Can't open .exe files and Google search results redirected

notoriousnick

So when I try to open .exe files it brings up a window asking what program I want to use to open the file. This means I can't run malwarebytes, hijackthis, etc. Also, when I use google/yahoo, clicking on a google search result will redirect me to a spam site. Please help!
 
Welcome to TechSpot! That leaves you in a bad place! Let's try and get around it:

Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.pif
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately try to run the following:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Save the logs from the above and paste in your next reply. See if the programs will run now.
====================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
exeHelper by Raktor
Build 20100414
Run at 12:01:45 on 08/11/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
exeHelper by Raktor
Build 20100414
Run at 12:04:43 on 08/11/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Also, for future reference I am using Vista Basic. Also, I am able to run HijackThis when I run it as administrator. Here is the log from HijackThis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:31 AM, on 8/11/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
C:\Windows\System32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56343
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MRT] "C:\Windows\system32\MRT.exe" /R
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [conhost] C:\Users\Nick\AppData\Roaming\Microsoft\conhost.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [Cvke] rundll32 "C:\Windows\system32\winrssrvt.dll",bygfn
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, avgrsstx.dll
O20 - Winlogon Notify: mujiano - C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Unknown owner - C:\Program Files\Jumpstart\jswpsapi.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9309 bytes
 
You're welcome! Try the scans again first. When finished, go to next step.
==============================
Show Hidden Folders/Files
  • Open My Computer.
    [*] Go to Tools > Folder Options.
    [*] Select the View tab.
    [*] Scroll down to Hidden files and folders.
    [*] Select Show hidden files and folders.
    [*] Uncheck Hide extensions of known file types.
    [*] Uncheck Hide protected operating system files (Recommended).
    [*] Click Yes when prompted.
    [*] Click OK.
    [*] Close My Computer.

-----------------------------
Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following: ( you only need one)
VirusTotal
Jotti

  • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

    Code:
    C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll
    [2]. At the upload site, click once inside the window next to Browse.
    [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    [6]. Paste the contents of the Clipboard in your next reply.

Please go back to Folder Options and recheck 'don't show hidden files and folders' and recheck 'hide protected system files & folders (recommended)> Apply> OK.
============================
Then do the following: But be warned that I tend to get grumpy when someone I'm helping runs a program I haven't instructed them to run! You have run an outdated version of HijackThis.

Delete this version of HJT. Delete the log. Reboot the computer.

Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log will open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. Save that log.
>>>> It will be used in next step.
-----------------------
Please reopen HijackThis to 'Do a system scan only'. Check each of the following if present:


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56343
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: mujiano - C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe


Close all Windows except HijackThis and click on "Fix Checked."
----------------------------------------
Run this removal tool for AVG: AVG Remover:32bit
======================================
Logs: Post logs if you have been able to run any of the scans.
Post the HJT log after you have run the removals.
No log for AVG Remover.
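The entries the helper singled out above (the localhost proxy, the orphaned BHO, the autoruns under AppData and under Policies\Explorer\Run, the Winlogon Notify DLL) can be picked out of a HijackThis log mechanically. The Python script below is an added example for this thread; it is not code from HijackThis, from the helper or from the forum, and the rules are my own review heuristics. Its sample lines are copied from the logs posted here, plus one constructed `[svchost]` autorun line added to exercise the wrong-directory check:

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread, not code from HijackThis or from the forum.
The rules below are my own heuristics, written from the entries the helper
singled out; they are hints for review, not verdicts.
"""
import ntpath
import re

# Constructed sample in HijackThis log format. Most lines are copied from the
# logs posted in the thread; the [svchost] autorun line is constructed to
# exercise the "system binary in the wrong directory" check.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56343
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [conhost] C:\Users\Nick\AppData\Roaming\Microsoft\conhost.exe
O4 - HKCU\..\Run: [svchost] C:\Windows\system\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [Cvke] rundll32 "C:\Windows\system32\winrssrvt.dll",bygfn
O4 - HKUS\S-1-5-18\..\Run: [1653478294] C:\Windows\system32\config\systemprofile\AppData\Local\yje.exe (User 'SYSTEM')
O20 - Winlogon Notify: mujiano - C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# First Windows path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com|pif))\b', re.IGNORECASE)

# Where these well-known binaries live on a 32-bit Windows install (the thread's
# machine is 32-bit Vista; on 64-bit Windows a SysWOW64 copy is also legitimate).
EXPECTED_DIR = {
    "conhost.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def extract_path(line: str):
    """Return the first file path in a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage_line(line: str) -> list:
    """Return the list of reasons a line deserves a closer look (empty if none)."""
    reasons = []
    code = line.split(" - ", 1)[0]          # R0/R1/O2/O4/... section code
    low = line.lower()

    if "proxyserver" in low and re.search(r"127\.0\.0\.1|localhost", low):
        reasons.append("browser proxy points at localhost: a local process sits "
                       "between the browser and the network (fits search redirects)")
    if code == "O2" and "(no file)" in low:
        reasons.append("BHO registered but file missing: orphaned entry, safe to remove")
    if "\\policies\\explorer\\run" in low:
        reasons.append("Policies\\Explorer\\Run autostart: rarely used by legitimate software")
    if code == "O20" and "winlogon notify" in low:
        reasons.append("Winlogon Notify DLL: legacy hook that loads at logon, review the file")
    if code == "O4" and re.search(r"\[\d+\]", line):
        reasons.append("autorun value name is only digits: typical of generated names")

    path = extract_path(line)
    if path:
        if "\\appdata\\" in path.lower():
            reasons.append("autostart binary lives under a profile's AppData directory")
        base = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        if base in EXPECTED_DIR and directory != EXPECTED_DIR[base]:
            reasons.append(f"{base} is not in its normal directory (found in {directory})")
    return reasons


def triage(log_text: str) -> dict:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("   ->", r)
```

Run as a script it prints each flagged line with its reasons; on the sample, seven of the nine lines are flagged and the two ordinary entries (the Intel tray icon and the Malwarebytes service) pass. The "wrong directory" rule is the one that would also catch the `C:\Windows\system\svchost.exe` path the original poster mentions later in the thread: a binary carrying a system name but sitting outside System32 is worth a second look regardless of what a scanner says about it.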
 
When trying to open this file: C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll it says I don't have permission to open the file. I tried changing the file permission to give me full access, but it didn't work.
 
Forget about this file. I'll remove it. Were you able to run any of the scans? If so, I need the logs.
 
I couldn't run online scan.
I ran hijackthis and removed the requested files.
I ran avg remover and removed avg.
Here is the scan from HijackThis, from before I removed the requested files:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:25:26 PM, on 8/12/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:56343
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MRT] "C:\Windows\system32\MRT.exe" /R
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [conhost] C:\Users\Nick\AppData\Roaming\Microsoft\conhost.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [Cvke] rundll32 "C:\Windows\system32\winrssrvt.dll",bygfn
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [1653478294] C:\Windows\system32\config\systemprofile\AppData\Local\yje.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL, avgrsstx.dll
O20 - Winlogon Notify: mujiano - C:\Windows\system32\config\systemprofile\AppData\Local\mujiano.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Unknown owner - C:\Program Files\Jumpstart\jswpsapi.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8972 bytes

Also, while I've got you, malwarebytes keeps stopping a process from running called: backdoorbot, file location: C:\\Windows\system\svchost.exe.

I didn't run a scan with it, the warning just popped up.
 
I couldn't run online scan.

So you're getting Backdoor.bot stopping Mbam. That is not a good thing. And you can't ID the process in the first Virscan. You do have online access- right?

If so, let's try this:
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org free on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:

    c:\windows\system32\userinit.exe

    c:\windows\explorer.exe

    c:\windows\system32\svchost.exe


  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
=========================================
I ran avg remover and removed avg.

It doesn't look like you replaced it with one of the other AV indicated at the end of the App Remover. It looks like McAfee is only being used as a Site Advisor- is that correct? You need to have some AV protection on the system.

So far I have nothing but HJT logs and that's not enough to work with. Here is the full preliminary list of steps:

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Can you do any of this?
I'd also like to run an online virus scan- see if you can do that:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the ESET Smart Installer download image to download it. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===========================================
If you have malware such as Ramnit, Sality or Virut, there is no point in going on as they are not curable and I would then recommend a reformat/reinstall.
 
part 1

Avira was run, and removed 2 threats.

-------------------------------------

The option to rescan wasn't available for the first file, but it was for the second two. So the second two were rescanned.

VirSCAN.org Scanned Report :
Scanned time : 2008/11/22 15:14:37 (CST)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 25088 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0e135526e9785d085bcd9aede6fbcbf9
SHA1 : d15244d41efddbab08d53fe032aedff39091d3af
Online report : http://r.virscan.org/ffba0ea65ad66c031826c60a3d422b2d

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.26 20081122063100 2008-11-22 4.20 -
AhnLab V3 2008.11.22.00 2008.11.22 2008-11-22 1.04 -
AntiVir 7.9.0.35 7.1.0.122 2008-11-21 1.55 -
Antiy 2.0.18 20081122.1722967 2008-11-22 0.12 -
Arcavir 1.0.5 200811211356 2008-11-21 1.22 -
Authentium 5.1.1 200811212255 2008-11-21 1.09 -
AVAST! 3.0.1 081121-0 2008-11-21 0.01 -
AVG 7.5.52.442 270.9.9/1804 2008-11-21 1.73 -
BitDefender 7.81008.2247023 7.22006 2008-11-22 2.06 -
CA (VET) 9.0.0.143 31.6.6222 2008-11-22 5.37 -
ClamAV 0.94.1 8661 2008-11-21 0.01 -
Comodo 2.11 2.0.0.712 2008-11-20 0.39 -
CP Secure 1.1.0.715 2008.11.22 2008-11-22 6.42 -
Dr.Web 4.44.0.9170 2008.11.22 2008-11-22 3.56 -
ewido 4.0.0.2 2008.11.21 2008-11-21 6.75 -
F-Prot 4.4.4.56 20081121 2008-11-21 1.08 -
F-Secure 5.51.6100 2008.11.22.02 2008-11-22 0.04 -
Fortinet 2.81-3.117 9.731 2008-11-21 0.34 -
GData 19.1621/19.116 20081122 2008-11-22 3.48 -
ViRobot 20081121 2008.11.21 2008-11-21 0.41 -
Ikarus T3.1.01.45 2008.11.22.71896 2008-11-22 3.94 -
JiangMin 11.0.706 2008.11.22 2008-11-22 1.39 -
Kaspersky 5.5.10 2008.11.22 2008-11-22 0.04 -
KingSoft 2008.9.8.18 2008.11.22.15 2008-11-22 0.79 -
McAfee 5.3.00 5441 2008-11-21 2.53 -
Microsoft 1.4104 2008.11.21 2008-11-21 5.77 -
mks_vir 2.01 2008.11.17 2008-11-17 2.69 -
Norman 5.93.01 5.93.00 2008-11-21 5.71 -
Panda 9.05.01 2008.11.21 2008-11-21 2.96 -
Trend Micro 8.700-1004 5.670.01 2008-11-21 0.03 -
Quick Heal 10.00 2008.11.21 2008-11-21 0.85 -
Rising 20.0 21.04.50.00 2008-11-22 0.78 -
Sophos 2.80.0 4.35 2008-11-22 2.03 -
Sunbelt 4474 4474 2008-11-04 0.50 -
Symantec 1.3.0.24 20081121.003 2008-11-21 2.02 -
nProtect 2008-11-21.03 2625860 2008-11-21 3.10 -
The Hacker 6.3.1.1 v00159 2008-11-19 0.45 -
VBA32 3.12.8.9 20081121.1440 2008-11-21 1.45 -
VirusBuster 4.5.11.10 10.94.1/715510 2008-11-21 0.93 -



-----------------------------


VirSCAN.org Scanned Report :
Scanned time : 2011/08/14 03:01:34 (CST)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 2926592 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : d07d4c3038f3578ffce1c0237f2a1253
SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a
Online report : http://r.virscan.org/44f45cc1ce2d5deca4c891d776784e6e

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.3 20110812180754 2011-08-12 0.36 -
AhnLab V3 2011.08.14.00 2011.08.14 2011-08-14 1.96 -
AntiVir 8.2.6.30 7.11.13.37 2011-08-12 0.30 -
Antiy 2.0.18 20110804.11725727 2011-08-04 0.02 -
Arcavir 2011 201107140423 2011-07-14 0.06 -
Authentium 5.1.1 201108130656 2011-08-13 1.54 -
AVAST! 4.7.4 110813-0 2011-08-13 0.14 -
AVG 8.5.850 271.1.1/3831 2011-08-13 0.25 -
BitDefender 7.90123.8924128 7.38594 2011-08-14 4.32 -
ClamAV 0.97.1 13434 2011-08-13 0.36 -
Comodo 5.1 9732 2011-08-13 1.85 -
CP Secure 1.3.0.5 2011.08.13 2011-08-13 0.47 -
Dr.Web 5.0.2.3300 2011.07.23 2011-07-23 13.19 -
F-Prot 4.6.2.117 20110813 2011-08-13 0.78 -
F-Secure 7.02.73807 2011.08.12.14 2011-08-12 0.25 -
Fortinet 4.2.257 13.539 2011-08-13 0.51 -
GData 22.1614 20110814 2011-08-14 0.11 -
ViRobot 20110813 2011.08.13 2011-08-13 0.37 -
Ikarus T3.1.32.20.0 2011.08.13.79075 2011-08-13 4.96 -
JiangMin 13.0.900 2011.08.13 2011-08-13 1.81 -
Kaspersky 5.5.10 2011.08.13 2011-08-13 0.12 -
KingSoft 2009.2.5.15 2011.8.13.12 2011-08-13 0.86 -
McAfee 5400.1158 6437 2011-08-13 9.44 -
Microsoft 1.7104 2011.08.13 2011-08-13 3.78 -
NOD32 3.0.21 6363 2011-08-09 0.22 -
Norman 6.07.10 6.07.00 2011-08-13 12.02 -
Panda 9.05.01 2011.08.12 2011-08-12 4.88 -
Trend Micro 9.200-1012 8.352.04 2011-08-13 0.04 -
Quick Heal 11.00 2011.08.13 2011-08-13 1.94 -
Rising 20.0 23.70.04.03 2011-08-12 2.56 -
Sophos 3.22.0 4.68 2011-08-13 3.73 -
Sunbelt 3.9.2497.2 10150 2011-08-12 0.74 -
Symantec 1.3.0.24 20110812.004 2011-08-12 0.19 -
nProtect 20110803.04 12178473 2011-08-03 1.15 -
The Hacker 6.7.0.1 v00276 2011-08-12 0.51 -
VBA32 3.12.16.4 20110813.0829 2011-08-13 3.97 -
VirusBuster 5.3.0.4 14.0.167.0/5859475 2011-08-13 0.00 -



-------------------------

VirSCAN.org Scanned Report :
Scanned time : 2011/08/14 03:06:16 (CST)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 21504 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3794b461c45882e06856f282eef025af
SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
Online report : http://r.virscan.org/694c8d9f534f89ba5fd0a851bb42ee63

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.3 20110812180754 2011-08-12 0.33 -
AhnLab V3 2011.08.14.00 2011.08.14 2011-08-14 1.73 -
AntiVir 8.2.6.30 7.11.13.37 2011-08-12 0.56 -
Antiy 2.0.18 20110804.11725727 2011-08-04 0.02 -
Arcavir 2011 201107140423 2011-07-14 0.03 -
Authentium 5.1.1 201108130656 2011-08-13 2.29 -
AVAST! 4.7.4 110813-0 2011-08-13 0.01 -
AVG 8.5.850 271.1.1/3831 2011-08-13 0.93 -
BitDefender 7.90123.8924128 7.38594 2011-08-14 4.86 -
ClamAV 0.97.1 13434 2011-08-13 0.01 -
Comodo 5.1 9732 2011-08-13 1.77 -
CP Secure 1.3.0.5 2011.08.13 2011-08-13 0.04 -
Dr.Web 5.0.2.3300 2011.07.23 2011-07-23 13.30 -
F-Prot 4.6.2.117 20110813 2011-08-13 0.80 -
F-Secure 7.02.73807 2011.08.12.14 2011-08-12 0.19 -
Fortinet 4.2.257 13.539 2011-08-13 0.20 -
GData 22.1614 20110814 2011-08-14 0.11 -
ViRobot 20110813 2011.08.13 2011-08-13 0.37 -
Ikarus T3.1.32.20.0 2011.08.13.79075 2011-08-13 5.04 -
JiangMin 13.0.900 2011.08.13 2011-08-13 1.53 -
Kaspersky 5.5.10 2011.08.13 2011-08-13 0.11 -
KingSoft 2009.2.5.15 2011.8.13.12 2011-08-13 0.82 -
McAfee 5400.1158 6437 2011-08-13 10.04 -
Microsoft 1.7104 2011.08.13 2011-08-13 4.39 -
NOD32 3.0.21 6363 2011-08-09 0.01 -
Norman 6.07.10 6.07.00 2011-08-13 14.02 -
Panda 9.05.01 2011.08.12 2011-08-12 4.58 -
Trend Micro 9.200-1012 8.352.04 2011-08-13 0.04 -
Quick Heal 11.00 2011.08.13 2011-08-13 1.34 -
Rising 20.0 23.70.04.03 2011-08-12 2.22 -
Sophos 3.22.0 4.68 2011-08-13 3.89 -
Sunbelt 3.9.2497.2 10150 2011-08-12 0.80 -
Symantec 1.3.0.24 20110812.004 2011-08-12 0.08 -
nProtect 20110803.04 12178473 2011-08-03 1.16 -
The Hacker 6.7.0.1 v00276 2011-08-12 0.47 -
VBA32 3.12.16.4 20110813.0829 2011-08-13 4.29 -
VirusBuster 5.3.0.4 14.0.167.0/5859475 2011-08-13 0.00 -


----------------------


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7465

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

8/14/2011 12:52:06 PM
mbam-log-2011-08-14 (12-52-06).txt

Scan type: Quick scan
Objects scanned: 188691
Time elapsed: 22 minute(s), 56 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
c:\Windows\system\svchost.exe (Backdoor.Bot) -> 4812 -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\system\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


-----------------------------



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-14 13:03:34
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD16 rev.11.0
Running: og89d5k6.exe; Driver: C:\Users\Nick\AppData\Local\Temp\pwldqpow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


-------------------------------

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Nick at 13:07:06 on 2011-08-14
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.783 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k termfsc
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system\svchost.exe -k NetworkService
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = hxxp://google.com/
uSearch Bar =
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [conhost] c:\users\nick\appdata\roaming\microsoft\conhost.exe
uRun: [Google Update] "c:\users\nick\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Skytel] Skytel.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [1653478294] c:\windows\system32\config\systemprofile\appdata\local\yje.exe
mExplorerRun: [Cvke] rundll32
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{8759A705-0244-4C76-8348-39B7AE2DC4DC} : DhcpNameServer = 192.168.0.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: mujiano - c:\windows\system32\config\systemprofile\appdata\local\mujiano.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\nick\appdata\roaming\mozilla\firefox\profiles\6633dest.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56343
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\nick\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-17 64288]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-12-23 20384]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-13 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-13 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-13 66616]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-8 366640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-20 88176]
R2 TermServices;Remote Desktop Services;c:\windows\system32\svchost.exe -k termfsc [2008-1-20 21504]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-9-30 46392]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-9-30 7168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-8 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 2151640]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-7 135664]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe --> c:\program files\jumpstart\jswpsapi.exe [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-8 41272]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-9-30 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-14 16:58:50 7680 ----a-w- c:\windows\system\svchost.exe
2011-08-13 20:38:19 -------- d-----w- c:\users\nick\appdata\roaming\Avira
2011-08-13 20:23:35 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-13 20:23:32 -------- d-----w- c:\programdata\Avira
2011-08-13 20:23:32 -------- d-----w- c:\program files\Avira
2011-08-13 01:23:30 -------- d-----w- C:\HijackThis
2011-08-10 01:51:07 -------- d-----w- C:\Hostsxpert
2011-08-10 01:37:07 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-10 01:37:05 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-10 01:36:49 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-08-10 01:35:31 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-10 01:35:31 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-10 01:34:53 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-09 15:13:52 218624 ----a-w- c:\windows\system32\terdsw32.dll
2011-08-09 03:10:00 -------- d-----w- c:\users\nick\appdata\roaming\Malwarebytes
2011-08-09 03:09:56 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-09 03:09:55 -------- d-----w- c:\programdata\Malwarebytes
2011-08-09 03:09:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-09 03:09:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-06 00:05:59 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{716400d7-366a-4fb4-8f93-8c2adec73639}\mpengine.dll
2011-07-20 20:08:47 466944 ----a-w- c:\program files\mozilla firefox\plugins\NPcol400.dll
2011-07-20 20:08:45 -------- d-----w- c:\users\nick\appdata\roaming\Catalina Marketing Corp
2011-07-20 20:08:42 489672 ----a-w- c:\users\nick\appdata\roaming\microsoft\windows\start menu\programs\catalina marketing corp\UninstallCouponActivator.exe
2011-07-19 18:36:00 -------- d-----w- c:\programdata\HP Photo Creations
2011-07-19 18:36:00 -------- d-----w- c:\program files\HP Photo Creations
2011-07-19 18:35:45 -------- d-----w- c:\program files\Coupons
2011-07-19 18:34:43 -------- d-----w- c:\users\nick\appdata\roaming\HpUpdate
2011-07-19 18:30:58 -------- d-----w- c:\program files\HP
2011-07-19 18:30:19 -------- d-----w- c:\users\nick\appdata\local\HP
.
==================== Find3M ====================
.
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-30 07:32:27 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-22 00:07:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-03 02:34:50 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-02 13:34:49 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 13:09:07.36 ===============


---------------------------
 
part 2

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 12/23/2008 1:43:29 AM
System Uptime: 8/14/2011 12:54:09 PM (1 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Genuine Intel(R) CPU 585 @ 2.16GHz | CPU | 1080/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 140 GiB total, 76.673 GiB free.
D: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
2007 Microsoft Office system
Acrobat.com
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.5
Any Video Converter 3.1.7
Apple Software Update
Atheros Driver Installation Program
Atheros Wi-Fi Protected Setup Library
Avira AntiVir Personal - Free Antivirus
CD/DVD Drive Acoustic Silencer
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Coupon Printer for Windows
DVD MovieFactory for TOSHIBA
Google Chrome
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet 1000 J110 series Basic Device Software
HP Deskjet 1000 J110 series Help
HP Deskjet 1000 J110 series Product Improvement Study
HP Photo Creations
HP Update
InfraRecorder
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 26
Java(TM) 6 Update 6
Logitech Audio Echo Cancellation Component
Logitech Video Enumerator
Malwarebytes' Anti-Malware version 1.51.1.1800
McAfee SiteAdvisor
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft XML Parser
mIRC
Mozilla Firefox (3.6.16)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.1
Picasa 3
PrimoPDF -- by Nitro PDF Software
QuickBooks Financial Center
QuickTime
RealPlayer
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
RealUpgrade 1.0
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
SimCity™ Societies
Spelling Dictionaries Support For Adobe Reader 9
Switch Sound File Converter
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Desktop Links
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
Toshiba Registration
TOSHIBA Service Station
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
UMVPLStandalone
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2586924)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WildTangent Games
Windows Media Encoder 9 Series
Yahoo! BrowserPlus 2.9.8
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
8/9/2011 9:32:45 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume SQ004890V03.
8/9/2011 11:13:53 AM, Error: Service Control Manager [7030] - The Remote Desktop Services service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
8/9/2011 11:08:22 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/9/2011 11:08:21 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
8/9/2011 11:06:36 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/9/2011 11:03:14 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: voynu
8/9/2011 11:00:13 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Modules Installer service to connect.
8/9/2011 11:00:13 AM, Error: Service Control Manager [7000] - The Windows Modules Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/9/2011 11:00:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service TrustedInstaller with arguments "" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
8/8/2011 8:35:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
8/8/2011 8:16:20 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Spooler service.
8/8/2011 8:12:02 PM, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/8/2011 7:19:42 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX ctxusbm DfsC jswpslwf NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
8/8/2011 7:19:34 PM, Error: EventLog [6008] - The previous system shutdown at 7:18:07 PM on 8/8/2011 was unexpected.
8/8/2011 7:11:28 PM, Error: EventLog [6008] - The previous system shutdown at 7:10:07 PM on 8/8/2011 was unexpected.
8/8/2011 5:32:13 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SENS service.
8/8/2011 2:42:29 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
8/8/2011 11:55:29 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} to the user Nick-PC\Nick SID (S-1-5-21-71685524-1126486158-3962871672-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
8/8/2011 11:54:33 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user Nick-PC\Nick SID (S-1-5-21-71685524-1126486158-3962871672-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
8/8/2011 11:39:06 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
8/8/2011 11:37:13 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
8/8/2011 11:03:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
8/8/2011 10:49:26 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 21
8/8/2011 10:49:11 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 ctxusbm spldr Wanarpv6
8/8/2011 10:49:01 PM, Error: EventLog [6008] - The previous system shutdown at 10:37:59 PM on 8/8/2011 was unexpected.
8/14/2011 7:47:51 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
8/14/2011 7:22:29 AM, Error: EventLog [6008] - The previous system shutdown at 7:20:20 AM on 8/14/2011 was unexpected.
8/14/2011 7:20:28 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
8/14/2011 12:56:21 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ceangn voynu
8/14/2011 12:56:09 PM, Error: Service Control Manager [7000] - The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.
8/14/2011 12:56:09 PM, Error: Service Control Manager [7000] - The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.
8/14/2011 12:14:23 PM, Error: EventLog [6008] - The previous system shutdown at 12:13:03 PM on 8/14/2011 was unexpected.
8/13/2011 8:03:25 AM, Error: EventLog [6008] - The previous system shutdown at 8:01:25 AM on 8/13/2011 was unexpected.
8/13/2011 6:11:48 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
8/13/2011 6:11:42 PM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
8/13/2011 6:11:42 PM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
8/13/2011 4:38:51 PM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/13/2011 4:38:50 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
8/13/2011 2:46:14 PM, Error: EventLog [6008] - The previous system shutdown at 2:43:59 PM on 8/13/2011 was unexpected.
8/12/2011 12:51:56 AM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {D21ED08F-6B88-45EC-A71C-6BD453B561D0}. The error: "740" Happened while starting this command: "C:\Windows\system32\Adobe\Director\SwDnld.exe" -Embedding
8/12/2011 10:11:47 PM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
8/12/2011 10:11:47 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
8/12/2011 10:11:47 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/12/2011 10:11:47 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/11/2011 10:39:17 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
8/11/2011 10:39:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/11/2011 10:38:23 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/11/2011 10:37:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
8/11/2011 10:37:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
8/11/2011 10:37:45 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/11/2011 10:37:37 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/11/2011 10:37:23 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX ceangn ctxusbm DfsC jswpslwf NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx voynu Wanarpv6
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
8/11/2011 10:37:23 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
8/11/2011 1:40:36 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PlugPlay service.
.
==== End Of File ===========================


----------------------------


Here are the results of the Eset Scan:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif a variant of Java/TrojanDownloader.OpenStream.NAZ trojan
 
For the Eset entry:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================================
Uninstall this outdated version of Java: Java(TM) 6 Update 6. You have the current version, but the old program is a vulnerability. When that uninstall is finished:
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
  • [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
  • [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
  • [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
  • [6]. Click Apply > OK on Temporary Files Settings window.
Images courtesy java.com
=============================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
 
OTM:

All processes killed
========== FILES ==========
File/Folder C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mandy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 373795 bytes
->Java cache emptied: 73843045 bytes
->FireFox cache emptied: 125804945 bytes
->Flash cache emptied: 487 bytes

User: Nick
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 338661629 bytes
->Java cache emptied: 74618781 bytes
->FireFox cache emptied: 96245438 bytes
->Google Chrome cache emptied: 7582866 bytes
->Flash cache emptied: 1925617 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50326703 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 3708 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 734.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 08202011_190437

Files moved on Reboot...

Registry entries deleted on Reboot...


-------------------------------

Combofix:

ComboFix 11-08-20.01 - Nick 08/20/2011 18:24:16.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.842 [GMT -4:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mandy\AppData\Roaming\3B14.BF9
c:\users\Nick\AppData\Roaming\3B14.BF9
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system\svchost.exe
c:\windows\system32\no
c:\windows\system32\no\toscdspd.cpl.mui
c:\windows\system32\SV
c:\windows\system32\SV\toscdspd.cpl.mui
.
c:\windows\system32\user32.dll . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-07-20 to 2011-08-20 )))))))))))))))))))))))))))))))
.
.
2011-08-20 22:40 . 2011-08-20 22:45 -------- d-----w- c:\users\Nick\AppData\Local\temp
2011-08-20 22:40 . 2011-08-20 22:40 -------- d-----w- c:\users\Mandy\AppData\Local\temp
2011-08-20 22:40 . 2011-08-20 22:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-20 21:48 . 2011-08-20 21:48 -------- d-----w- C:\_OTM
2011-08-14 17:20 . 2011-08-14 17:20 -------- d-----w- c:\program files\ESET
2011-08-13 20:38 . 2011-08-13 20:38 -------- d-----w- c:\users\Nick\AppData\Roaming\Avira
2011-08-13 20:23 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-13 20:23 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-13 20:23 . 2011-08-13 20:23 -------- d-----w- c:\programdata\Avira
2011-08-13 20:23 . 2011-08-13 20:23 -------- d-----w- c:\program files\Avira
2011-08-13 01:23 . 2011-08-13 01:29 -------- d-----w- C:\HijackThis
2011-08-10 01:51 . 2011-08-10 01:51 -------- d-----w- C:\Hostsxpert
2011-08-10 01:37 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-10 01:37 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-10 01:36 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-08-10 01:35 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-10 01:35 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-10 01:34 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-09 15:13 . 2011-08-09 15:13 218624 ----a-w- c:\windows\system32\terdsw32.dll
2011-08-09 03:10 . 2011-08-09 03:10 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2011-08-09 03:09 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-09 03:09 . 2011-08-09 03:09 -------- d-----w- c:\programdata\Malwarebytes
2011-08-09 03:09 . 2011-08-11 14:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-09 03:09 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-08 20:54 . 2011-08-08 20:54 -------- d-----w- c:\windows\Sun
2011-08-06 00:05 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{716400D7-366A-4FB4-8F93-8C2ADEC73639}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-20 22:47 . 2011-08-20 22:47 7680 ----a-w- c:\windows\system\svchost.exe
2011-07-20 20:08 . 2011-07-20 20:08 489672 ----a-w- c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2011-06-30 07:32 . 2010-06-18 02:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-22 00:07 . 2011-06-22 00:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-20 01:22 . 2011-06-20 01:22 161792 ----a-w- c:\windows\system32\msls31.dll
2011-06-20 01:22 . 2011-06-20 01:22 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-06-20 01:22 . 2011-06-20 01:22 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-06-20 01:22 . 2011-06-20 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-06-20 01:22 . 2011-06-20 01:22 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-06-20 01:22 . 2011-06-20 01:22 367104 ----a-w- c:\windows\system32\html.iec
2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-06-20 01:22 . 2011-06-20 01:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-20 01:22 . 2011-06-20 01:22 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-20 01:22 . 2011-06-20 01:22 152064 ----a-w- c:\windows\system32\wextract.exe
2011-06-20 01:22 . 2011-06-20 01:22 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-06-20 01:22 . 2011-06-20 01:22 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-06-20 01:22 . 2011-06-20 01:22 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-06-20 01:22 . 2011-06-20 01:22 11776 ----a-w- c:\windows\system32\mshta.exe
2011-06-20 01:22 . 2011-06-20 01:22 101888 ----a-w- c:\windows\system32\admparse.dll
2011-06-20 01:22 . 2011-06-20 01:22 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-06-20 01:22 . 2011-06-20 01:22 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-06-03 02:34 . 2009-08-06 03:45 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-02 13:34 . 2011-07-13 19:40 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 23:14 . 2009-10-03 00:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-09-13 03:05 . 2009-09-13 03:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 03:06 . 2009-09-13 03:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 03:06 . 2009-09-13 03:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 03:06 . 2009-09-13 03:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 03:06 . 2009-09-13 03:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 03:07 . 2009-09-13 03:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 03:06 . 2009-09-13 03:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 03:06 . 2009-09-13 03:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 17:33 . 2009-08-14 17:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 03:06 . 2009-09-13 03:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"NDSTray.exe"="NDSTray.exe" [BU]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-19 202256]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"MRT"="c:\windows\system32\MRT.exe" [2011-08-10 52390856]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R0 ceangn;ceangn;c:\windows\System32\drivers\qdwqvn.sys [x]
R0 voynu;voynu;c:\windows\System32\drivers\hdftsi.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-06-28 2151640]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 88176]
S2 TermServices;Remote Desktop Services;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
termfsc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
.
2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-71685524-1126486158-3962871672-1000.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56343
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-conhost - c:\users\Nick\AppData\Roaming\Microsoft\conhost.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
Notify-mujiano - c:\windows\system32\config\systemprofile\AppData\Local\mujiano.dll
AddRemove-InfraRecorder - c:\program files\InfraRecorder\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-20 18:45
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h?????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(232)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\RacAgent.exe
.
**************************************************************************
.
Completion time: 2011-08-20 18:59:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-20 22:59
.
Pre-Run: 81,714,511,872 bytes free
Post-Run: 82,254,057,472 bytes free
.
- - End Of File - - 6F1AF6BEDFB75991F0F35718302AEEF3
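Added example (not ComboFix output and not from any post in this thread): a small triage pass over ComboFix log lines of the shapes that appear above. Three entries in that log are the ones a responder would want explained first: Firefox is configured with a manual proxy (network.proxy.type 1) pointing at 127.0.0.1:56343, which routes every page the browser fetches through a process on the same machine and is one common way search results get rewritten; an orphaned HKCU Run entry launched a conhost.exe from AppData\Roaming, where no Windows component lives; and a Winlogon Notify entry pointed at a DLL under the system profile's AppData. The rules below, the "[x]" reading (ComboFix's marker for a service whose file it could not find) and the sample lines are the editor's assumptions; a hit means "explain this entry", not "this is malware".

```python
"""Triage heuristics for ComboFix log lines.

Added example for this thread; it is not part of ComboFix or of any post.
The rules are the editor's assumptions about what deserves a second look.
"""
import re

# Constructed sample.  Line shapes copy the ComboFix output posted in the
# thread; the "[x]" service line (file not found on disk) is modelled on the
# second ComboFix log further down.
SAMPLE_LOG = r"""
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56343
FF - prefs.js: network.proxy.type - 1
HKCU-Run-conhost - c:\users\Nick\AppData\Roaming\Microsoft\conhost.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
Notify-mujiano - c:\windows\system32\config\systemprofile\AppData\Local\mujiano.dll
R0 ceangn;ceangn;c:\windows\System32\drivers\qdwqvn.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Autostart targets under per-user or shared writable trees.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata)\\", re.IGNORECASE)
PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")
RUN_RE = re.compile(r"^(HK(?:LM|CU))-Run-(\S+) - (.+)$")
NOTIFY_RE = re.compile(r"^Notify-(\S+) - (.+)$")
# "<R|S><0-4> name;display;path [yyyy-mm-dd size]" or "... [x]" when the file is missing.
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+?) \[(x|[^\]]+)\]$")


def triage(log_text):
    """Return (rule, subject, detail) tuples for every line that trips a rule."""
    prefs = {}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, target = m.groups()
            if USER_WRITABLE.search(target):
                findings.append(("run_target_in_user_writable_dir", hive + "\\Run\\" + name, target))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify entries register a DLL for winlogon.exe to load.
            findings.append(("winlogon_notify_dll", m.group(1), m.group(2)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _kind, start, name, _display, path, info = m.groups()
            # Boot/system-start driver whose file is gone: a typical rootkit remnant.
            if info == "x" and start in "01":
                findings.append(("early_start_driver_file_missing", name, path))
    # Manual proxy configuration (type 1) aimed at the local host: every request
    # the browser makes is handed to a process on this machine first.
    if prefs.get("network.proxy.type") == "1":
        host = prefs.get("network.proxy.http", "")
        if host in LOOPBACK:
            findings.append(("firefox_loopback_proxy", host, prefs.get("network.proxy.http_port", "")))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:34} {subject} -> {detail}")
```

Run it against a full ComboFix log to get the short list; everything else in the log (vendor services with a date and size, Run entries under Program Files) stays out of the way. The proxy rule only fires when network.proxy.type is 1, because a loopback address left behind with the proxy switched off is harmless.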
 
I keep getting a blue screen telling me there is a problem with my computer and it is preparing a data dump, or something like that. It then restarts my computer.
 
Please run this through VirSCAN for identification:

Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following: ( you only need one)
VirusTotal
Jotti

  • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

    Code:
    c:\windows\system32\user32.dll
    [2]. At the upload site, click once inside the window next to Browse.
    [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    [6]. Paste the contents of the Clipboard in your next reply.
==================================
I've got to find out what we're working with. If it's one of the file infectors like Ramnit, Virut or the Sality family, we can't clean that.
==================================
You do have a rootkit: Please run this:
Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    [o] Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    [o] Found non-standard or infected MBR.
    [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt; the name varies with the date and time.
  • Paste this log to your next message.
===================================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *user32.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===================================
I'm preparing some script for you to run through Combofix.
 
Please go ahead and do what I asked in my previous post. The results will make a difference in what we do.
 
VirSCAN.org Scanned Report :
Scanned time : 2011/09/01 03:13:41 (CST)
Scanner results: Scanners did not find malware!
File Name : user32.dll
File Size : 627712 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 75510147b94598407666f4802797c75a
SHA1 : 4c3a421fb6c890a81366fc8b0ba33630bb1ce896
Online report : http://r.virscan.org/e99c00c3b5c63a476f34ea1da8f645dd

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.3 20110901000251 2011-09-01 0.29 -
AhnLab V3 2011.08.31.00 2011.08.31 2011-08-31 1.55 -
AntiVir 8.2.6.50 7.11.14.60 2011-08-31 0.28 -
Antiy 2.0.18 20110804.11725727 2011-08-04 0.12 -
Arcavir 2011 201107140423 2011-07-14 2.27 -
Authentium 5.1.1 201108311452 2011-08-31 2.61 -
AVAST! 4.7.4 110831-0 2011-08-31 0.05 -
AVG 8.5.850 271.1.1/3868 2011-08-31 2.57 -
BitDefender 7.90123.8996735 7.38862 2011-09-01 4.40 -
ClamAV 0.97.1 13518 2011-08-31 0.01 -
Comodo 5.1 9945 2011-08-31 1.76 -
CP Secure 1.3.0.5 2011.08.31 2011-08-31 0.10 -
Dr.Web 5.0.2.3300 2011.09.01 2011-09-01 14.41 -
F-Prot 4.6.2.117 20110831 2011-08-31 1.81 -
F-Secure 7.02.73807 2011.08.31.05 2011-08-31 11.40 -
Fortinet 4.2.257 14.81 2011-08-31 0.10 -
GData 22.1855 20110901 2011-09-01 0.11 -
ViRobot 20110831 2011.08.31 2011-08-31 0.34 -
Ikarus T3.1.32.20.0 2011.08.31.79236 2011-08-31 4.74 -
JiangMin 13.0.900 2011.08.31 2011-08-31 1.54 -
Kaspersky 5.5.10 2011.08.31 2011-08-31 0.12 -
KingSoft 2009.2.5.15 2011.8.31.18 2011-08-31 0.82 -
McAfee 5400.1158 6455 2011-08-31 9.69 -
Microsoft 1.7604 2011.08.31 2011-08-31 3.35 -
NOD32 3.0.21 6423 2011-08-30 0.00 -
Norman 6.07.10 6.07.00 2011-08-31 10.01 -
Panda 9.05.01 2011.08.31 2011-08-31 2.59 -
Trend Micro 9.200-1012 8.360.11 2011-08-17 0.03 -
Quick Heal 11.00 2011.08.31 2011-08-31 1.10 -
Rising 20.0 23.73.01.03 2011-08-30 2.59 -
Sophos 3.22.0 4.68 2011-09-01 3.88 -
Sunbelt 3.9.2500.2 10328 2011-08-31 0.66 -
Symantec 1.3.0.24 20110831.002 2011-08-31 0.06 -
nProtect 20110831.02 12553780 2011-08-31 1.10 -
The Hacker 6.7.0.1 v00287 2011-08-31 0.48 -
VBA32 3.12.16.4 20110831.0853 2011-08-31 4.24 -
VirusBuster 5.3.0.4 14.0.195.0/6019407 2011-08-31 0.00 -


--------------------

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: TOSHIBA
BIOS Manufacturer: INSYDE
System Manufacturer: TOSHIBA
System Product Name: Satellite L305
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 143):
0x81E0C000 \SystemRoot\system32\ntkrnlpa.exe
0x821C6000 \SystemRoot\system32\hal.dll
0x8668F000 \SystemRoot\system32\kdcom.dll
0x8040A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8047A000 \SystemRoot\system32\PSHED.dll
0x8048B000 \SystemRoot\system32\BOOTVID.dll
0x80493000 \SystemRoot\system32\CLFS.SYS
0x804D4000 \SystemRoot\system32\CI.dll
0x80608000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80684000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80691000 \SystemRoot\system32\drivers\acpi.sys
0x806D7000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806E0000 \SystemRoot\system32\drivers\msisadrv.sys
0x806E8000 \SystemRoot\system32\drivers\pci.sys
0x8070F000 \SystemRoot\System32\drivers\partmgr.sys
0x8071E000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80721000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8072B000 \SystemRoot\system32\drivers\volmgr.sys
0x8073A000 \SystemRoot\System32\drivers\volmgrx.sys
0x80784000 \SystemRoot\System32\drivers\mountmgr.sys
0x80794000 \SystemRoot\system32\DRIVERS\pciide.sys
0x8079B000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x82406000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x824D4000 \SystemRoot\system32\drivers\atapi.sys
0x824DC000 \SystemRoot\system32\drivers\ataport.SYS
0x824FA000 \SystemRoot\system32\drivers\msahci.sys
0x82504000 \SystemRoot\system32\drivers\fltmgr.sys
0x82536000 \SystemRoot\system32\drivers\fileinfo.sys
0x82546000 \SystemRoot\system32\DRIVERS\Lbd.sys
0x82555000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x8255E000 \SystemRoot\System32\Drivers\ksecdd.sys
0x82604000 \SystemRoot\system32\drivers\ndis.sys
0x8270F000 \SystemRoot\system32\drivers\msrpc.sys
0x8273A000 \SystemRoot\system32\drivers\NETIO.SYS
0x87807000 \SystemRoot\System32\drivers\tcpip.sys
0x878F1000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x87A0A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87B1A000 \SystemRoot\system32\drivers\volsnap.sys
0x87B53000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
0x87B58000 \SystemRoot\system32\DRIVERS\tos_sps32.sys
0x87B9B000 \SystemRoot\System32\Drivers\spldr.sys
0x87BA3000 \SystemRoot\System32\Drivers\mup.sys
0x87BB2000 \SystemRoot\System32\drivers\ecache.sys
0x87BD9000 \SystemRoot\system32\drivers\disk.sys
0x8790C000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x87BEA000 \SystemRoot\system32\drivers\crcdisk.sys
0x82775000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x87A00000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x82780000 \SystemRoot\system32\DRIVERS\FwLnk.sys
0x82788000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x879FB000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8B60A000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8BCEE000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8BD8E000 \SystemRoot\System32\drivers\watchdog.sys
0x8BD9A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8BDA5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8BDE3000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8BE06000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8BE93000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8BED4000 \SystemRoot\system32\DRIVERS\athr.sys
0x8BFBB000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8BFCE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x82797000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8BFD9000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8BFDB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8BFE6000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
0x827C7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x825CF000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x807A9000 \SystemRoot\system32\DRIVERS\storport.sys
0x8BFF0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x827DF000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8BDF2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x805B4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x807EA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x805D7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x805EB000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8C20A000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8C21A000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8C21C000 \SystemRoot\system32\DRIVERS\ks.sys
0x8C246000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8C250000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8C25D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8C292000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8C400000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8C2A3000 \SystemRoot\system32\drivers\portcls.sys
0x8C2D0000 \SystemRoot\system32\drivers\drmk.sys
0x8C80F000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x8C92B000 \SystemRoot\system32\drivers\modem.sys
0x8C938000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8C941000 \SystemRoot\System32\Drivers\Null.SYS
0x8C948000 \SystemRoot\System32\Drivers\Beep.SYS
0x8C94F000 \SystemRoot\System32\drivers\vga.sys
0x8C95B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8C97C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8C984000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8C98C000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8C997000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8C9A5000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8C9AE000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8C9C4000 \SystemRoot\system32\DRIVERS\smb.sys
0x8C2F5000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8C327000 \SystemRoot\system32\drivers\afd.sys
0x8C9D8000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8C9EE000 \SystemRoot\system32\DRIVERS\jswpslwf.sys
0x8C800000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8C36F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8C9F3000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8C382000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8C3BE000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8C3C8000 \SystemRoot\System32\Drivers\dfsc.sys
0x8C3DF000 \SystemRoot\system32\DRIVERS\ctxusbm.sys
0x8CA08000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x8CA2F000 \SystemRoot\system32\drivers\RTSTOR.SYS
0x8CA43000 \SystemRoot\system32\DRIVERS\udfs.sys
0x8CA7E000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8CA8B000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x94A60000 \SystemRoot\System32\win32k.sys
0x8CB59000 \SystemRoot\System32\drivers\Dxapi.sys
0x8CB63000 \SystemRoot\system32\DRIVERS\monitor.sys
0x94C80000 \SystemRoot\System32\TSDDD.dll
0x94CA0000 \SystemRoot\System32\cdd.dll
0x8CB72000 \SystemRoot\system32\drivers\luafv.sys
0x8CB8D000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x8CBA4000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8CBB4000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8CBDE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8CBE8000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8792D000 \SystemRoot\system32\drivers\HTTP.sys
0x8799A000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x879B7000 \SystemRoot\system32\DRIVERS\bowser.sys
0x879D0000 \SystemRoot\System32\drivers\mpsdrv.sys
0xAC205000 \SystemRoot\system32\drivers\mrxdav.sys
0xAC226000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAC245000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAC27E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAC296000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAC2BE000 \SystemRoot\System32\DRIVERS\srv.sys
0xAC30D000 \SystemRoot\system32\drivers\peauth.sys
0xAC3EB000 \SystemRoot\System32\Drivers\secdrv.SYS
0x8C3F3000 \SystemRoot\System32\drivers\tcpipreg.sys
0xACA0F000 \SystemRoot\system32\drivers\spsys.sys
0xACABF000 \??\C:\Windows\system32\drivers\mbam.sys
0x778F0000 \Windows\System32\ntdll.dll

Processes (total 85):
0 System Idle Process
4 System
460 C:\Windows\System32\smss.exe
544 csrss.exe
588 C:\Windows\System32\wininit.exe
596 csrss.exe
624 C:\Windows\System32\winlogon.exe
676 C:\Windows\System32\services.exe
688 C:\Windows\System32\lsass.exe
696 C:\Windows\System32\lsm.exe
852 C:\Windows\System32\svchost.exe
908 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
952 C:\Windows\System32\svchost.exe
988 C:\Windows\System32\svchost.exe
1112 C:\Windows\System32\svchost.exe
1128 C:\Windows\System32\svchost.exe
1208 C:\Windows\System32\audiodg.exe
1248 C:\Windows\System32\svchost.exe
1264 C:\Windows\System32\SLsvc.exe
1300 C:\Windows\System32\svchost.exe
1436 C:\Windows\System32\svchost.exe
1556 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
1568 C:\Windows\System32\wlanext.exe
1692 C:\Windows\System32\spoolsv.exe
1716 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1728 C:\Windows\System32\svchost.exe
1884 C:\Windows\System32\agrsmsvc.exe
1928 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1944 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
1996 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
312 C:\Program Files\Common Files\Motive\McciCMService.exe
328 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
512 C:\Windows\System32\svchost.exe
524 C:\Windows\System32\rundll32.exe
1160 C:\Windows\System32\svchost.exe
1416 C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
1400 C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
2076 C:\Windows\System32\TODDSrv.exe
2100 C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
2124 C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe
2332 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2384 C:\Windows\System32\svchost.exe
2436 C:\Windows\System32\SearchIndexer.exe
2540 C:\Windows\System32\taskeng.exe
2556 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2572 C:\Windows\System32\dwm.exe
2612 C:\Windows\explorer.exe
2848 C:\Windows\System32\hkcmd.exe
2856 C:\Windows\System32\igfxpers.exe
2864 C:\Windows\RtHDVCpl.exe
2872 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
2912 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3004 C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
3024 C:\Program Files\Toshiba\SmoothView\SmoothView.exe
3100 C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
3132 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
3220 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3244 C:\Program Files\Citrix\ICA Client\concentr.exe
3252 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
3308 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3316 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3336 C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
3452 C:\Windows\System32\taskeng.exe
3776 C:\Windows\System32\igfxsrvc.exe
3860 unsecapp.exe
3988 WmiPrvSE.exe
2240 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
1076 C:\Program Files\Citrix\ICA Client\wfcrun32.exe
3216 C:\Windows\System32\igfxext.exe
3128 C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
3568 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
2948 C:\Program Files\Windows Media Player\wmpnscfg.exe
232 C:\Program Files\Windows Media Player\wmpnetwk.exe
2692 C:\Windows\System32\svchost.exe
3924 C:\Windows\System32\Macromed\Flash\FlashUtil10t_ActiveX.exe
4232 C:\Program Files\Internet Explorer\iexplore.exe
4304 C:\Program Files\Internet Explorer\iexplore.exe
5928 C:\Windows\System32\notepad.exe
4680 taskeng.exe
840 C:\Windows\System32\SearchProtocolHost.exe
5792 C:\Windows\System32\SearchFilterHost.exe
5604 C:\Windows\System32\dllhost.exe
3600 dllhost.exe
5136 dllhost.exe
5496 C:\Users\Nick\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BEVS-26VAT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: BBAD517F7EAC529451E4B9586C847AE190574F61


Done!


----------------------------


SystemLook 30.07.11 by jpshortstuff
Log created at 16:16 on 31/08/2011 by Nick
Administrator - Elevation successful

========== filefind ==========

Searching for "*user32.dll"
C:\Windows\ERDNT\cache\user32.dll --a---- 627712 bytes [22:52 20/08/2011] [06:28 11/04/2009] 75510147B94598407666F4802797C75A
C:\Windows\System32\user32.dll --a---- 627712 bytes [23:53 17/09/2009] [06:28 11/04/2009] 75510147B94598407666F4802797C75A
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll --a---- 627200 bytes [02:34 21/01/2008] [02:34 21/01/2008] B974D9F06DC7D1908E825DC201681269
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll --a---- 627712 bytes [23:53 17/09/2009] [06:28 11/04/2009] 75510147B94598407666F4802797C75A

-= EOF =-
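Added example (not SystemLook, VirSCAN or any post in this thread): the check behind the helper's user32.dll steps, carried out over the SystemLook filefind log just posted. A file infector patches the live C:\Windows\System32 copy, so a patched copy no longer hashes to any copy Windows keeps in the WinSxS component store; the posted log shows the live copy with the same MD5 as the 6.0.6002.18005 store copy, which agrees with the VirSCAN result. The script also confirms that the MD5 the scanner reported is the hash of the live copy, so the file uploaded was the one the system actually runs. The constructed "patched" log, its made-up hash and size, and the version-sorting rule are the editor's assumptions.

```python
"""Cross-check a system DLL against the WinSxS component store.

Added example for this thread, not part of SystemLook, VirSCAN or any post.
It reads SystemLook ":filefind" output and asks whether the live System32
copy hashes to a copy Windows itself keeps in WinSxS.
"""
import re

# Lines copied in shape from the SystemLook log posted in the thread.
CLEAN_LOG = r"""
========== filefind ==========

Searching for "*user32.dll"
C:\Windows\ERDNT\cache\user32.dll --a---- 627712 bytes [22:52 20/08/2011] [06:28 11/04/2009] 75510147B94598407666F4802797C75A
C:\Windows\System32\user32.dll --a---- 627712 bytes [23:53 17/09/2009] [06:28 11/04/2009] 75510147B94598407666F4802797C75A
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll --a---- 627200 bytes [02:34 21/01/2008] [02:34 21/01/2008] B974D9F06DC7D1908E825DC201681269
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll --a---- 627712 bytes [23:53 17/09/2009] [06:28 11/04/2009] 75510147B94598407666F4802797C75A

-= EOF =-
"""

# Constructed negative case: same log, but the live copy has grown and its
# MD5 (a made-up value) matches nothing in the store.
PATCHED_LOG = CLEAN_LOG.replace(
    r"C:\Windows\System32\user32.dll --a---- 627712 bytes [23:53 17/09/2009] [06:28 11/04/2009] 75510147B94598407666F4802797C75A",
    r"C:\Windows\System32\user32.dll --a---- 652288 bytes [03:12 29/08/2011] [06:28 11/04/2009] DEADBEEFDEADBEEFDEADBEEFDEADBEEF",
)

# One filefind hit: path, attributes, size, [mtime], [ctime], MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attr>\S+) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# Component-store directory names carry the assembly version: ..._6.0.6002.18005_none_...
VERSION_RE = re.compile(r"_(\d+(?:\.\d+){3})_none_")


def parse_filefind(text):
    """Return one dict (path, size, md5) per hit line in a SystemLook filefind log."""
    hits = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "size": int(m["size"]), "md5": m["md5"].upper()})
    return hits


def check_system_file(text, name="user32.dll"):
    """Compare the live System32 copy of `name` with the WinSxS copies in the log."""
    hits = [h for h in parse_filefind(text) if h["path"].lower().endswith("\\" + name)]
    live = [h for h in hits if "\\system32\\" in h["path"].lower()]
    store = []
    for h in hits:
        m = VERSION_RE.search(h["path"])
        if "\\winsxs\\" in h["path"].lower() and m:
            store.append((tuple(int(x) for x in m.group(1).split(".")), h))
    if len(live) != 1 or not store:
        return {"verdict": "insufficient_data", "live": len(live), "store": len(store)}
    live = live[0]
    store.sort(key=lambda item: item[0])          # newest assembly version last
    newest_ver, newest = store[-1]
    if live["md5"] == newest["md5"]:
        verdict = "matches_newest_store_copy"
    elif any(h["md5"] == live["md5"] for _, h in store):
        verdict = "matches_older_store_copy"       # genuine file, but a stale build
    else:
        verdict = "no_store_match"                 # modified on disk: infection or a bad repair
    return {"verdict": verdict, "live_md5": live["md5"], "live_size": live["size"],
            "newest_version": ".".join(map(str, newest_ver)), "newest_md5": newest["md5"]}


def upload_was_live_copy(scanner_md5, text, name="user32.dll"):
    """True when the MD5 a multi-engine scanner reported is the hash of the live copy."""
    return check_system_file(text, name).get("live_md5") == scanner_md5.upper()


if __name__ == "__main__":
    print(check_system_file(CLEAN_LOG))
    print(check_system_file(PATCHED_LOG))
    print(upload_was_live_copy("75510147b94598407666f4802797c75a", CLEAN_LOG))
```

Two caveats. The comparison is only as good as the component store: an infector that has also written into WinSxS leaves nothing trustworthy to compare against, and on 64-bit Windows the store holds amd64_ and wow64_ copies that need to be filtered by architecture before sorting. SystemLook reports MD5, which is fine for spotting a change but is not a collision-resistant hash; when you compute hashes yourself, use SHA-256.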
 
We need to finish this up- normally I would have closed the thread after 5 days of no reply, but I'm behind on doing that. If you're using the system during these time gaps, then the logs I'm working from will be different.

1. Please update Combofix and run a new scan.

2. Please update the Eset Online Virus scan and run a new scan.

3. Please give me a report on how/what the system is doing, or not doing, at this point.

Logs in next reply as soon as possible.
 
ComboFix 11-09-01.03 - Nick 09/01/2011 22:11:01.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.910 [GMT -4:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\bwUnin-7.2.0.157-8876480SL.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-09-02 02:24 . 2011-09-02 02:24 -------- d-----w- c:\users\Nick\AppData\Local\temp
2011-09-02 02:24 . 2011-09-02 02:24 -------- d-----w- c:\users\Mandy\AppData\Local\temp
2011-09-02 02:24 . 2011-09-02 02:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-20 21:48 . 2011-08-20 21:48 -------- d-----w- C:\_OTM
2011-08-14 17:20 . 2011-08-14 17:20 -------- d-----w- c:\program files\ESET
2011-08-13 20:38 . 2011-08-13 20:38 -------- d-----w- c:\users\Nick\AppData\Roaming\Avira
2011-08-13 20:23 . 2011-07-21 16:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-13 20:23 . 2011-07-21 16:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-13 20:23 . 2011-08-13 20:23 -------- d-----w- c:\programdata\Avira
2011-08-13 20:23 . 2011-08-13 20:23 -------- d-----w- c:\program files\Avira
2011-08-13 01:23 . 2011-08-13 01:29 -------- d-----w- C:\HijackThis
2011-08-10 01:51 . 2011-08-10 01:51 -------- d-----w- C:\Hostsxpert
2011-08-10 01:37 . 2011-06-17 16:03 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-10 01:37 . 2011-07-06 15:31 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-10 01:36 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-08-10 01:35 . 2011-06-20 08:54 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-10 01:35 . 2011-06-20 08:54 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-10 01:34 . 2011-06-17 20:13 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-09 03:10 . 2011-08-09 03:10 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2011-08-09 03:09 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-09 03:09 . 2011-08-09 03:09 -------- d-----w- c:\programdata\Malwarebytes
2011-08-09 03:09 . 2011-08-11 14:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-09 03:09 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-08 20:54 . 2011-08-08 20:54 -------- d-----w- c:\windows\Sun
2011-08-06 00:05 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{716400D7-366A-4FB4-8F93-8C2ADEC73639}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-20 20:08 . 2011-07-20 20:08 489672 ----a-w- c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2011-07-13 21:52 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-06-30 07:32 . 2010-06-18 02:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-22 00:07 . 2011-06-22 00:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-20 01:22 . 2011-06-20 01:22 161792 ----a-w- c:\windows\system32\msls31.dll
2011-06-20 01:22 . 2011-06-20 01:22 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-06-20 01:22 . 2011-06-20 01:22 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-06-20 01:22 . 2011-06-20 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-06-20 01:22 . 2011-06-20 01:22 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-06-20 01:22 . 2011-06-20 01:22 367104 ----a-w- c:\windows\system32\html.iec
2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-06-20 01:22 . 2011-06-20 01:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-20 01:22 . 2011-06-20 01:22 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-20 01:22 . 2011-06-20 01:22 152064 ----a-w- c:\windows\system32\wextract.exe
2011-06-20 01:22 . 2011-06-20 01:22 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-06-20 01:22 . 2011-06-20 01:22 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-06-20 01:22 . 2011-06-20 01:22 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-06-20 01:22 . 2011-06-20 01:22 11776 ----a-w- c:\windows\system32\mshta.exe
2011-06-20 01:22 . 2011-06-20 01:22 101888 ----a-w- c:\windows\system32\admparse.dll
2011-06-20 01:22 . 2011-06-20 01:22 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-06-20 01:22 . 2011-06-20 01:22 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2009-09-13 03:05 . 2009-09-13 03:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 03:06 . 2009-09-13 03:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 03:06 . 2009-09-13 03:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 03:06 . 2009-09-13 03:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 03:06 . 2009-09-13 03:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 03:07 . 2009-09-13 03:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 03:06 . 2009-09-13 03:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 03:06 . 2009-09-13 03:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 17:33 . 2009-08-14 17:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 03:06 . 2009-09-13 03:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"NDSTray.exe"="NDSTray.exe" [BU]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-19 202256]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R0 ceangn;ceangn;c:\windows\System32\drivers\qdwqvn.sys [x]
R0 voynu;voynu;c:\windows\System32\drivers\hdftsi.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [x]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-08-15 2151640]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 88176]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
termfsc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
.
2011-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
.
2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-71685524-1126486158-3962871672-1000.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56343
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Ad blocker: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} - %profile%\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-01 22:24
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h?????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-09-01 22:31:40
ComboFix-quarantined-files.txt 2011-09-02 02:31
ComboFix2.txt 2011-08-20 22:59
.
Pre-Run: 82,966,261,760 bytes free
Post-Run: 82,950,627,328 bytes free
.
- - End Of File - - DE423F9BD900938BA0C63D14F4A40DEE

------------------------------
ESET:

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif a variant of Java/TrojanDownloader.OpenStream.NAZ trojan

---------------------------------


There doesn't seem to be a lot of symptoms with the computer right now, except for one. When we close the laptop, and log back on later, the computer will log on, and then it will almost immediately crash, giving us a blue screen, then restarting.
 
Sorry- my face is red! The thread turned the page and I didn't!

Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
c:\windows\CouponPrinter.ocx
c:\windows\System32\drivers\qdwqvn.sys
c:\windows\System32\drivers\hdftsi.sys
Folder::
c:\users\Nick\AppData\Local\temp
c:\users\Mandy\AppData\Local\temp
c:\users\Default\AppData\Local\temp
Extra::
Firefox::
Firefox-: - Profile - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
Firefox-: prefs.jS - Search.DefaultURL
Firefox-: prefs.js - Startup.Homepage
Registry::
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h????????????????? .
Driver::
ceangn
voynu
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
For Eset: Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
====================================
I note that you are using MSIE: Internet Explorer v9.00 (9.00.8112.16421). Have you recently upgraded to IEv9? It's pretty new. Have any of these problems started since you installed this version?
=====================================
Reset your browser proxies
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click Ok to close the Local Area Network (LAN) Settings window.
    o Click Ok to close the Internet Options window.
===================================
Some of the errors in the Event Viewer indicate that some Services might not have their Dependencies running> if the problem continues, I'll have you check for errors that occur when you get the BSOD.
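The proxy and homepage lines ComboFix printed above (network.proxy.http 127.0.0.1, port 56343, the theprizeday.com startup page) are exactly what the proxy-reset step undoes. As an added example that is not part of this thread or of any tool it mentions, the following script parses those 'FF - prefs.js' lines out of a ComboFix log and flags a loopback proxy or an unexpected homepage/search engine; the sample log text is constructed from the lines in the thread.

```python
"""Flag browser-hijack indicators in the 'FF - prefs.js' lines of a ComboFix log.

Added example, not code from the thread or from ComboFix/OTMoveIt.
The sample below is constructed from the log lines quoted in the thread.
"""
import re
from ipaddress import ip_address

# Constructed sample: the Firefox section as ComboFix prints it (http is defanged as hxxp).
SAMPLE_LOG = r"""
uStart Page = hxxp://google.com/
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56343
FF - prefs.js: network.proxy.type - 1
"""

PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")


def parse_ff_prefs(log_text):
    """Return {pref_name: value} for every 'FF - prefs.js:' line in the log."""
    prefs = {}
    for line in log_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group("key")] = m.group("value").strip()
    return prefs


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or 'localhost'."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def host_of(url):
    """Hostname of a (possibly defanged, possibly scheme-less) URL."""
    url = re.sub(r"^(hxxps?|https?)://", "", url, flags=re.I)
    return url.split("/", 1)[0].lower()


def find_hijack_indicators(prefs,
                           expected_home_hosts=("google.com", "www.google.com"),
                           expected_engines=("Google",)):
    """Return a list of human-readable findings; empty list means nothing suspicious."""
    findings = []

    # network.proxy.type 1 = manual proxy. A manual proxy on the loopback address is the
    # classic way redirect malware interposes itself on every browser request.
    if prefs.get("network.proxy.type") == "1":
        host = prefs.get("network.proxy.http", "")
        port = prefs.get("network.proxy.http_port", "")
        if is_loopback(host):
            findings.append(f"manual HTTP proxy to loopback {host}:{port}")

    # ComboFix joins multiple startup tabs with '|'; check each host separately.
    for url in filter(None, prefs.get("browser.startup.homepage", "").split("|")):
        h = host_of(url)
        if h not in expected_home_hosts:
            findings.append(f"startup homepage points to unexpected host {h}")

    engine = prefs.get("browser.search.selectedEngine")
    if engine and engine not in expected_engines:
        findings.append(f"default search engine changed to {engine}")

    return findings


if __name__ == "__main__":
    for finding in find_hijack_indicators(parse_ff_prefs(SAMPLE_LOG)):
        print("suspicious:", finding)
```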
 
ComboFix 11-09-13.04 - Nick 09/13/2011 23:42:24.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.978 [GMT -4:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
Command switches used :: c:\users\Nick\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe"
"c:\windows\CouponPrinter.ocx"
"c:\windows\System32\drivers\hdftsi.sys"
"c:\windows\System32\drivers\qdwqvn.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Default\AppData\Local\temp
c:\users\Mandy\AppData\Local\temp
c:\users\Nick\AppData\Local\temp
c:\users\Nick\AppData\Local\temp\_ir_sf_temp_0\npCouponPrinter.dll
c:\users\Nick\AppData\Local\temp\_ir_sf_temp_0\npCouponPrinter.xpt
c:\users\Nick\AppData\Local\temp\_ir_sf_temp_0\npMozCouponPrinter.dll
c:\users\Nick\AppData\Local\temp\CR_B29C0.tmp\SETUP_PATCH.PACKED.7Z
c:\users\Nick\AppData\Local\temp\HP\AtStatus\hpinksts8811lm.log
c:\users\Nick\AppData\Local\temp\Low\_rf.log
c:\users\Nick\AppData\Local\temp\Low\Cab4FE4.tmp
c:\users\Nick\AppData\Local\temp\Low\cpnprt2.cid
c:\users\Nick\AppData\Local\temp\Low\Tar4FE5.tmp
c:\users\Nick\AppData\Local\temp\outlook logging\firstrun.log
c:\users\Nick\AppData\Local\temp\sv3fl.tmp\sv3hi.tmp
c:\users\Nick\AppData\Local\temp\Temp1_ieautofill.zip\file_id.diz
c:\users\Nick\AppData\Local\temp\Temp1_ieautofill.zip\readme.txt
c:\users\Nick\AppData\Local\temp\Temp1_ieautofill.zip\setup.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ceangn
-------\Service_voynu
.
.
((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
.
.
2011-09-14 03:58 . 2011-09-14 04:01 -------- d-----w- c:\users\Nick\AppData\Local\Temp
2011-09-06 01:30 . 2011-09-06 01:30 -------- d-----w- c:\programdata\RoboForm
2011-09-06 01:29 . 2011-09-06 01:29 -------- d-----w- c:\program files\Siber Systems
2011-09-05 02:23 . 2007-02-19 03:09 122552 ----a-w- c:\windows\system32\ieuihandler.dll
2011-09-05 02:23 . 2011-09-05 02:23 -------- d-----w- c:\program files\IE AutoFill
2011-08-23 17:06 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-20 21:48 . 2011-08-20 21:48 -------- d-----w- C:\_OTM
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-22 02:54 . 2011-08-10 07:19 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48 . 2011-08-10 07:19 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44 . 2011-08-10 07:19 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-21 16:15 . 2011-08-13 20:23 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-21 16:15 . 2011-08-13 20:23 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-20 20:08 . 2011-07-20 20:08 489672 ----a-w- c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2011-07-13 21:52 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-07-13 03:39 . 2011-08-06 00:05 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{716400D7-366A-4FB4-8F93-8C2ADEC73639}\mpengine.dll
2011-07-06 23:52 . 2011-08-09 03:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-08-09 03:09 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 15:31 . 2011-08-10 01:37 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-30 07:32 . 2010-06-18 02:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-22 00:07 . 2011-06-22 00:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-20 08:54 . 2011-08-10 01:35 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-20 08:54 . 2011-08-10 01:35 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-20 01:22 . 2011-06-20 01:22 161792 ----a-w- c:\windows\system32\msls31.dll
2011-06-20 01:22 . 2011-06-20 01:22 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-06-20 01:22 . 2011-06-20 01:22 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-06-20 01:22 . 2011-06-20 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-06-20 01:22 . 2011-06-20 01:22 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-06-20 01:22 . 2011-06-20 01:22 367104 ----a-w- c:\windows\system32\html.iec
2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-06-20 01:22 . 2011-06-20 01:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-20 01:22 . 2011-06-20 01:22 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-20 01:22 . 2011-06-20 01:22 152064 ----a-w- c:\windows\system32\wextract.exe
2011-06-20 01:22 . 2011-06-20 01:22 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-06-20 01:22 . 2011-06-20 01:22 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-06-20 01:22 . 2011-06-20 01:22 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-06-20 01:22 . 2011-06-20 01:22 11776 ----a-w- c:\windows\system32\mshta.exe
2011-06-20 01:22 . 2011-06-20 01:22 101888 ----a-w- c:\windows\system32\admparse.dll
2011-06-20 01:22 . 2011-06-20 01:22 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-06-20 01:22 . 2011-06-20 01:22 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-06-17 20:13 . 2011-08-10 01:34 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-17 16:03 . 2011-08-10 01:37 375808 ----a-w- c:\windows\system32\winsrv.dll
2009-09-13 03:05 . 2009-09-13 03:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 03:06 . 2009-09-13 03:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 03:06 . 2009-09-13 03:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 03:06 . 2009-09-13 03:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 03:06 . 2009-09-13 03:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 03:07 . 2009-09-13 03:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 03:06 . 2009-09-13 03:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 03:06 . 2009-09-13 03:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 17:33 . 2009-08-14 17:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 03:06 . 2009-09-13 03:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-09-06 107000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"NDSTray.exe"="NDSTray.exe" [BU]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-19 202256]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [x]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-09-02 2152152]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-08-10 94880]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
termfsc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
.
2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-71685524-1126486158-3962871672-1000.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{3AE521FE-D4E4-4404-AD15-A8414FFC467B} - {3AE521FE-D4E4-4404-AD15-A8414FFC467B} - c:\program files\IE AutoFill\ieautofill.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56343
FF - prefs.js: network.proxy.type - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-14 00:00
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h?????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RtHDVCpl.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\windows\system32\igfxext.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-09-14 00:12:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-14 04:12
ComboFix2.txt 2011-09-02 02:31
ComboFix3.txt 2011-08-20 22:59
.
Pre-Run: 83,176,636,416 bytes free
Post-Run: 83,010,514,944 bytes free
.
- - End Of File - - 3CD70561F68228AFCC3E6A7BA9867B99

-------------------------------------------

All processes killed
========== FILES ==========
File/Folder C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mandy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Nick
->Temp folder emptied: 516335 bytes
->Temporary Internet Files folder emptied: 277383864 bytes
->Java cache emptied: 1160504 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 16110 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3428 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 194611 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 266.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 09152011_210400

Files moved on Reboot...

Registry entries deleted on Reboot...

-----------------------------------------------------

Couldn't uncheck "use a proxy server for LAN" because it was never checked.
 
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\corp0.gif
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
======================================
This is a recurring exploit. Please check the information on this Microsoft site.
If you do not have this updater on the system, please get it.
====================================
About the reboot: Force it if you have to so you can check the time it happens on the computer clock. Errors in the Event Viewer are time coded, so you will look for any error in either System or Apps that corresponds to the reboot:

Please download VEW and save it to your Desktop:

Setting up the program

Double-click VEW.exe to run.

  • Select log to query, select
  • Application
  • System

    Under Select type to list, select:
  • Critical (Vista only)
  • Error

    Click the radio button for Number of events
  • Type 10 in the 1 to 20 box
  • Then click the Run button.
  • Notepad will open with the output log.

    Load the log
  • In Notepad, click Edit> Select all
  • Then press Edit > Copy
  • Press Ctrl+V on your keyboard to paste the log to your next reply.

(Courtesy rev-Olie)
 
All processes killed
========== FILES ==========
File/Folder C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mandy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Nick
->Temp folder emptied: 20163666 bytes
->Temporary Internet Files folder emptied: 210340738 bytes
->Java cache emptied: 437336 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 6819 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21713 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33237 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 711201 bytes

Total Files Cleaned = 221.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 10032011_210546

Files moved on Reboot...

Registry entries deleted on Reboot...


------------------------------

I believe the last BSOD was 10/03/11 @ 2:17

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 03/10/2011 10:08:06 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 04/10/2011 1:44:30 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 03/10/2011 10:48:43 PM
Type: Error Category: 0
Event: 8210 Source: System Restore
The scheduled restore point could not be created. Additional information: (0x800423f4).

Log: 'Application' Date/Time: 03/10/2011 10:48:43 PM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x800423f4).

Log: 'Application' Date/Time: 03/10/2011 10:48:43 PM
Type: Error Category: 0
Event: 16387 Source: SPP
Shadow copy creation failed because of error reported by ASR Writer. More info: The parameter is incorrect. (0x80070057).

Log: 'Application' Date/Time: 03/10/2011 9:07:41 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 03/10/2011 2:30:56 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application iexplore.exe, version 9.0.8112.16421, time stamp 0x4d76255d, faulting module tbCoup.dll, version 6.6.0.19, time stamp 0x4e5df640, exception code 0xc0000005, fault offset 0x002d1c28, process id 0xea0, application start time 0x01cc81d830fd00e0.

Log: 'Application' Date/Time: 03/10/2011 2:17:15 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
Type: Error Category: 0
Event: 8210 Source: System Restore
The scheduled restore point could not be created. Additional information: (0x800423f4).

Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x800423f4).

Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
Type: Error Category: 0
Event: 16387 Source: SPP
Shadow copy creation failed because of error reported by ASR Writer. More info: The parameter is incorrect. (0x80070057).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 25/08/2011 1:59:12 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Log: 'System' Date/Time: 22/08/2011 2:48:57 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Log: 'System' Date/Time: 13/08/2011 6:45:57 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Log: 'System' Date/Time: 13/08/2011 12:03:04 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Log: 'System' Date/Time: 09/08/2011 2:48:38 AM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Log: 'System' Date/Time: 24/06/2011 7:36:43 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Log: 'System' Date/Time: 19/06/2011 9:46:42 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Log: 'System' Date/Time: 15/06/2011 4:10:38 AM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Log: 'System' Date/Time: 24/03/2011 11:59:15 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Log: 'System' Date/Time: 10/03/2011 6:54:04 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 04/10/2011 1:44:31 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 04/10/2011 1:44:31 AM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 04/10/2011 1:05:47 AM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Log: 'System' Date/Time: 04/10/2011 12:49:35 AM
Type: Error Category: 0
Event: 10000 Source: Microsoft-Windows-DistributedCOM
Unable to start a DCOM Server: {D21ED08F-6B88-45EC-A71C-6BD453B561D0}. The error: "740" Happened while starting this command: "C:\Windows\system32\Adobe\Director\SwDnld.exe" -Embedding

Log: 'System' Date/Time: 03/10/2011 9:09:19 PM
Type: Error Category: 0
Event: 6161 Source: Microsoft-Windows-PrintSpooler
The document CouponNetwork Coupon, owned by Nick, failed to print on printer HP Deskjet 1000 J110 series. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 3066592. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\NICK-PC. Win32 error code returned by the print processor: 6. The handle is invalid.

Log: 'System' Date/Time: 03/10/2011 9:07:42 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 03/10/2011 9:07:42 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 03/10/2011 9:06:41 PM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 5:05:09 PM on 10/3/2011 was unexpected.

Log: 'System' Date/Time: 03/10/2011 2:17:16 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 03/10/2011 2:17:16 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.
 
Okay, as you probably know, these are Services related to the Logitech Webcam:

If you are still using this webcam:
Uninstall the software you have now.
Download the latest version.
Do NOT put the entries on the Startup Menu
Make sure the services are set to Manual, not Automatic:

Per bleepingcomputer:

LVSrvLauncher - there is no known description for this Service.

LVPrcSrv
Service Display Name: Logitech Process Monitor
Part of the Logitech QuickCam software and used for the Video Effects options. This topic states that disabling this process has no effect on the webcam other than not being able to use the Video Effects feature.
--------------------
Click on Start> Run> type in services.msc> enter> find each of the 2 Services> double click on each> set Startup type to Manual> Stop the Service.
==============================
If you do not use this any longer:
Uninstall in Add/Remove Programs in the Control Panel
Use Windows Explorer to access Local Drive> Programs> do a right click> Delete on each Logitech folder.
Check and make sure no entries for it are on the Startup menu.

Both of these files show missing in the HijackThis log you ran, but that does not always mean the file is actually missing.
================================
How is the system doing otherwise?
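A way to act on the two Logitech services from the command line, added here as an example and not part of the original thread. For each service it shows the executable the Service Control Manager is registered to launch and whether that file is actually on disk (the caveat above: "missing" in a HijackThis log is not proof the file is gone), then sets the service to Manual and stops it. It assumes PowerShell 2.0 or later, an elevated prompt, and that the second service is registered under the name LVPrcSrv as the bleepingcomputer description says.

```powershell
# Added example, not from the original thread. Inspects and disables the two
# Logitech services from the Event 7000 errors. Assumes PowerShell 2.0+ and an
# elevated prompt; the service names are taken from the post above.
$ServiceNames = 'LVSrvLauncher', 'LVPrcSrv'   # LVPrcSrv = "Logitech Process Monitor"

foreach ($Name in $ServiceNames) {
    # Win32_Service exposes the registered command line (PathName) and StartMode.
    $Svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $Svc) {
        "$Name : not registered on this system (nothing to do)"
        continue
    }

    # PathName may be quoted and may carry arguments; keep only the executable.
    $Exe = $Svc.PathName
    if ($Exe -match '^"([^"]+)"')       { $Exe = $Matches[1] }
    elseif ($Exe -match '^(\S+\.exe)')  { $Exe = $Matches[1] }
    $OnDisk = Test-Path -LiteralPath $Exe

    "{0,-14} state={1,-8} start={2,-6} exists={3,-5} {4}" -f $Name, $Svc.State, $Svc.StartMode, $OnDisk, $Exe

    # "The system cannot find the file specified" with the binary still present
    # points at a stale path or permissions rather than a truly missing file.
    # Either way, stop it from auto-starting at every boot.
    Set-Service -Name $Name -StartupType Manual
    if ($Svc.State -eq 'Running') { Stop-Service -Name $Name -Force }
}
```

If the path prints as existing, the two Event 7000 entries at each boot are a broken registration rather than a deleted file, and uninstalling and reinstalling the Logitech package is the clean fix; if it prints as not existing, the services are leftovers and uninstalling in Add/Remove Programs is the right route.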
 