[Active] Can't open .exe files and Google search results redirected

Discussion in 'Virus and Malware Removal' started by notoriousnick, Aug 11, 2011.

  1. Bobbye Helper on the Fringe

    Sorry- my face is red! The thread turned the page and I didn't!

    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
    c:\windows\CouponPrinter.ocx
    c:\windows\System32\drivers\qdwqvn.sys
    c:\windows\System32\drivers\hdftsi.sys
    Folder::
    c:\users\Nick\AppData\Local\temp
    c:\users\Mandy\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    Extra::
    Firefox::
    Firefox-: - Profile - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
    Firefox-: prefs.jS - Search.DefaultURL
    Firefox-: prefs.js - Startup.Homepage
    Registry::
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h????????????????? .
    Driver::
    ceangn
    voynu
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    For Eset: Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ====================================
    I note that you are using MSIE: Internet Explorer v9.00 (9.00.8112.16421). Have you recently upgraded to IEv9? It's pretty new. Have any of these problems started since you installed this version?
    =====================================
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
    ===================================
    Some of the errors in the Event Viewer indicate that some Services might not have their Dependencies running> if the problem continues, I'll have you check for errors that occur when you get the BSOD.
  2. notoriousnick Newcomer, in training

    ComboFix 11-09-13.04 - Nick 09/13/2011 23:42:24.1.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.978 [GMT -4:00]
    Running from: c:\users\Nick\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nick\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    FILE ::
    "c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe"
    "c:\windows\CouponPrinter.ocx"
    "c:\windows\System32\drivers\hdftsi.sys"
    "c:\windows\System32\drivers\qdwqvn.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Default\AppData\Local\temp
    c:\users\Mandy\AppData\Local\temp
    c:\users\Nick\AppData\Local\temp
    c:\users\Nick\AppData\Local\temp\_ir_sf_temp_0\npCouponPrinter.dll
    c:\users\Nick\AppData\Local\temp\_ir_sf_temp_0\npCouponPrinter.xpt
    c:\users\Nick\AppData\Local\temp\_ir_sf_temp_0\npMozCouponPrinter.dll
    c:\users\Nick\AppData\Local\temp\CR_B29C0.tmp\SETUP_PATCH.PACKED.7Z
    c:\users\Nick\AppData\Local\temp\HP\AtStatus\hpinksts8811lm.log
    c:\users\Nick\AppData\Local\temp\Low\_rf.log
    c:\users\Nick\AppData\Local\temp\Low\Cab4FE4.tmp
    c:\users\Nick\AppData\Local\temp\Low\cpnprt2.cid
    c:\users\Nick\AppData\Local\temp\Low\Tar4FE5.tmp
    c:\users\Nick\AppData\Local\temp\outlook logging\firstrun.log
    c:\users\Nick\AppData\Local\temp\sv3fl.tmp\sv3hi.tmp
    c:\users\Nick\AppData\Local\temp\Temp1_ieautofill.zip\file_id.diz
    c:\users\Nick\AppData\Local\temp\Temp1_ieautofill.zip\readme.txt
    c:\users\Nick\AppData\Local\temp\Temp1_ieautofill.zip\setup.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_ceangn
    -------\Service_voynu
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-14 03:58 . 2011-09-14 04:01 -------- d-----w- c:\users\Nick\AppData\Local\Temp
    2011-09-06 01:30 . 2011-09-06 01:30 -------- d-----w- c:\programdata\RoboForm
    2011-09-06 01:29 . 2011-09-06 01:29 -------- d-----w- c:\program files\Siber Systems
    2011-09-05 02:23 . 2007-02-19 03:09 122552 ----a-w- c:\windows\system32\ieuihandler.dll
    2011-09-05 02:23 . 2011-09-05 02:23 -------- d-----w- c:\program files\IE AutoFill
    2011-08-23 17:06 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-08-20 21:48 . 2011-08-20 21:48 -------- d-----w- C:\_OTM
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-22 02:54 . 2011-08-10 07:19 1797632 ----a-w- c:\windows\system32\jscript9.dll
    2011-07-22 02:48 . 2011-08-10 07:19 1126912 ----a-w- c:\windows\system32\wininet.dll
    2011-07-22 02:44 . 2011-08-10 07:19 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-07-21 16:15 . 2011-08-13 20:23 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-07-21 16:15 . 2011-08-13 20:23 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-07-20 20:08 . 2011-07-20 20:08 489672 ----a-w- c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
    2011-07-13 21:52 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
    2011-07-13 03:39 . 2011-08-06 00:05 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{716400D7-366A-4FB4-8F93-8C2ADEC73639}\mpengine.dll
    2011-07-06 23:52 . 2011-08-09 03:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52 . 2011-08-09 03:09 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 15:31 . 2011-08-10 01:37 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-30 07:32 . 2010-06-18 02:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-22 00:07 . 2011-06-22 00:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-20 08:54 . 2011-08-10 01:35 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-06-20 08:54 . 2011-08-10 01:35 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-06-20 01:22 . 2011-06-20 01:22 161792 ----a-w- c:\windows\system32\msls31.dll
    2011-06-20 01:22 . 2011-06-20 01:22 86528 ----a-w- c:\windows\system32\iesysprep.dll
    2011-06-20 01:22 . 2011-06-20 01:22 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2011-06-20 01:22 . 2011-06-20 01:22 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2011-06-20 01:22 . 2011-06-20 01:22 63488 ----a-w- c:\windows\system32\tdc.ocx
    2011-06-20 01:22 . 2011-06-20 01:22 367104 ----a-w- c:\windows\system32\html.iec
    2011-06-20 01:22 . 2011-06-20 01:22 74752 ----a-w- c:\windows\system32\iesetup.dll
    2011-06-20 01:22 . 2011-06-20 01:22 23552 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-20 01:22 . 2011-06-20 01:22 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-20 01:22 . 2011-06-20 01:22 152064 ----a-w- c:\windows\system32\wextract.exe
    2011-06-20 01:22 . 2011-06-20 01:22 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-06-20 01:22 . 2011-06-20 01:22 150528 ----a-w- c:\windows\system32\iexpress.exe
    2011-06-20 01:22 . 2011-06-20 01:22 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-06-20 01:22 . 2011-06-20 01:22 11776 ----a-w- c:\windows\system32\mshta.exe
    2011-06-20 01:22 . 2011-06-20 01:22 101888 ----a-w- c:\windows\system32\admparse.dll
    2011-06-20 01:22 . 2011-06-20 01:22 35840 ----a-w- c:\windows\system32\imgutil.dll
    2011-06-20 01:22 . 2011-06-20 01:22 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
    2011-06-17 20:13 . 2011-08-10 01:34 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-06-17 16:03 . 2011-08-10 01:37 375808 ----a-w- c:\windows\system32\winsrv.dll
    2009-09-13 03:05 . 2009-09-13 03:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-13 03:06 . 2009-09-13 03:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-13 03:06 . 2009-09-13 03:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2009-09-13 03:06 . 2009-09-13 03:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-13 03:06 . 2009-09-13 03:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-13 03:07 . 2009-09-13 03:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-13 03:06 . 2009-09-13 03:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-13 03:06 . 2009-09-13 03:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-08-14 17:33 . 2009-08-14 17:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-13 03:06 . 2009-09-13 03:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-09-06 107000]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-19 202256]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "HideSCAHealth"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 135664]
    R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [x]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
    R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-12 64288]
    S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
    S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-09-02 2152152]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2011-08-10 94880]
    S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    termfsc REG_MULTI_SZ TermServices
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
    .
    2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-08 03:45]
    .
    2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000Core.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
    .
    2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-71685524-1126486158-3962871672-1000UA.job
    - c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-10 18:18]
    .
    2011-08-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-71685524-1126486158-3962871672-1000.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: {{3AE521FE-D4E4-4404-AD15-A8414FFC467B} - {3AE521FE-D4E4-4404-AD15-A8414FFC467B} - c:\program files\IE AutoFill\ieautofill.dll
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\6633dest.default\
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 56343
    FF - prefs.js: network.proxy.type - 1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-14 00:00
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h?????????????????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Power Saver\TosCoSrv.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\RtHDVCpl.exe
    c:\program files\Toshiba\ConfigFree\NDSTray.exe
    c:\program files\Windows Media Player\wmpnscfg.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Citrix\ICA Client\wfcrun32.exe
    c:\windows\system32\igfxext.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-14 00:12:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-09-14 04:12
    ComboFix2.txt 2011-09-02 02:31
    ComboFix3.txt 2011-08-20 22:59
    .
    Pre-Run: 83,176,636,416 bytes free
    Post-Run: 83,010,514,944 bytes free
    .
    - - End Of File - - 3CD70561F68228AFCC3E6A7BA9867B99

    -------------------------------------------

    All processes killed
    ========== FILES ==========
    File/Folder C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Mandy
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Nick
    ->Temp folder emptied: 516335 bytes
    ->Temporary Internet Files folder emptied: 277383864 bytes
    ->Java cache emptied: 1160504 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 16110 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3428 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 194611 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 266.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 09152011_210400

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    -----------------------------------------------------

    Couldn't uncheck "use a proxy server for LAN" because it was never checked.
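    The Firefox lines in the ComboFix 'Supplementary Scan' above are the trace of the redirection this thread is about: a manual HTTP proxy on 127.0.0.1:56343 together with a changed homepage and search engine. As an added example, not part of the thread or of ComboFix, this Python script parses those 'FF - prefs.js:' lines and flags them; the sample log is constructed from the values in the log above, and the loopback and expected-host checks are assumptions of the example.

```python
"""Flag browser-hijack indicators in a ComboFix 'Supplementary Scan' block.

Added example for this thread, not ComboFix's own code. ComboFix prints
Firefox preferences as 'FF - prefs.js: <name> - <value>' lines and defangs
URLs as 'hxxp'. Two findings matter for search-result redirection: a manual
proxy (network.proxy.type 1) whose HTTP proxy is the machine itself, and a
homepage or search engine the user did not choose. SAMPLE_LOG is constructed
to mirror the thread's log.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
uStart Page = hxxp://google.com/
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\\users\\Nick\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\6633dest.default\\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56343
FF - prefs.js: network.proxy.type - 1
"""

PREF_LINE = re.compile(r"^FF - prefs\.js: (?P<name>[\w.]+) - (?P<value>.*)$")
PROXY_TYPE_MANUAL = "1"   # Firefox network.proxy.type: 0 = no proxy, 1 = manual


@dataclass
class Findings:
    proxy: list = field(default_factory=list)
    hijack: list = field(default_factory=list)


def parse_prefs(log_text):
    """Map preference name -> value for every 'FF - prefs.js:' line."""
    prefs = {}
    for line in log_text.splitlines():
        m = PREF_LINE.match(line.strip())
        if m:
            prefs[m.group("name")] = m.group("value").strip()
    return prefs


def is_local_proxy(host):
    """True when the configured proxy host is this machine (loopback)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.strip().lower() == "localhost"


def host_of(defanged_url):
    """Hostname of a ComboFix-defanged URL ('hxxp://host/path' or a bare 'host')."""
    url = re.sub(r"^hxxps?://|^https?://", "", defanged_url.strip(), flags=re.I)
    return url.split("/")[0].lower()


def analyze(log_text, expected_hosts=("google.com",), expected_engine="google"):
    """Return Findings for the proxy and homepage/search-engine checks."""
    prefs = parse_prefs(log_text)
    f = Findings()
    # Manual proxy to loopback: every request goes through a process on this
    # host, which is how results get rewritten while other checks look clean.
    # The fix the helper gives ("No Proxy") corresponds to network.proxy.type 0.
    if prefs.get("network.proxy.type") == PROXY_TYPE_MANUAL:
        host = prefs.get("network.proxy.http", "")
        port = prefs.get("network.proxy.http_port", "")
        if is_local_proxy(host):
            f.proxy.append(f"manual HTTP proxy to loopback {host}:{port}")
    # Homepages are '|'-separated; flag any host outside the expected set.
    for page in filter(None, prefs.get("browser.startup.homepage", "").split("|")):
        host = host_of(page)
        if host and not any(host == h or host.endswith("." + h) for h in expected_hosts):
            f.hijack.append(f"unexpected homepage host {host}")
    engine = prefs.get("browser.search.selectedEngine")
    if engine and engine.lower() != expected_engine:
        f.hijack.append(f"default search engine is {engine}, not {expected_engine}")
    return f


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for line in result.proxy + result.hijack:
        print("FLAG:", line)
```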
  3. Bobbye Helper on the Fringe

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ======================================
    This is a recurring exploit. Please check the information on this Microsoft site.
    If you do not have this updater on the system, please get it.
    ====================================
    About the reboot: Force it if you have to so you can check the time it happens on the computer clock. Errors in the Event Viewer are time coded, so you will look for any error in either System or Apps that corresponds to the reboot:

    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    • Under Select log to query, select:
      o Application
      o System
    • Under Select type to list, select:
      o Critical (Vista only)
      o Error
    • Click the radio button for Number of events
      o Type 10 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

    Load the log
    • In Notepad, click Edit > Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.

    (Courtesy rev-Olie)
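    The post above asks the poster to match Event Viewer errors against the time of the reboot. As an added example, not part of the thread or of VEW, this Python script parses VEW's report text into records and returns the events within a window of a given crash time; it assumes the dd/mm/yyyy, 12-hour format VEW states in its header, and the sample report is constructed in that format with abridged messages.

```python
"""Pull the Event Viewer entries that line up with a crash time out of VEW output.

Added example for this thread, not VEW's own code. VEW writes one record per
paragraph: a "Log: '<log>' Date/Time: dd/mm/yyyy h:mm:ss AM" line, then "Type:",
"Event: <id> Source: <source>" and the message. Its dates are dd/mm/yyyy (the
report says so), while a crash time written US-style is mm/dd/yy, so the two are
parsed with different formats before comparing. SAMPLE_REPORT is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_REPORT = """\
Vino's Event Viewer v01c run on Windows Vista in English

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 03/10/2011 2:30:56 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application iexplore.exe, faulting module tbCoup.dll, exception code 0xc0000005.

Log: 'Application' Date/Time: 03/10/2011 2:17:15 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003.

Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
Type: Error Category: 0
Event: 8210 Source: System Restore
The scheduled restore point could not be created. Additional information: (0x800423f4).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 25/08/2011 1:59:12 PM
Type: Critical Category: 0
Event: 41 Source: Microsoft-Windows-Kernel-Power
The last sleep transition was unsuccessful.
"""

HEADER = re.compile(
    r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$")
TYPE_LINE = re.compile(r"^Type: (?P<type>\w+) Category: \d+$")
EVENT_LINE = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")
VEW_FORMAT = "%d/%m/%Y %I:%M:%S %p"   # day first, 12-hour clock, as VEW prints
US_FORMAT = "%m/%d/%y %I:%M %p"       # month first, as in "10/03/11 2:17 PM"


@dataclass
class Event:
    log: str
    when: datetime
    type: str = ""
    event_id: int = 0
    source: str = ""
    message: str = ""


def parse_us_time(text):
    """Parse a US-style time such as the poster's '10/03/11 2:17 PM'."""
    return datetime.strptime(text, US_FORMAT)


def parse_vew(text):
    """Parse a VEW report into Event records; banner and section lines are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text):
        lines = [l.strip() for l in block.strip().splitlines()]
        # The '~~~' section banner sits directly above a block's first record.
        starts = [i for i, l in enumerate(lines) if HEADER.match(l)]
        if not starts:
            continue
        lines = lines[starts[0]:]
        head = HEADER.match(lines[0])
        ev = Event(head.group("log"), datetime.strptime(head.group("when"), VEW_FORMAT))
        message = []
        for line in lines[1:]:
            t, e = TYPE_LINE.match(line), EVENT_LINE.match(line)
            if t:
                ev.type = t.group("type")
            elif e:
                ev.event_id, ev.source = int(e.group("id")), e.group("source")
            else:
                message.append(line)
        ev.message = " ".join(message)
        events.append(ev)
    return events


def events_near(events, when, window_minutes=30):
    """Events within +/- window_minutes of `when`, oldest first."""
    window = timedelta(minutes=window_minutes)
    return sorted((e for e in events if abs(e.when - when) <= window), key=lambda e: e.when)


if __name__ == "__main__":
    # The poster's "10/03/11 @ 2:17" is month-first; the afternoon reading is used here.
    for ev in events_near(parse_vew(SAMPLE_REPORT), parse_us_time("10/03/11 2:17 PM")):
        print(f"{ev.when:%Y-%m-%d %H:%M:%S} {ev.log}/{ev.type} {ev.event_id} {ev.source}: {ev.message}")
```

Reading the same "10/03/11" as day-first would point at 10 March 2011, where this report has no events at all, which is why the two formats are kept separate.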
  4. notoriousnick Newcomer, in training

    All processes killed
    ========== FILES ==========
    File/Folder C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV \corp0.gif not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Mandy
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Nick
    ->Temp folder emptied: 20163666 bytes
    ->Temporary Internet Files folder emptied: 210340738 bytes
    ->Java cache emptied: 437336 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 6819 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 21713 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33237 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 711201 bytes

    Total Files Cleaned = 221.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 10032011_210546

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    ------------------------------

    I believe the last BSOD was 10/03/11 @ 2:17

    Vino's Event Viewer v01c run on Windows Vista in English
    Report run at 03/10/2011 10:08:06 PM

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 04/10/2011 1:44:30 AM
    Type: Error Category: 0
    Event: 10 Source: Microsoft-Windows-WMI
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    Log: 'Application' Date/Time: 03/10/2011 10:48:43 PM
    Type: Error Category: 0
    Event: 8210 Source: System Restore
    The scheduled restore point could not be created. Additional information: (0x800423f4).

    Log: 'Application' Date/Time: 03/10/2011 10:48:43 PM
    Type: Error Category: 0
    Event: 8193 Source: System Restore
    Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x800423f4).

    Log: 'Application' Date/Time: 03/10/2011 10:48:43 PM
    Type: Error Category: 0
    Event: 16387 Source: SPP
    Shadow copy creation failed because of error reported by ASR Writer. More info: The parameter is incorrect. (0x80070057).

    Log: 'Application' Date/Time: 03/10/2011 9:07:41 PM
    Type: Error Category: 0
    Event: 10 Source: Microsoft-Windows-WMI
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    Log: 'Application' Date/Time: 03/10/2011 2:30:56 PM
    Type: Error Category: 100
    Event: 1000 Source: Application Error
    Faulting application iexplore.exe, version 9.0.8112.16421, time stamp 0x4d76255d, faulting module tbCoup.dll, version 6.6.0.19, time stamp 0x4e5df640, exception code 0xc0000005, fault offset 0x002d1c28, process id 0xea0, application start time 0x01cc81d830fd00e0.

    Log: 'Application' Date/Time: 03/10/2011 2:17:15 PM
    Type: Error Category: 0
    Event: 10 Source: Microsoft-Windows-WMI
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
    Type: Error Category: 0
    Event: 8210 Source: System Restore
    The scheduled restore point could not be created. Additional information: (0x800423f4).

    Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
    Type: Error Category: 0
    Event: 8193 Source: System Restore
    Failed to create restore point on volume (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Descripton = Scheduled Checkpoint; Hr = 0x800423f4).

    Log: 'Application' Date/Time: 03/10/2011 4:27:09 AM
    Type: Error Category: 0
    Event: 16387 Source: SPP
    Shadow copy creation failed because of error reported by ASR Writer. More info: The parameter is incorrect. (0x80070057).

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 25/08/2011 1:59:12 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 22/08/2011 2:48:57 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 13/08/2011 6:45:57 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 13/08/2011 12:03:04 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 09/08/2011 2:48:38 AM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 24/06/2011 7:36:43 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 19/06/2011 9:46:42 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 15/06/2011 4:10:38 AM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 24/03/2011 11:59:15 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    Log: 'System' Date/Time: 10/03/2011 6:54:04 PM
    Type: Critical Category: 0
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 04/10/2011 1:44:31 AM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 04/10/2011 1:44:31 AM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 04/10/2011 1:05:47 AM
    Type: Error Category: 0
    Event: 7031 Source: Service Control Manager
    The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

    Log: 'System' Date/Time: 04/10/2011 12:49:35 AM
    Type: Error Category: 0
    Event: 10000 Source: Microsoft-Windows-DistributedCOM
    Unable to start a DCOM Server: {D21ED08F-6B88-45EC-A71C-6BD453B561D0}. The error: "740" Happened while starting this command: "C:\Windows\system32\Adobe\Director\SwDnld.exe" -Embedding

    Log: 'System' Date/Time: 03/10/2011 9:09:19 PM
    Type: Error Category: 0
    Event: 6161 Source: Microsoft-Windows-PrintSpooler
    The document CouponNetwork Coupon, owned by Nick, failed to print on printer HP Deskjet 1000 J110 series. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 3066592. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\NICK-PC. Win32 error code returned by the print processor: 6. The handle is invalid.

    Log: 'System' Date/Time: 03/10/2011 9:07:42 PM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 03/10/2011 9:07:42 PM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 03/10/2011 9:06:41 PM
    Type: Error Category: 0
    Event: 6008 Source: EventLog
    The previous system shutdown at 5:05:09 PM on 10/3/2011 was unexpected.

    Log: 'System' Date/Time: 03/10/2011 2:17:16 PM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The LVSrvLauncher service failed to start due to the following error: The system cannot find the file specified.

    Log: 'System' Date/Time: 03/10/2011 2:17:16 PM
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The Logitech Process Monitor service failed to start due to the following error: The system cannot find the file specified.
  5. Bobbye Helper on the Fringe

    Okay, as you probably know, these are Services related to the Logitech Webcam:

    If you are still using this webcam:
    Uninstall the software you have now.
    Download the latest version.
    Do NOT put the entries on the Startup Menu.
    Make sure the services are set to Manual, not Automatic:

    Per bleepingcomputer:

    LVSrvLauncher - there is no known description for this Service.

    LVPrcSrv
    Service Display Name: Logitech Process Monitor
    Part of the Logitech QuickCam software and used for the Video Effects options. This topic states that disabling this process has no effect on the webcam other than not being able to use the Video Effects feature.
    --------------------
    Click on Start> Run> type in services.msc> enter> find each of the 2 Services> double click on each> set Startup type to Manual> Stop the Service.
    ==============================
    If you do not use this any longer:
    Uninstall in Add/Remove Programs in the Control Panel
    Use Windows Explorer to access Local Drive> Programs> do a right click> Delete on each Logitech folder.
    Check and make sure no entries for it are on the Startup menu.

    Both of these files show missing in the HijackThis log you ran, but that does not always mean the file is actually missing.
    ================================
    How is the system doing otherwise?
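
The "file is missing" check and the set-to-Manual/Stop steps from the reply above, written up as an added PowerShell example; this is not code from the thread or from Logitech. Only the two service names (LVSrvLauncher and LVPrcSrv) come from the thread; the path parsing and the elevated-prompt assumption are mine.

```powershell
# Added example (not from the TechSpot thread): audit the two Logitech services
# named in the System log, confirm whether their registered binary actually
# exists, then set them to Manual and stop them, as the helper's services.msc
# steps describe. Assumes an elevated PowerShell prompt on the affected PC.

$names = @('LVSrvLauncher', 'LVPrcSrv')   # service names taken from the thread

foreach ($name in $names) {
    # Win32_Service exposes the registered binary path (PathName); Get-Service does not.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        Write-Host "${name}: not registered on this machine"
        continue
    }

    # Strip surrounding quotes and trailing arguments to isolate the executable,
    # then test whether it is really on disk. Event 7000 "The system cannot find
    # the file specified" means the registration points at a binary that is gone,
    # which is the case the reply says a HijackThis "missing" flag cannot settle by itself.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $present = Test-Path -LiteralPath $exe

    Write-Host ("{0}: StartMode={1} State={2} Binary={3} Exists={4}" -f
        $name, $svc.StartMode, $svc.State, $exe, $present)

    # Automatic -> Manual, then stop it, matching the services.msc instructions.
    if ($svc.StartMode -ne 'Manual') {
        Set-Service -Name $name -StartupType Manual
    }
    if ($svc.State -eq 'Running') {
        Stop-Service -Name $name -Force
    }
}
```

If the script reports `Exists=False` for a service, the binary really is absent and the startup failures in the System log are expected; uninstalling the Logitech software (which removes the service registration) or deleting the service entry clears the errors, whereas `Exists=True` with a failing start points at something other than a missing file.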