Select log to query, select
    • Application
    • System

      Under Select type to list, select:
    • Critical (Vista only)
    • Error

      Click the radio button for Number of events
    • Type 10 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

      Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.

    (Courtesy rev-Olie)
  24. notoriousnick

    notoriousnick TS Rookie Topic Starter

    All processes killed
    ========== FILES ==========
    File/Folder C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Mandy
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Nick
    ->Temp folder emptied: 20163666 bytes
    ->Temporary Internet Files folder emptied: 210340738 bytes
    ->Java cache emptied: 437336 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 6819 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 21713 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33237 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 711201 bytes

    Total Files Cleaned = 221.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 10032011_210546

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    ------------------------------

    I believe the last BSOD was 10/03/11 @ 2:17

    Vino's Event Viewer v01c run on Windows Vista in English
    Report run at 03/10/2011 10:08:06 PM

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 04/10/2011 1:44:30 AM
    Type: Error Category: 0
    Event: 10 Source: Microsoft-Windows-WMI
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    Log: 'Application' Date/Time: 03/10/2011 10:48:43 PM
    Type: Error Category: 0
    Event: 8210 Source: System Restore
    The scheduled restore point could not be created. Additional information: (0x800423f4).

    Log: 'Application' Date/Time: 03/10/2011 10:48:43 PM
    Type: Error Category: 0
    Event: 8193 Source: System Restore
    Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x800423f4).

    Log: 'Application' Date/Time: 03/10/2011 10:48:43 PM
    Type: Error Category: 0
    Event: 16387 Source: SPP
    Shadow copy creation failed because of error reported by ASR Writer. More info: The parameter is incorrect. (0x80070057).

    Log: 'Application' Date/Time: 03/10/2011 9:07:41 PM
    Type: Error Category: 0
    Event: 10 Source: Microsoft-Windows-WMI
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    Log: 'Application' Date/Time: 03/10/2011 2:30:56 PM
    Type: Error Category: 100
    Event: 1000 Source: Application Error
    Faulting application iexplore.exe, version 9.0.8112.16421, time stamp 0x4d76255d, faulting module tbCoup.dll, version 6.6.0.19, time stamp 0x4e5df640, exception code 0xc0000005, fault offset 0x002d1c28, process id 0xea0, application start time 0x01cc81d830fd00e0.

    Log: 'Application' Date/Time: 03/10/2011 2:17:15 PM
    Type: Error Category: 0
    Event: 10 Source: Microsoft-Windows-WMI
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
    Type: Error Category: 0
    Event: 8210 Source: System Restore
    The scheduled restore point could not be created. Additional information: (0x800423f4).

    Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
    Type: Error Category: 0
    Event: 8193 Source: System Restore
    Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x800423f4).

    Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
    Type: Error Category: 0
    Event: 16387 Source: SPP
    Shadow copy creation failed because of error reported by ASR Writer. More info: The parameter is incorrect. (0x80070057).

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 25/08/2011 1:59:12 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 22/08/2011 2:48:57 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 13/08/2011 6:45:57 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 13/08/2011 12:03:04 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 09/08/2011 2:48:38 AM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 24/06/2011 7:36:43 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 19/06/2011 9:46:42 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 15/06/2011 4:10:38 AM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 24/03/2011 11:59:15 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 10/03/2011 6:54:04 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 04/10/2011 1:44:31 AM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 04/10/2011 1:44:31 AM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 04/10/2011 1:05:47 AM
    Type: Error Category: 0
    Event: 7031 Source: Service Control Manager
    The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

    Log: 'System' Date/Time: 04/10/2011 12:49:35 AM
    Type: Error Category: 0
    Event: 10000 Source: Microsoft-Windows-DistributedCOM
    Unable to start a DCOM Server: {D21ED08F-6B88-45EC-A71C-6BD453B561D0}. The error: "740" Happened while starting this command: "C:\Windows\system32\Adobe\Director\SwDnld.exe" -Embedding

    Log: 'System' Date/Time: 03/10/2011 9:09:19 PM
    Type: Error Category: 0
    Event: 6161 Source: Microsoft-Windows-PrintSpooler
    The document CouponNetwork Coupon, owned by Nick, failed to print on printer HP Deskjet 1000 J110 series. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 3066592. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\NICK-PC. Win32 error code returned by the print processor: 6. The handle is invalid.

    Log: 'System' Date/Time: 03/10/2011 9:07:42 PM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 03/10/2011 9:07:42 PM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 03/10/2011 9:06:41 PM
    Type: Error Category: 0
    Event: 6008 Source: EventLog
    The previous system shutdown at 5:05:09 PM on 10/3/2011 was unexpected.

    Log: 'System' Date/Time: 03/10/2011 2:17:16 PM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 03/10/2011 2:17:16 PM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.
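The step Bobbye asked for in the previous post was to match time-coded Event Viewer errors against the reboot time, and the VEW report above is the raw material for that. The Python below is an added example for this thread, not VEW's code and not something either participant posted. It assumes the four-line record shape seen in the report (Log/Date-Time, Type/Category, Event/Source, message), dd/mm/yyyy stamps as VEW's own header states, and that the date inside Event 6008's text is m/d/yyyy, the format the poster himself used; the embedded report excerpt is constructed from lines in this thread.

```python
"""Correlate VEW (Vino's Event Viewer) report entries with a reboot time.

Added example for this thread; it is not VEW's code and was not posted by
either participant. Assumptions (not stated on the page): each VEW record is
the four-line shape seen in the report (Log/Date-Time, Type/Category,
Event/Source, message), stamps are dd/mm/yyyy as VEW's own header says, and
the date inside Event 6008's text is m/d/yyyy, the format the poster used.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed excerpt in VEW's format, patterned on the report posted above.
SAMPLE_REPORT = """\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 03/10/2011 2:30:56 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application iexplore.exe, version 9.0.8112.16421, faulting module tbCoup.dll, exception code 0xc0000005.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 25/08/2011 1:59:12 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 03/10/2011 9:06:41 PM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 5:05:09 PM on 10/3/2011 was unexpected.

Log: 'System' Date/Time: 03/10/2011 2:17:16 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.
"""

HEADER = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<stamp>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$")
TYPE_LINE = re.compile(r"^Type: (?P<level>\w+) Category: (?P<cat>\d+)$")
EVENT_LINE = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")
SHUTDOWN = re.compile(r"shutdown at (\d{1,2}:\d{2}:\d{2} [AP]M) on (\d{1,2}/\d{1,2}/\d{4}) was unexpected")

# Time the poster gave for the last BSOD ("10/03/11 @ 2:17"), read as 3 Oct 2011 14:17.
REPORTED_BSOD = datetime(2011, 10, 3, 14, 17)


@dataclass
class VewEvent:
    log: str
    when: datetime
    level: str = ""
    event_id: int = 0
    source: str = ""
    message: str = ""


def parse_vew(report: str) -> list[VewEvent]:
    """Turn a VEW report into records; banners and section titles are skipped."""
    events: list[VewEvent] = []
    cur: VewEvent | None = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("~"):
            cur = None  # a blank line or a ~~~ banner ends the current record
            continue
        head = HEADER.match(line)
        if head:
            cur = VewEvent(head["log"], datetime.strptime(head["stamp"], "%d/%m/%Y %I:%M:%S %p"))
            events.append(cur)
            continue
        if cur is None:
            continue  # section titles such as "'System' Log - Error Type"
        if m := TYPE_LINE.match(line):
            cur.level = m["level"]
        elif m := EVENT_LINE.match(line):
            cur.event_id = int(m["id"])
            cur.source = m["source"]
        else:
            cur.message = f"{cur.message} {line}".strip()  # message text may wrap
    return events


def events_near(events: list[VewEvent], moment: datetime, minutes: int = 15) -> list[VewEvent]:
    """Events stamped within `minutes` of `moment`, nearest first: the lookup
    the helper describes, done over the file instead of by eye."""
    window = timedelta(minutes=minutes)
    hits = [ev for ev in events if abs(ev.when - moment) <= window]
    return sorted(hits, key=lambda ev: abs(ev.when - moment))


def unexpected_shutdowns(events: list[VewEvent]) -> list[datetime]:
    """Reboot times Windows itself recorded, taken from Event 6008 text."""
    found = []
    for ev in events:
        m = SHUTDOWN.search(ev.message) if ev.event_id == 6008 else None
        if m:
            found.append(datetime.strptime(f"{m[1]} {m[2]}", "%I:%M:%S %p %m/%d/%Y"))
    return found


def correlate(report: str = SAMPLE_REPORT, moment: datetime = REPORTED_BSOD) -> list[VewEvent]:
    """Parse a report and list the errors around a given reboot time."""
    return events_near(parse_vew(report), moment)


if __name__ == "__main__":
    evs = parse_vew(SAMPLE_REPORT)
    for t in unexpected_shutdowns(evs):
        print("Windows recorded an unexpected shutdown at", t)
    for ev in correlate():
        print(f"{ev.when:%d/%m/%Y %I:%M:%S %p} {ev.log:<11} {ev.level:<8} {ev.event_id:>5} {ev.source}: {ev.message}")
```

Run against the excerpt, `correlate()` returns the Service Control Manager failure stamped 16 seconds after the reported 2:17 PM BSOD and the iexplore.exe crash fourteen minutes later, while `unexpected_shutdowns` pulls the 5:05:09 PM reboot out of the 6008 record, a second moment worth passing to `correlate` on the full report.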
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, as you probably know, these are Services related to the Logitech Webcam:

    If you are still using this webcam:
    Uninstall the software you have now.
    Download the latest version.
    Do NOT put the entries on the Startup Menu
    Make sure the services are set to Manual, not Automatic:

    Per bleepingcomputer:

    LVSrvLauncher- there is no known description for this Service.

    LVPrcSrv
    Service Display Name: Logitech Process Monitor
    Part of the Logitech QuickCam software and used for the Video Effects options. This topic states that disabling this process has no effect on the webcam other than not being able to use the Video Effects feature.
    --------------------
    Click on Start> Run> type in services.msc> enter> find each of the 2 Services> double click on each> set Startup type to Manual> Stop the Service.
    ==============================
    If you do not use this any longer:
    Uninstall in Add/Remove Programs in the Control Panel
    Use Windows Explorer to access Local Drive> Programs> do a right click> Delete on each Logitech folder.
    Check and make sure no entries for it are on the Startup menu.

    Both of these files show missing in the HijackThis log you ran, but that does not always mean the file is actually missing.
    ================================
    How is the system doing otherwise?

