System check request - Removed google redirect but system slow and fan always on

Solved
By hammacher
Jan 12, 2012
  1. I seem to have removed the Google redirect problem from my system by editing my Host file. I removed an extra line that reads ":: 1" and my redirect problem went away. But my CPU usage seems high when the computer is at rest and the cooling fan is always on which uses up battery life quickly. This is markedly different behavior for this computer than before I had the google redirect problem. I followed the 5 step instructions and here are my logs. I very much appreciate any help you can provide me. Thank you.

    Malwarebytes log:
    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.11.06

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Evan :: NETBOOK [administrator]

    1/11/2012 6:54:10 PM
    mbam-log-2012-01-11 (18-54-10).txt

    Scan type: Custom scan
    Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
    Objects scanned: 1
    Time elapsed: 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    -------------------------------------

    GMER log:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-12 11:30:50
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.GJ00
    Running: dl67e973.exe; Driver: C:\Users\Evan\AppData\Local\Temp\fxrdqpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8682CF68]
    SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8682D230]
    SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8682D52C]
    SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8682C9D8]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13D1 81A47369 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81A80D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11E3 81A87E98 4 Bytes [68, CF, 82, 86]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11E8 81A87E9D 3 Bytes [D2, 82, 86]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 121B 81A87ED0 4 Bytes [2C, D5, 82, 86]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 166F 81A88324 4 Bytes [D8, C9, 82, 86]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe[1784] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7547FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe[1784] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7547FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe[1784] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7547FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe[1784] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7547FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe[1784] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7547FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

    Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys
    Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\$NtUninstallKB59561$\261678897 0 bytes
    File C:\Windows\$NtUninstallKB59561$\261678897\cfg.ini 206 bytes
    File C:\Windows\$NtUninstallKB59561$\261678897\U 0 bytes
    File C:\Windows\$NtUninstallKB59561$\3897946129 0 bytes

    ---- EOF - GMER 1.0.15 ----
    ---------------------------------------------------

    DDS log:
    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421
    Run by Evan at 11:56:23 on 2012-01-12
    Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1013.169 [GMT -7:00]
    .
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe
    C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe
    C:\windows\system32\taskhost.exe
    C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe
    C:\windows\system32\Dwm.exe
    C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
    C:\windows\Explorer.EXE
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\TOSHIBA\TECO\TecoService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\windows\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\windows\system32\SearchIndexer.exe
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TECO\Teco.exe
    C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
    C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
    C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\windows\system32\igfxext.exe
    C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    C:\windows\System32\svchost.exe -k secsvcs
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\windows\system32\rundll32.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\windows\system32\conhost.exe
    C:\windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://start.toshiba.com/g/
    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: H - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [<NO NAME>]
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
    mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
    mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
    mRun: [RtHDVBg] c:\program files\realtek\audio\hda\RtHDVBg.exe /FORPCEE3
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
    mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
    mRun: [TWebCamera] "c:\program files\toshiba\toshiba web camera application\TWebCamera.exe" autorun
    mRun: [ToshibaAppPlace] "c:\program files\toshiba\toshiba app place\ToshibaAppPlace.exe"
    mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TOBuActivation.exe" UNATTENDED
    mRun: [TosVolRegulator] c:\program files\toshiba\tosvolregulator\TosVolRegulator.exe
    mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
    mRun: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    mRun: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    TCP: DhcpNameServer = 75.75.75.75 75.75.75.75 75.75.76.76
    TCP: Interfaces\{0E28DF56-F86F-418B-83B5-069A24F29196} : DhcpNameServer = 75.75.75.75 75.75.75.75 75.75.76.76
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-1-11 239168]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-1-11 338880]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-1-11 656320]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-10-20 821664]
    R2 IconMan_R;IconMan_R;c:\program files\realtek\realtek usb 2.0 card reader\RIconMan.exe [2011-12-6 1809920]
    R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.6.22\SymcPCCULaunchSvc.exe [2011-12-6 115056]
    R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.6.22\ccSvcHst.exe [2011-12-6 126392]
    R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2011-12-6 24064]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
    R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\drivers\rtl8192ce.sys [2011-12-6 999016]
    R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2010-9-14 577384]
    R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2010-9-14 194408]
    R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2010-9-14 21864]
    R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2010-9-14 19304]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-4 136176]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-4 136176]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-12-6 194664]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-12-19 52224]
    .
    =============== Created Last 30 ================
    .
    2012-01-12 17:16:44 0 ----a-w- c:\windows\system32\shoFC3A.tmp
    2012-01-12 01:30:41 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{09dee56e-8103-47c7-b9b3-2c487f38b099}\offreg.dll
    2012-01-12 01:04:49 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-12 01:04:49 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-12 01:04:49 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-12 01:04:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-12 01:04:48 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-12 01:04:48 22528 ----a-w- c:\windows\system32\lsass.exe
    2012-01-12 01:04:47 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-12 01:04:47 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-12 01:04:46 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-12 01:04:46 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-12 00:24:23 28552 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
    2012-01-12 00:24:23 28040 ----a-w- c:\windows\system32\mdimon.dll
    2012-01-12 00:21:32 -------- d-----w- c:\program files\common files\L&H
    2012-01-12 00:21:15 -------- d-----w- c:\program files\Microsoft ActiveSync
    2012-01-12 00:20:26 -------- d-----w- c:\windows\SHELLNEW
    2012-01-11 23:50:05 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-11 23:43:18 -------- d-----w- c:\program files\CCleaner
    2012-01-11 23:38:41 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-11 23:38:10 -------- d-----w- c:\programdata\HitmanPro
    2012-01-11 21:40:52 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{09dee56e-8103-47c7-b9b3-2c487f38b099}\mpengine.dll
    2012-01-11 21:37:54 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2012-01-11 21:37:54 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2012-01-11 21:37:53 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2012-01-11 21:37:53 102184 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
    2012-01-11 21:37:50 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2012-01-11 21:37:50 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2012-01-11 21:37:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2012-01-11 21:22:41 514560 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 21:22:40 1328128 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 21:22:28 67072 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 21:22:20 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 18:06:06 -------- d-----w- c:\users\evan\appdata\local\CrashDumps
    2012-01-11 17:58:09 -------- d-----w- c:\users\evan\appdata\roaming\PC Tools
    2012-01-11 17:58:09 -------- d-----w- c:\programdata\PC Tools
    2012-01-11 17:58:09 -------- d-----w- c:\program files\PC Tools Security
    2012-01-11 17:58:09 -------- d-----w- c:\program files\common files\PC Tools
    2012-01-10 04:47:42 -------- d-----w- c:\users\evan\appdata\roaming\Malwarebytes
    2012-01-10 04:47:23 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-10 04:47:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-05 16:07:44 -------- d-----w- c:\users\evan\appdata\local\Adobe
    2011-12-30 15:43:59 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
    2011-12-30 15:40:07 -------- d-----w- c:\windows\system32\directx
    2011-12-30 15:37:20 -------- d-----w- c:\program files\Media Player Classic - Home Cinema
    2011-12-30 04:42:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-30 02:38:19 -------- d-----w- c:\windows\system32\SPReview
    2011-12-30 02:13:12 -------- d-----w- c:\windows\system32\EventProviders
    2011-12-21 06:07:28 0 ----a-w- c:\windows\system32\sho967A.tmp
    2011-12-21 01:17:04 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-12-21 01:17:03 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-12-21 01:17:02 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-12-21 01:04:00 0 ----a-w- c:\windows\system32\sho1F2C.tmp
    2011-12-19 14:43:58 1019904 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-12-19 14:42:59 854016 ----a-w- c:\windows\system32\dbghelp.dll
    2011-12-19 14:41:59 352768 ----a-w- c:\windows\system32\termmgr.dll
    2011-12-19 14:40:59 196608 ----a-w- c:\windows\system32\wwanconn.dll
    2011-12-19 14:39:58 11264 ----a-w- c:\windows\system32\wshirda.dll
    2011-12-19 14:38:45 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
    2011-12-19 14:38:45 363008 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-12-18 02:45:49 -------- d-----w- c:\programdata\VirtualizedApplications
    2011-12-18 00:15:40 -------- d-----w- c:\users\evan\appdata\local\SoftGrid Client
    2011-12-18 00:15:36 -------- d-----w- c:\users\evan\appdata\roaming\SoftGrid Client
    2011-12-18 00:13:21 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
    2011-12-18 00:12:52 -------- d-----w- c:\users\evan\appdata\roaming\TP
    2011-12-15 18:02:10 748336 ----a-w- c:\program files\internet explorer\iexplore.exe
    2011-12-15 17:45:27 -------- d-----w- c:\users\evan\appdata\local\Tific
    2011-12-15 17:45:25 -------- d-----w- c:\users\evan\appdata\roaming\Tific
    2011-12-14 21:03:20 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 21:03:12 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 21:02:55 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 21:02:53 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 21:02:51 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-14 21:02:50 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-14 15:40:12 -------- d-----w- c:\program files\VideoLAN
    .
    ==================== Find3M ====================
    .
    2011-12-30 03:32:36 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-12-11 00:11:15 13 --sh--r- c:\windows\system32\drivers\fbd.sys
    2011-11-15 21:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 11:58:31.20 ===============
    ----------------------------------------------------------------

    DDS Attach:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows 7 Starter
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/10/2011 2:17:01 PM
    System Uptime: 1/12/2012 10:17:49 AM (1 hours ago)
    .
    Motherboard: TOSHIBA | | PBU00
    Processor: Intel(R) Atom(TM) CPU N455 @ 1.66GHz | U2E1 | 1667/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 223 GiB total, 194.841 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsld21c3acf
    Device ID: ROOT\LEGACY_MPKSLD21C3ACF\0000
    Manufacturer:
    Name: MpKsld21c3acf
    PNP Device ID: ROOT\LEGACY_MPKSLD21C3ACF\0000
    Service: MpKsld21c3acf
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsld4d09d5d
    Device ID: ROOT\LEGACY_MPKSLD4D09D5D\0000
    Manufacturer:
    Name: MpKsld4d09d5d
    PNP Device ID: ROOT\LEGACY_MPKSLD4D09D5D\0000
    Service: MpKsld4d09d5d
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsle57a2de5
    Device ID: ROOT\LEGACY_MPKSLE57A2DE5\0000
    Manufacturer:
    Name: MpKsle57a2de5
    PNP Device ID: ROOT\LEGACY_MPKSLE57A2DE5\0000
    Service: MpKsle57a2de5
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsl7ba6b06b
    Device ID: ROOT\LEGACY_MPKSL7BA6B06B\0000
    Manufacturer:
    Name: MpKsl7ba6b06b
    PNP Device ID: ROOT\LEGACY_MPKSL7BA6B06B\0000
    Service: MpKsl7ba6b06b
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsla259bee7
    Device ID: ROOT\LEGACY_MPKSLA259BEE7\0000
    Manufacturer:
    Name: MpKsla259bee7
    PNP Device ID: ROOT\LEGACY_MPKSLA259BEE7\0000
    Service: MpKsla259bee7
    .
    ==== System Restore Points ===================
    .
    RP21: 12/29/2011 7:37:58 PM - Windows 7 Service Pack 1
    RP23: 12/30/2011 8:42:36 AM - Installed DirectX
    RP25: 1/1/2012 9:43:57 AM - Windows Update
    RP26: 1/3/2012 10:48:07 AM - Windows Update
    RP27: 1/7/2012 10:17:25 AM - Windows Update
    RP28: 1/10/2012 2:17:51 PM - Windows Update
    RP29: 1/11/2012 9:09:39 AM - Windows Update
    RP30: 1/11/2012 2:00:37 PM - Restore Operation
    RP31: 1/11/2012 2:13:22 PM - Windows Update
    RP32: 1/11/2012 5:18:50 PM - Installed Microsoft Office Standard Edition 2003
    RP33: 1/11/2012 5:26:58 PM - Windows Update
    RP34: 1/11/2012 6:05:01 PM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.3.4
    Bejeweled 2 Deluxe
    CCleaner
    Chuzzle Deluxe
    D3DX10
    FATE - The Traitor Soul
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    Governor of Poker 2 Premium Edition
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Rapid Storage Technology
    Java Auto Updater
    Java(TM) 6 Update 20
    Jewel Quest - Heritage
    Junk Mail filter update
    Malwarebytes Anti-Malware version 1.60.0.1800
    Media Player Classic - Home Cinema v1.5.2.3456
    Mesh Runtime
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Standard Edition 2003
    Microsoft Office Starter 2010 - English
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSVCRT
    Mystery P.I. - The London Caper
    Plants vs. Zombies - Game of the Year
    PlayReady PC Runtime x86
    Polar Bowler
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Realtek WLAN Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Skype Launcher
    Slingo Supreme
    Spyware Doctor 8.0
    Synaptics Pointing Device Driver
    Toshiba App Place
    TOSHIBA Application and Driver Installer
    TOSHIBA Assist
    Toshiba Book Place
    TOSHIBA Bulletin Board
    TOSHIBA Disc Creator
    TOSHIBA eco Utility
    TOSHIBA Flash Cards Support Utility
    TOSHIBA Hardware Setup
    TOSHIBA HDD/SSD Alert
    Toshiba Laptop Checkup
    TOSHIBA Media Controller
    Toshiba Online Backup
    TOSHIBA Quality Application
    TOSHIBA Recovery Media Creator
    TOSHIBA ReelTime
    TOSHIBA Service Station
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    TOSHIBA Web Camera Application
    ToshibaRegistration
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Utility Common Driver
    VLC media player 1.1.11
    WeatherBug
    WildTangent Games
    WildTangent ORB Game Console
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/9/2012 9:45:05 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
    1/9/2012 8:42:53 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR3.
    1/9/2012 5:57:42 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D3DCB472-7261-43CE-924B-0704BD730D5F} and APPID {D3DCB472-7261-43CE-924B-0704BD730D5F} to the user Netbook\Evan SID (S-1-5-21-3793523996-3693569771-4273842782-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    1/9/2012 5:57:42 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {145B4335-FE2A-4927-A040-7C35AD3180EF} and APPID {145B4335-FE2A-4927-A040-7C35AD3180EF} to the user Netbook\Evan SID (S-1-5-21-3793523996-3693569771-4273842782-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    1/9/2012 5:47:43 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR5.
    1/12/2012 7:55:30 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    1/12/2012 10:18:27 AM, Error: RTL8192Ce [0] -
    1/11/2012 8:55:42 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the PCCUJobMgr service.
    1/11/2012 7:53:38 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
    1/11/2012 5:24:43 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {0C0A3666-30C9-11D0-8F20-00805F2CD064} and APPID {9209B1A6-964A-11D0-9372-00A0C9034910} to the user Netbook\Evan SID (S-1-5-21-3793523996-3693569771-4273842782-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    1/11/2012 5:24:34 PM, Error: Service Control Manager [7030] - The Machine Debug Manager service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    1/11/2012 2:21:58 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 (KB2644615).
    1/11/2012 2:17:18 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 (KB2631813).
    1/11/2012 2:17:18 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 (KB2584146).
    1/11/2012 2:03:52 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    1/11/2012 11:35:33 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    1/11/2012 11:35:32 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    1/11/2012 11:35:31 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/11/2012 11:05:46 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/10/2012 8:32:54 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
    1/10/2012 7:30:51 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the BITS service.
    1/10/2012 7:30:51 AM, Error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:29:51 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wuauserv service.
    1/10/2012 7:29:51 AM, Error: Service Control Manager [7000] - The Windows Update service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:29:21 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    1/10/2012 7:27:19 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft Network Inspection service to connect.
    1/10/2012 7:27:19 AM, Error: Service Control Manager [7000] - The Microsoft Network Inspection service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:26:49 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AeLookupSvc service.
    1/10/2012 7:26:49 AM, Error: Service Control Manager [7000] - The Application Experience service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:26:19 AM, Error: Service Control Manager [7022] - The Application Virtualization Client service hung on starting.
    1/10/2012 7:26:19 AM, Error: Service Control Manager [7001] - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: After starting, the service hung in a start-pending state.
    1/10/2012 7:25:48 AM, Error: Service Control Manager [7022] - The Common Client Job Manager Service service hung on starting.
    1/10/2012 7:25:43 AM, Error: Service Control Manager [7022] - The Diagnostic Policy Service service hung on starting.
    1/10/2012 7:24:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Winmgmt service.
    1/10/2012 7:24:23 AM, Error: Service Control Manager [7001] - The TOSHIBA eco Utility Service service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:23:52 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Toshiba Laptop Checkup Application Launcher service to connect.
    1/10/2012 7:23:52 AM, Error: Service Control Manager [7000] - The Toshiba Laptop Checkup Application Launcher service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:23:21 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.
    1/10/2012 7:23:21 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:23:21 AM, Error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:22:50 AM, Error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:22:20 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    1/10/2012 7:21:50 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the EapHost service.
    1/10/2012 7:21:50 AM, Error: Service Control Manager [7001] - The WLAN AutoConfig service depends on the Extensible Authentication Protocol service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:21:50 AM, Error: Service Control Manager [7000] - The Extensible Authentication Protocol service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/10/2012 7:21:23 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x816cc348, 0x00000002, 0x00000000, 0x81c6cefd). A dump was saved in: C:\windows\MEMORY.DMP. Report Id: 011012-38906-01.
    .
    ==== End Of File ===========================
  2. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================================================

    I don't see any AV program running.

    Install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
    Update, run full scan, report on any findings.

    When done....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  3. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    I uninstalled Microsoft Security Essentials to run the other scans thinking it might interfere. I then reinstalled and ran a quick scan. It found nothing. Here are the logs of the additional two programs you asked me to run:

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-12 18:40:00
    -----------------------------
    18:40:00.405 OS Version: Windows 6.1.7601 Service Pack 1
    18:40:00.405 Number of processors: 2 586 0x1C0A
    18:40:00.415 ComputerName: NETBOOK UserName: Evan
    18:40:06.736 Initialize success
    18:42:28.817 AVAST engine defs: 12011201
    18:42:35.456 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    18:42:35.464 Disk 0 Vendor: TOSHIBA_ GJ00 Size: 238475MB BusType: 3
    18:42:35.501 Disk 0 MBR read successfully
    18:42:35.509 Disk 0 MBR scan
    18:42:35.879 Disk 0 Windows VISTA default MBR code
    18:42:35.915 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
    18:42:36.312 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 228589 MB offset 3074048
    18:42:36.542 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 8385 MB offset 471224320
    18:42:36.752 Disk 0 scanning sectors +488396800
    18:42:37.289 Disk 0 scanning C:\windows\system32\drivers
    18:44:01.502 Service scanning
    18:44:03.472 Service MpKslf5feab3e c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CA3FEA75-E73A-44E9-802F-52B71B5EE117}\MpKslf5feab3e.sys **LOCKED** 32
    18:44:03.492 Service MpNWMon C:\windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
    18:44:05.620 Modules scanning
    18:45:40.128 Disk 0 trace - called modules:
    18:45:40.178 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys iaStor.sys halmacpi.dll
    18:45:40.198 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86123030]
    18:45:40.218 3 CLASSPNP.SYS[86d8559e] -> nt!IofCallDriver -> [0x861218e0]
    18:45:40.238 5 PCTCore.sys[86830099] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84610028]
    18:45:41.038 AVAST engine scan C:\windows
    18:46:39.848 AVAST engine scan C:\windows\system32
    19:03:31.822 AVAST engine scan C:\windows\system32\drivers
    19:06:56.368 AVAST engine scan C:\Users\Evan
    19:14:58.045 AVAST engine scan C:\ProgramData
    19:18:33.063 Scan finished successfully
    20:44:22.190 Disk 0 MBR has been saved successfully to "C:\Users\Evan\Desktop\MBR.dat"
    20:44:22.540 The log file has been saved successfully to "C:\Users\Evan\Desktop\aswMBR.txt"

    --------------------------------

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Starter Edition Service Pack 1 (build 7601), 32-
    bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    --------------------------------------------
  4. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Looks good.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    I ran combofix successfully without needing to use rkill. Combofix first found a rootkit virus (file?) and rebooted the machine, then it ran 50 stages or so and produced the following log file:

    ComboFix 12-01-12.04 - Evan 01/12/2012 22:33:23.1.2 - x86
    Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1013.423 [GMT -7:00]
    Running from: c:\users\Evan\Desktop\ComboFix.exe
    SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\xp
    c:\programdata\xp\EBLib.dll
    c:\programdata\xp\TPwSav.sys
    c:\windows\$NtUninstallKB59561$
    c:\windows\$NtUninstallKB59561$\261678897\cfg.ini
    c:\windows\$NtUninstallKB59561$\3897946129
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-13 05:53 . 2012-01-13 05:56 -------- d-----w- c:\users\Evan\AppData\Local\temp
    2012-01-13 05:53 . 2012-01-13 05:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-13 05:28 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-01-13 05:01 . 2012-01-13 05:35 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{09DEE56E-8103-47C7-B9B3-2C487F38B099}\offreg.dll
    2012-01-12 17:16 . 2012-01-12 17:16 0 ----a-w- c:\windows\system32\shoFC3A.tmp
    2012-01-12 01:04 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-12 01:04 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-12 01:04 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-12 01:04 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-12 01:04 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-12 01:04 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    2012-01-12 01:04 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-12 01:04 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-12 01:04 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-12 01:04 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-12 00:24 . 2007-04-09 20:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
    2012-01-12 00:24 . 2007-04-09 20:23 28040 ----a-w- c:\windows\system32\mdimon.dll
    2012-01-12 00:21 . 2012-01-12 00:21 -------- d-----w- c:\program files\Common Files\L&H
    2012-01-12 00:21 . 2012-01-12 00:21 -------- d-----w- c:\program files\Microsoft ActiveSync
    2012-01-12 00:21 . 2012-01-12 01:21 -------- d-----w- c:\program files\Microsoft Works
    2012-01-12 00:20 . 2012-01-12 00:21 -------- d-----w- c:\windows\SHELLNEW
    2012-01-12 00:17 . 2012-01-12 00:17 -------- d-----r- C:\MSOCache
    2012-01-11 23:50 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-11 23:43 . 2012-01-11 23:43 -------- d-----w- c:\program files\CCleaner
    2012-01-11 23:38 . 2012-01-12 01:38 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-11 23:38 . 2012-01-11 23:38 -------- d-----w- c:\programdata\HitmanPro
    2012-01-11 21:40 . 2011-11-30 09:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{09DEE56E-8103-47C7-B9B3-2C487F38B099}\mpengine.dll
    2012-01-11 21:37 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2012-01-11 21:37 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2012-01-11 21:37 . 2010-11-17 17:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2012-01-11 21:37 . 2010-11-17 17:19 102184 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
    2012-01-11 21:37 . 2010-11-25 17:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2012-01-11 21:37 . 2010-11-25 17:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2012-01-11 21:37 . 2010-11-25 17:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2012-01-11 21:22 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 21:22 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 21:22 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 21:22 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 18:06 . 2012-01-11 23:44 -------- d-----w- c:\users\Evan\AppData\Local\CrashDumps
    2012-01-11 17:58 . 2012-01-12 17:34 -------- d-----w- c:\program files\PC Tools Security
    2012-01-11 17:58 . 2012-01-11 18:02 -------- d-----w- c:\program files\Common Files\PC Tools
    2012-01-11 17:58 . 2012-01-11 17:58 -------- d-----w- c:\programdata\PC Tools
    2012-01-11 17:58 . 2012-01-11 17:58 -------- d-----w- c:\users\Evan\AppData\Roaming\PC Tools
    2012-01-10 04:47 . 2012-01-10 04:47 -------- d-----w- c:\users\Evan\AppData\Roaming\Malwarebytes
    2012-01-10 04:47 . 2012-01-10 04:47 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-10 04:47 . 2012-01-11 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-05 16:07 . 2012-01-05 16:07 -------- d-----w- c:\users\Evan\AppData\Local\Adobe
    2011-12-30 15:43 . 2008-05-30 21:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
    2011-12-30 15:38 . 2012-01-11 23:45 -------- d-----w- c:\users\Evan\AppData\Roaming\Media Player Classic
    2011-12-30 15:37 . 2011-12-30 15:37 -------- d-----w- c:\program files\Media Player Classic - Home Cinema
    2011-12-30 04:42 . 2011-12-30 04:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-30 02:38 . 2011-12-30 02:38 -------- d-----w- c:\windows\system32\SPReview
    2011-12-30 02:13 . 2011-12-30 02:13 -------- d-----w- c:\windows\system32\EventProviders
    2011-12-21 06:07 . 2011-12-21 06:07 0 ----a-w- c:\windows\system32\sho967A.tmp
    2011-12-21 01:17 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-12-21 01:17 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-12-21 01:17 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-12-21 01:04 . 2011-12-21 01:04 0 ----a-w- c:\windows\system32\sho1F2C.tmp
    2011-12-19 14:43 . 2010-11-20 12:19 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-12-19 14:42 . 2010-11-20 12:20 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
    2011-12-19 14:41 . 2010-11-20 12:21 352768 ----a-w- c:\windows\system32\termmgr.dll
    2011-12-19 14:40 . 2010-11-20 12:21 196608 ----a-w- c:\windows\system32\wwanconn.dll
    2011-12-19 14:39 . 2010-11-20 12:21 11264 ----a-w- c:\windows\system32\wshirda.dll
    2011-12-19 14:38 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-12-19 14:38 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
    2011-12-19 14:22 . 2012-01-12 00:20 -------- d-----w- c:\program files\Microsoft.NET
    2011-12-18 02:45 . 2011-12-19 22:47 -------- d-----w- c:\programdata\VirtualizedApplications
    2011-12-18 00:15 . 2011-12-18 00:15 -------- d-----w- c:\users\Evan\AppData\Local\SoftGrid Client
    2011-12-18 00:15 . 2012-01-13 05:29 -------- d-----w- c:\users\Evan\AppData\Roaming\SoftGrid Client
    2011-12-18 00:13 . 2011-12-21 15:01 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
    2011-12-18 00:12 . 2011-12-18 00:15 -------- d-----w- c:\users\Evan\AppData\Roaming\TP
    2011-12-15 18:02 . 2011-12-15 18:02 748336 ----a-w- c:\program files\Internet Explorer\iexplore.exe
    2011-12-15 17:45 . 2011-12-15 17:45 -------- d-----w- c:\users\Evan\AppData\Local\Tific
    2011-12-15 17:45 . 2011-12-15 17:45 -------- d-----w- c:\users\Evan\AppData\Roaming\Tific
    2011-12-14 21:03 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 21:03 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 21:02 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 21:02 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 21:02 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-14 21:02 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-14 15:43 . 2012-01-11 21:29 -------- d-----w- c:\users\Evan\AppData\Roaming\vlc
    2011-12-14 15:40 . 2011-12-14 15:40 -------- d-----w- c:\program files\VideoLAN
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-30 03:32 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-12-11 00:11 . 2011-12-11 00:11 13 --sh--r- c:\windows\system32\drivers\fbd.sys
    2011-12-10 21:18 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-15 21:29 . 2011-12-11 00:35 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2011-10-05 1652736]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-05 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-01 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-01 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-01 150552]
    "SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-03-04 352256]
    "HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-05 425984]
    "KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2010-09-14 35440]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2010-09-28 521640]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2010-05-09 742776]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-11-17 9874024]
    "RtHDVBg"="c:\program files\Realtek\Audio\HDA\RtHDVBg.exe" [2010-11-11 1522280]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-11 1697064]
    "Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2010-11-12 1349032]
    "ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
    "TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-05-02 2454840]
    "ToshibaAppPlace"="c:\program files\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
    "NortonOnlineBackupReminder"="c:\program files\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-08-17 3218792]
    "TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 22840]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 611672]
    "TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2010-07-10 31648]
    "TosNC"="c:\program files\Toshiba\BulletinBoard\TosNcCore.exe" [2010-04-23 467816]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R1 MpKsl7ba6b06b;MpKsl7ba6b06b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E783B292-B782-4DF4-80E8-A4E208B68881}\MpKsl7ba6b06b.sys [x]
    R1 MpKsla259bee7;MpKsla259bee7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E783B292-B782-4DF4-80E8-A4E208B68881}\MpKsla259bee7.sys [x]
    R1 MpKsld21c3acf;MpKsld21c3acf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4CDF8B9-2338-42E7-BA87-D91CC21CD692}\MpKsld21c3acf.sys [x]
    R1 MpKsld4d09d5d;MpKsld4d09d5d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D483DE3-822A-4856-9C39-C69CD0DA6925}\MpKsld4d09d5d.sys [x]
    R1 MpKsle57a2de5;MpKsle57a2de5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D483DE3-822A-4856-9C39-C69CD0DA6925}\MpKsle57a2de5.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-05 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-05 136176]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-07-21 194664]
    R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-25 239168]
    S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
    S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
    S2 IconMan_R;IconMan_R;c:\program files\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2010-08-05 1809920]
    S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe [2010-10-20 115056]
    S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe [2009-08-24 126392]
    S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-11-12 189880]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-10-19 999016]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-09-14 577384]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-09-14 194408]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-09-14 21864]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-09-14 19304]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
    S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 111960]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-05 01:41]
    .
    2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-05 01:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    TCP: DhcpNameServer = 75.75.75.75 75.75.75.75 75.75.76.76
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
    "ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.6.22\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\TODDSrv.exe
    c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\windows\system32\igfxext.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-01-12 23:04:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-13 06:04
    .
    Pre-Run: 208,400,834,560 bytes free
    Post-Run: 208,440,025,088 bytes free
    .
    - - End Of File - - 037AF9A838D68B3C2D4C581425D3CC86
  6. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    This morning the computer continues to have CPU usage hovering consistently around 65% with frequent spikes to 80 and 100%. I have no programs running and I have not yet re-installed an anti-virus program so it's not that either. The fan is running on medium-high and the CPU is churning, yet I'm not using the computer to do anything. Physical memory usage, according to task manager, is hovering around 800MB. This behavior, again, is significantly different than before I got infected with the google redirect virus. Even though I'm not redirecting anymore, my system seems to be working really hard on something, I just don't know what. If I were to travel with this netbook on battery power, it would be drained in an hour or less because of this phantom activity. Just wanted to add this info for your analysis. Thanks.
  7. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    You didn't follow:
    Why?

    ===============================================================

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\shoFC3A.tmp
    c:\windows\system32\sho967A.tmp
    c:\windows\system32\sho1F2C.tmp
    
    DDS::
    uInternet Settings,ProxyOverride = <local>
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  8. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    I did run an A/V program when you instructed me to (Microsoft Security Essentials), but it returned zero problems so I didn't post the log. Sorry about that.

    I will run the CFScript.txt with Combofix now and report back.
  9. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Did you INSTALL Microsoft Security Essentials?
  10. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    Yes. Before I ran Combofix the first time, I reinstalled MSE, ran a quick scan, it said there were no problems, and then I uninstalled it completely instead of just turning off the monitoring feature before I ran Combofix the first time. I have not reinstalled it since. I currently do not have an antivirus program running, and I disabled Windows defender and Windows firewall as well before running Combofix the first time and again this time. Combofix is currently running.

    Note: I dragged the CFScript onto the Combofix icon as you instructed. Combofix launched, then said there was a newer version would I like to download it. I clicked "Yes" and Combofix installed the newer version and then launched itself again to run the current scan. Just wanted you to know in case installing the new version negated the CFScript you had me use to launch Combofix in the first place.
  11. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    No.

    Then....Never turn Windows firewall off.
    It's not in my instructions and it's dangerous.

    Reinstall MSE after running Combofix.
    There is no need to uninstall it.
  12. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    Here is my Combofix log:
    ComboFix 12-01-13.03 - Evan 01/13/2012 9:53.2.2 - x86
    Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1013.291 [GMT -7:00]
    Running from: c:\users\Evan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Evan\Desktop\CFScript.txt
    SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\system32\sho1F2C.tmp"
    "c:\windows\system32\sho967A.tmp"
    "c:\windows\system32\shoFC3A.tmp"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-13 17:15 . 2012-01-13 17:15 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-13 05:53 . 2012-01-13 17:15 -------- d-----w- c:\users\Evan\AppData\Local\temp
    2012-01-13 05:28 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-01-13 05:01 . 2012-01-13 06:00 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{09DEE56E-8103-47C7-B9B3-2C487F38B099}\offreg.dll
    2012-01-12 17:16 . 2012-01-12 17:16 0 ----a-w- c:\windows\system32\shoFC3A.tmp
    2012-01-12 01:04 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-01-12 01:04 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
    2012-01-12 01:04 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-12 01:04 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-12 01:04 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-01-12 01:04 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
    2012-01-12 01:04 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
    2012-01-12 01:04 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
    2012-01-12 01:04 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
    2012-01-12 01:04 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
    2012-01-12 00:24 . 2007-04-09 20:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
    2012-01-12 00:24 . 2007-04-09 20:23 28040 ----a-w- c:\windows\system32\mdimon.dll
    2012-01-12 00:21 . 2012-01-12 00:21 -------- d-----w- c:\program files\Common Files\L&H
    2012-01-12 00:21 . 2012-01-12 00:21 -------- d-----w- c:\program files\Microsoft ActiveSync
    2012-01-12 00:21 . 2012-01-12 01:21 -------- d-----w- c:\program files\Microsoft Works
    2012-01-12 00:20 . 2012-01-12 00:21 -------- d-----w- c:\windows\SHELLNEW
    2012-01-12 00:17 . 2012-01-12 00:17 -------- d-----r- C:\MSOCache
    2012-01-11 23:50 . 2011-12-10 22:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-11 23:43 . 2012-01-11 23:43 -------- d-----w- c:\program files\CCleaner
    2012-01-11 23:38 . 2012-01-12 01:38 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-11 23:38 . 2012-01-11 23:38 -------- d-----w- c:\programdata\HitmanPro
    2012-01-11 21:40 . 2011-11-30 09:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{09DEE56E-8103-47C7-B9B3-2C487F38B099}\mpengine.dll
    2012-01-11 21:37 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2012-01-11 21:37 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2012-01-11 21:37 . 2010-11-17 17:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2012-01-11 21:37 . 2010-11-17 17:19 102184 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
    2012-01-11 21:37 . 2010-11-25 17:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2012-01-11 21:37 . 2010-11-25 17:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2012-01-11 21:37 . 2010-11-25 17:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2012-01-11 21:22 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 21:22 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 21:22 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 21:22 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 18:06 . 2012-01-11 23:44 -------- d-----w- c:\users\Evan\AppData\Local\CrashDumps
    2012-01-11 17:58 . 2012-01-12 17:34 -------- d-----w- c:\program files\PC Tools Security
    2012-01-11 17:58 . 2012-01-11 18:02 -------- d-----w- c:\program files\Common Files\PC Tools
    2012-01-11 17:58 . 2012-01-11 17:58 -------- d-----w- c:\programdata\PC Tools
    2012-01-11 17:58 . 2012-01-11 17:58 -------- d-----w- c:\users\Evan\AppData\Roaming\PC Tools
    2012-01-10 04:47 . 2012-01-10 04:47 -------- d-----w- c:\users\Evan\AppData\Roaming\Malwarebytes
    2012-01-10 04:47 . 2012-01-10 04:47 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-10 04:47 . 2012-01-11 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-05 16:07 . 2012-01-05 16:07 -------- d-----w- c:\users\Evan\AppData\Local\Adobe
    2011-12-30 15:43 . 2008-05-30 21:11 467984 ----a-w- c:\windows\system32\d3dx10_38.dll
    2011-12-30 15:38 . 2012-01-11 23:45 -------- d-----w- c:\users\Evan\AppData\Roaming\Media Player Classic
    2011-12-30 15:37 . 2011-12-30 15:37 -------- d-----w- c:\program files\Media Player Classic - Home Cinema
    2011-12-30 04:42 . 2011-12-30 04:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-30 02:38 . 2011-12-30 02:38 -------- d-----w- c:\windows\system32\SPReview
    2011-12-30 02:13 . 2011-12-30 02:13 -------- d-----w- c:\windows\system32\EventProviders
    2011-12-21 06:07 . 2011-12-21 06:07 0 ----a-w- c:\windows\system32\sho967A.tmp
    2011-12-21 01:17 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll
    2011-12-21 01:17 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
    2011-12-21 01:17 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-12-21 01:04 . 2011-12-21 01:04 0 ----a-w- c:\windows\system32\sho1F2C.tmp
    2011-12-19 14:43 . 2010-11-20 12:19 1019904 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-12-19 14:42 . 2010-11-20 12:20 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
    2011-12-19 14:41 . 2010-11-20 12:21 352768 ----a-w- c:\windows\system32\termmgr.dll
    2011-12-19 14:40 . 2010-11-20 12:21 196608 ----a-w- c:\windows\system32\wwanconn.dll
    2011-12-19 14:39 . 2010-11-20 12:21 11264 ----a-w- c:\windows\system32\wshirda.dll
    2011-12-19 14:38 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-12-19 14:38 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
    2011-12-19 14:22 . 2012-01-12 00:20 -------- d-----w- c:\program files\Microsoft.NET
    2011-12-18 02:45 . 2011-12-19 22:47 -------- d-----w- c:\programdata\VirtualizedApplications
    2011-12-18 00:15 . 2011-12-18 00:15 -------- d-----w- c:\users\Evan\AppData\Local\SoftGrid Client
    2011-12-18 00:15 . 2012-01-13 05:29 -------- d-----w- c:\users\Evan\AppData\Roaming\SoftGrid Client
    2011-12-18 00:13 . 2011-12-21 15:01 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
    2011-12-18 00:12 . 2011-12-18 00:15 -------- d-----w- c:\users\Evan\AppData\Roaming\TP
    2011-12-15 18:02 . 2011-12-15 18:02 748336 ----a-w- c:\program files\Internet Explorer\iexplore.exe
    2011-12-15 17:45 . 2011-12-15 17:45 -------- d-----w- c:\users\Evan\AppData\Local\Tific
    2011-12-15 17:45 . 2011-12-15 17:45 -------- d-----w- c:\users\Evan\AppData\Roaming\Tific
    2011-12-14 21:03 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 21:03 . 2011-11-05 04:26 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 21:02 . 2011-11-24 04:25 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 21:02 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 21:02 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-14 21:02 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-30 03:32 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-12-11 00:11 . 2011-12-11 00:11 13 --sh--r- c:\windows\system32\drivers\fbd.sys
    2011-12-10 21:18 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-11-15 21:29 . 2011-12-11 00:35 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2011-10-05 1652736]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-05 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-10-01 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-10-01 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-10-01 150552]
    "SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-03-04 352256]
    "HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-05 425984]
    "KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2010-09-14 35440]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2010-09-28 521640]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2010-05-09 742776]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-11-17 9874024]
    "RtHDVBg"="c:\program files\Realtek\Audio\HDA\RtHDVBg.exe" [2010-11-11 1522280]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-03-11 1697064]
    "Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2010-11-12 1349032]
    "ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
    "TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-05-02 2454840]
    "ToshibaAppPlace"="c:\program files\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
    "NortonOnlineBackupReminder"="c:\program files\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-08-17 3218792]
    "TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 22840]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 611672]
    "TosReelTimeMonitor"="c:\program files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [2010-07-10 31648]
    "TosNC"="c:\program files\Toshiba\BulletinBoard\TosNcCore.exe" [2010-04-23 467816]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R1 MpKsl7ba6b06b;MpKsl7ba6b06b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E783B292-B782-4DF4-80E8-A4E208B68881}\MpKsl7ba6b06b.sys [x]
    R1 MpKsla259bee7;MpKsla259bee7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E783B292-B782-4DF4-80E8-A4E208B68881}\MpKsla259bee7.sys [x]
    R1 MpKsld21c3acf;MpKsld21c3acf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4CDF8B9-2338-42E7-BA87-D91CC21CD692}\MpKsld21c3acf.sys [x]
    R1 MpKsld4d09d5d;MpKsld4d09d5d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D483DE3-822A-4856-9C39-C69CD0DA6925}\MpKsld4d09d5d.sys [x]
    R1 MpKsle57a2de5;MpKsle57a2de5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D483DE3-822A-4856-9C39-C69CD0DA6925}\MpKsle57a2de5.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-05 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-05 136176]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-07-21 194664]
    R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-11-25 239168]
    S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
    S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
    S2 IconMan_R;IconMan_R;c:\program files\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2010-08-05 1809920]
    S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe [2010-10-20 115056]
    S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe [2009-08-24 126392]
    S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-11-12 189880]
    S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-10-19 999016]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-09-14 577384]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-09-14 194408]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-09-14 21864]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-09-14 19304]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
    S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 111960]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-05 01:41]
    .
    2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-05 01:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    TCP: DhcpNameServer = 75.75.75.75 75.75.75.75 75.75.76.76
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
    "ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.6.22\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-01-13 10:23:18
    ComboFix-quarantined-files.txt 2012-01-13 17:23
    ComboFix2.txt 2012-01-13 06:04
    .
    Pre-Run: 207,960,555,520 bytes free
    Post-Run: 207,780,663,296 bytes free
    .
    - - End Of File - - 362154F25FA550A5684AAB5748B377AC
  13. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    How is computer doing?

    Don't forget to reinstall MSE before next step.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    Post will be too long with both logs, so I will post OTL here and the OTL Extra log in another post immediately following. My machine seems to have calmed down some. CPU usage is ranging from 5 to 15% when idle, memory usage still seems high around 800MB. The fan isn't running as high as often as it was. Here is the OTL log. Extras log will follow in the next post:

    OTL logfile created on: 1/13/2012 10:46:46 AM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Evan\Desktop
    Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1013.42 Mb Total Physical Memory | 436.32 Mb Available Physical Memory | 43.05% Memory free
    1.99 Gb Paging File | 1.01 Gb Available in Paging File | 50.56% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
    Drive C: | 223.23 Gb Total Space | 193.26 Gb Free Space | 86.57% Space Free | Partition Type: NTFS

    Computer Name: NETBOOK | User Name: Evan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/01/13 10:40:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Evan\Desktop\OTL.exe
    PRC - [2011/10/05 13:31:46 | 001,652,736 | R--- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe
    PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
    PRC - [2011/04/27 15:39:26 | 000,228,520 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
    PRC - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    PRC - [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2010/11/20 05:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/11/11 18:22:16 | 000,189,880 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TECO\TecoService.exe
    PRC - [2010/11/11 18:21:56 | 001,349,032 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TECO\Teco.exe
    PRC - [2010/11/11 14:06:14 | 001,522,280 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
    PRC - [2010/10/20 14:40:16 | 000,128,416 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
    PRC - [2010/10/20 12:37:28 | 000,115,056 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe
    PRC - [2010/09/28 13:28:30 | 000,468,392 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    PRC - [2010/09/28 13:28:18 | 000,521,640 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    PRC - [2010/09/14 08:14:28 | 000,035,440 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
    PRC - [2010/09/14 05:46:26 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
    PRC - [2010/09/14 05:46:16 | 000,508,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
    PRC - [2010/08/04 18:11:34 | 001,809,920 | ---- | M] (Realsil Microelectronics Inc.) -- C:\Program Files\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
    PRC - [2010/07/09 19:21:02 | 000,031,648 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    PRC - [2010/05/08 18:02:06 | 000,742,776 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
    PRC - [2010/02/05 17:41:00 | 000,111,960 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    PRC - [2010/02/05 17:40:44 | 001,021,272 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    PRC - [2009/10/06 10:23:12 | 001,294,136 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
    PRC - [2009/10/06 10:21:50 | 000,051,512 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    PRC - [2009/08/24 15:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe
    PRC - [2009/07/28 15:00:10 | 000,460,088 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/01/11 18:09:37 | 000,212,992 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\6f2de1cb69aef1946760a70f355a3075\System.ServiceProcess.ni.dll
    MOD - [2012/01/11 18:03:21 | 012,433,408 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6e592e424a204aafeadbe22b6b31b9db\System.Windows.Forms.ni.dll
    MOD - [2012/01/11 18:02:28 | 001,587,200 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3b2cfd85528a27eb71dc41d8067359a1\System.Drawing.ni.dll
    MOD - [2012/01/11 18:00:08 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\130ad4d9719e566ca933ac7158a04203\System.Xml.ni.dll
    MOD - [2012/01/11 17:59:43 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d5bcbeb9475ef62189f605bcca1cec6\System.Configuration.ni.dll
    MOD - [2012/01/11 17:59:36 | 007,963,648 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\abab08afa60a6f06bdde0fcc9649c379\System.ni.dll
    MOD - [2012/01/11 17:59:03 | 011,490,304 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
    MOD - [2010/04/07 17:06:58 | 009,487,672 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll
    MOD - [2010/03/03 15:14:58 | 000,016,184 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\Hotkey\FnF11.dll
    MOD - [2010/03/03 15:14:56 | 000,016,184 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\Hotkey\FnF10.dll
    MOD - [2010/02/05 17:40:28 | 000,079,192 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosIPCWraper.dll
    MOD - [2009/11/03 14:26:26 | 000,058,680 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\Hotkey\FnZ.dll
    MOD - [2009/07/25 11:07:12 | 000,058,704 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Disc Creator\NotifyTDC.dll
    MOD - [2009/06/22 15:38:40 | 000,015,160 | ---- | M] () -- C:\Program Files\TOSHIBA\TOSHIBA Assist\NotifyX.dll
    MOD - [2009/03/12 20:08:04 | 000,049,152 | ---- | M] () -- C:\Program Files\TOSHIBA\PCDiag\NotifyPCD.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
    SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2010/11/19 06:57:14 | 001,150,936 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsSvc.exe -- (sdCoreService)
    SRV - [2010/11/11 18:22:16 | 000,189,880 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
    SRV - [2010/10/20 14:40:16 | 000,128,416 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
    SRV - [2010/10/20 12:37:28 | 000,115,056 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe -- (Norton PC Checkup Application Launcher)
    SRV - [2010/09/28 13:28:30 | 000,468,392 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
    SRV - [2010/09/14 05:46:26 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
    SRV - [2010/09/14 05:46:16 | 000,508,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
    SRV - [2010/08/04 18:11:34 | 001,809,920 | ---- | M] (Realsil Microelectronics Inc.) [Auto | Running] -- C:\Program Files\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe -- (IconMan_R)
    SRV - [2010/07/28 14:36:52 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
    SRV - [2010/03/15 14:02:36 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsAuxs.exe -- (sdAuxService)
    SRV - [2010/02/05 17:41:00 | 000,111,960 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
    SRV - [2009/10/06 10:21:50 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
    SRV - [2009/08/24 15:49:41 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe -- (PCCUJobMgr)
    SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2012/01/13 10:36:12 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3F7EFABA-903B-4A85-8A84-5FFE0B1FC8F4}\MpKsl56bd8148.sys -- (MpKsl56bd8148)
    DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
    DRV - [2010/11/25 10:43:00 | 000,239,168 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\windows\system32\drivers\PCTCore.sys -- (PCTCore)
    DRV - [2010/11/20 03:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010/10/18 17:46:40 | 000,999,016 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8192ce.sys -- (RTL8192Ce)
    DRV - [2010/09/14 05:46:26 | 000,019,304 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
    DRV - [2010/09/14 05:46:22 | 000,021,864 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
    DRV - [2010/09/14 05:46:18 | 000,194,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
    DRV - [2010/09/14 05:46:14 | 000,577,384 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
    DRV - [2010/07/20 18:43:14 | 000,194,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
    DRV - [2010/07/16 14:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\windows\system32\drivers\pctEFA.sys -- (pctEFA)
    DRV - [2010/07/16 14:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\windows\system32\drivers\pctDS.sys -- (pctDS)
    DRV - [2009/07/30 22:02:34 | 000,036,208 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\LPCFilter.sys -- (LPCFilter)
    DRV - [2009/07/30 17:45:56 | 000,022,912 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
    DRV - [2009/07/14 16:28:42 | 000,023,512 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
    DRV - [2009/07/13 16:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\serial.sys -- (Serial)
    DRV - [2009/06/22 18:04:58 | 000,024,064 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PGEffect.sys -- (PGEffect)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3793523996-3693569771-4273842782-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-3793523996-3693569771-4273842782-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-3793523996-3693569771-4273842782-1000\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    IE - HKU\S-1-5-21-3793523996-3693569771-4273842782-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)



    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:eek:riginalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\windows\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U20 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\pdf.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: YouTube = C:\Users\Evan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
    CHR - Extension: Google Search = C:\Users\Evan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
    CHR - Extension: Gmail = C:\Users\Evan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

    O1 HOSTS File: ([2012/01/12 22:55:42 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
    O4 - HKLM..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe (TOSHIBA CORPORATION)
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe (Toshiba)
    O4 - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA CORPORATION)
    O4 - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [ToshibaAppPlace] C:\Program Files\Toshiba\Toshiba App Place\ToshibaAppPlace.exe (Toshiba)
    O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [TosNC] C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [TosReelTimeMonitor] C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [TWebCamera] C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA CORPORATION.)
    O4 - HKU\S-1-5-21-3793523996-3693569771-4273842782-1000..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3793523996-3693569771-4273842782-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3793523996-3693569771-4273842782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.75.75 75.75.76.76
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0E28DF56-F86F-418B-83B5-069A24F29196}: DhcpNameServer = 75.75.75.75 75.75.75.75 75.75.76.76
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\windows\System32\ias.dll (Microsoft Corporation)
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\windows\System32\iccvid.dll (Radius Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/01/13 10:39:49 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Evan\Desktop\OTL.exe
    [2012/01/13 10:32:51 | 000,000,000 | ---D | C] -- C:\windows\TEMP
    [2012/01/13 10:30:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
    [2012/01/13 10:20:08 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/01/13 09:50:23 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/01/13 09:02:04 | 000,000,000 | ---D | C] -- C:\Users\Evan\Desktop\Fixes
    [2012/01/12 22:53:50 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Local\temp
    [2012/01/12 22:17:48 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
    [2012/01/12 22:17:48 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
    [2012/01/12 22:17:47 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
    [2012/01/12 22:17:28 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
    [2012/01/12 22:17:17 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/01/12 22:06:22 | 004,382,027 | R--- | C] (Swearware) -- C:\Users\Evan\Desktop\ComboFix.exe
    [2012/01/12 20:46:18 | 000,000,000 | ---D | C] -- C:\Users\Evan\Desktop\bootkit_remover
    [2012/01/12 18:38:46 | 004,713,472 | ---- | C] (AVAST Software) -- C:\Users\Evan\Desktop\aswMBR.exe
    [2012/01/12 15:21:48 | 000,000,000 | ---D | C] -- C:\Users\Evan\Documents\Logs
    [2012/01/11 17:21:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
    [2012/01/11 17:21:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\L&H
    [2012/01/11 17:21:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft ActiveSync
    [2012/01/11 17:21:00 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
    [2012/01/11 17:20:40 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
    [2012/01/11 17:20:26 | 000,000,000 | ---D | C] -- C:\windows\SHELLNEW
    [2012/01/11 17:17:02 | 000,000,000 | R--D | C] -- C:\MSOCache
    [2012/01/11 16:50:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/01/11 16:50:05 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
    [2012/01/11 16:43:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
    [2012/01/11 16:43:18 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2012/01/11 16:38:10 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
    [2012/01/11 14:37:54 | 000,656,320 | ---- | C] (PC Tools) -- C:\windows\System32\drivers\pctEFA.sys
    [2012/01/11 14:37:54 | 000,338,880 | ---- | C] (PC Tools) -- C:\windows\System32\drivers\pctDS.sys
    [2012/01/11 14:37:53 | 000,249,616 | ---- | C] (PC Tools) -- C:\windows\System32\drivers\pctgntdi.sys
    [2012/01/11 14:37:53 | 000,102,184 | ---- | C] (PC Tools) -- C:\windows\System32\drivers\pctwfpfilter.sys
    [2012/01/11 14:37:50 | 000,239,168 | ---- | C] (PC Tools) -- C:\windows\System32\drivers\PCTCore.sys
    [2012/01/11 14:37:50 | 000,160,448 | ---- | C] (PC Tools) -- C:\windows\System32\drivers\PCTAppEvent.sys
    [2012/01/11 14:37:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
    [2012/01/11 14:37:42 | 000,070,536 | ---- | C] (PC Tools) -- C:\windows\System32\drivers\pctplsg.sys
    [2012/01/11 11:06:06 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Local\CrashDumps
    [2012/01/11 10:58:09 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
    [2012/01/11 10:58:09 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Roaming\PC Tools
    [2012/01/11 10:58:09 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
    [2012/01/11 10:58:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
    [2012/01/11 10:55:32 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2012/01/11 10:54:36 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
    [2012/01/09 21:47:42 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Roaming\Malwarebytes
    [2012/01/09 21:47:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/01/09 21:47:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/01/05 09:07:44 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Local\Adobe
    [2011/12/30 08:40:07 | 000,000,000 | ---D | C] -- C:\windows\System32\directx
    [2011/12/30 08:38:24 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Roaming\Media Player Classic
    [2011/12/30 08:37:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Player Classic - Home Cinema
    [2011/12/30 08:37:20 | 000,000,000 | ---D | C] -- C:\Program Files\Media Player Classic - Home Cinema
    [2011/12/29 19:38:19 | 000,000,000 | ---D | C] -- C:\windows\System32\SPReview
    [2011/12/29 19:13:12 | 000,000,000 | ---D | C] -- C:\windows\System32\EventProviders
    [2011/12/19 15:51:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Starter (English)
    [2011/12/19 07:41:14 | 000,093,696 | ---- | C] (Windows (R) Codename Longhorn DDK provider) -- C:\windows\System32\fms.dll
    [2011/12/19 07:22:02 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
    [2011/12/17 19:45:49 | 000,000,000 | ---D | C] -- C:\ProgramData\VirtualizedApplications
    [2011/12/17 17:15:40 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Local\SoftGrid Client
    [2011/12/17 17:15:36 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Roaming\SoftGrid Client
    [2011/12/17 17:13:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
    [2011/12/17 17:13:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Application Virtualization Client
    [2011/12/17 17:12:52 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Roaming\TP
    [2011/12/15 10:45:27 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Local\Tific
    [2011/12/15 10:45:25 | 000,000,000 | ---D | C] -- C:\Users\Evan\AppData\Roaming\Tific
    [3 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
    [1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/01/13 10:46:24 | 000,007,617 | ---- | M] () -- C:\Users\Evan\AppData\Local\Resmon.ResmonCfg
    [2012/01/13 10:40:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Evan\Desktop\OTL.exe
    [2012/01/13 10:31:35 | 000,001,945 | ---- | M] () -- C:\windows\epplauncher.mif
    [2012/01/13 10:31:11 | 000,626,722 | ---- | M] () -- C:\windows\System32\perfh009.dat
    [2012/01/13 10:31:11 | 000,107,708 | ---- | M] () -- C:\windows\System32\perfc009.dat
    [2012/01/13 10:31:02 | 000,000,900 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/01/13 09:49:31 | 004,382,027 | R--- | M] (Swearware) -- C:\Users\Evan\Desktop\ComboFix.exe
    [2012/01/13 09:38:52 | 000,001,304 | ---- | M] () -- C:\Users\Evan\Desktop\Notepad.lnk
    [2012/01/13 08:03:13 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
    [2012/01/12 23:02:55 | 000,014,304 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/01/12 23:02:55 | 000,014,304 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/01/12 22:55:42 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts
    [2012/01/12 22:55:14 | 000,000,896 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/01/12 22:54:40 | 796,987,392 | -HS- | M] () -- C:\hiberfil.sys
    [2012/01/12 22:07:08 | 001,008,141 | ---- | M] () -- C:\Users\Evan\Desktop\rkill (2).exe
    [2012/01/12 22:06:48 | 001,008,141 | ---- | M] () -- C:\Users\Evan\Desktop\rkill (1).com
    [2012/01/12 20:44:22 | 000,000,512 | ---- | M] () -- C:\Users\Evan\Desktop\MBR.dat
    [2012/01/12 18:39:40 | 000,044,607 | ---- | M] () -- C:\Users\Evan\Desktop\bootkit_remover.zip
    [2012/01/12 18:39:25 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Users\Evan\Desktop\aswMBR.exe
    [2012/01/11 18:38:04 | 000,023,624 | ---- | M] () -- C:\windows\System32\drivers\hitmanpro36.sys
    [2012/01/11 18:27:15 | 000,290,664 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
    [2012/01/11 18:01:49 | 001,443,646 | ---- | M] () -- C:\windows\System32\drivers\Cat.DB
    [2012/01/11 17:24:32 | 000,000,376 | ---- | M] () -- C:\windows\ODBC.INI
    [2012/01/11 16:50:09 | 000,001,106 | ---- | M] () -- C:\Users\Evan\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2012/01/11 16:50:09 | 000,001,082 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/11 16:43:20 | 000,000,980 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
    [2012/01/11 14:37:48 | 000,002,035 | ---- | M] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
    [2012/01/09 21:44:13 | 000,012,358 | -HS- | M] () -- C:\Users\Evan\AppData\Local\48fud25iil0773oqobc47vhemu8cl47nlr8e32y5g07vaw
    [2012/01/09 21:44:13 | 000,012,358 | -HS- | M] () -- C:\ProgramData\48fud25iil0773oqobc47vhemu8cl47nlr8e32y5g07vaw
    [2012/01/02 11:50:00 | 000,005,424 | ---- | M] () -- C:\Users\Evan\Documents\Nobody Understands Debt - Jan 1 2012 - Krugman OpEd.rtf
    [2011/12/15 11:09:03 | 000,001,422 | ---- | M] () -- C:\Users\Evan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/12/15 11:02:07 | 000,072,822 | ---- | M] () -- C:\windows\System32\ieuinit.inf
    [3 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]
    [1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/01/13 10:30:59 | 000,001,908 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    [2012/01/13 09:38:52 | 000,001,304 | ---- | C] () -- C:\Users\Evan\Desktop\Notepad.lnk
    [2012/01/12 22:17:48 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe
    [2012/01/12 22:17:48 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
    [2012/01/12 22:17:47 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
    [2012/01/12 22:17:47 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
    [2012/01/12 22:17:47 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
    [2012/01/12 22:07:04 | 001,008,141 | ---- | C] () -- C:\Users\Evan\Desktop\rkill (2).exe
    [2012/01/12 22:06:47 | 001,008,141 | ---- | C] () -- C:\Users\Evan\Desktop\rkill (1).com
    [2012/01/12 20:44:22 | 000,000,512 | ---- | C] () -- C:\Users\Evan\Desktop\MBR.dat
    [2012/01/12 18:39:40 | 000,044,607 | ---- | C] () -- C:\Users\Evan\Desktop\bootkit_remover.zip
    [2012/01/11 17:24:32 | 000,000,376 | ---- | C] () -- C:\windows\ODBC.INI
    [2012/01/11 16:50:09 | 000,001,106 | ---- | C] () -- C:\Users\Evan\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2012/01/11 16:50:09 | 000,001,082 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/11 16:43:19 | 000,000,980 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
    [2012/01/11 16:38:41 | 000,023,624 | ---- | C] () -- C:\windows\System32\drivers\hitmanpro36.sys
    [2012/01/11 14:37:48 | 000,002,035 | ---- | C] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
    [2012/01/11 14:10:03 | 001,443,646 | ---- | C] () -- C:\windows\System32\drivers\Cat.DB
    [2012/01/11 11:30:02 | 000,007,617 | ---- | C] () -- C:\Users\Evan\AppData\Local\Resmon.ResmonCfg
    [2012/01/09 21:39:15 | 000,012,358 | -HS- | C] () -- C:\ProgramData\48fud25iil0773oqobc47vhemu8cl47nlr8e32y5g07vaw
    [2012/01/09 21:39:14 | 000,012,358 | -HS- | C] () -- C:\Users\Evan\AppData\Local\48fud25iil0773oqobc47vhemu8cl47nlr8e32y5g07vaw
    [2012/01/02 11:50:00 | 000,005,424 | ---- | C] () -- C:\Users\Evan\Documents\Nobody Understands Debt - Jan 1 2012 - Krugman OpEd.rtf
    [2011/12/19 07:43:48 | 000,146,852 | ---- | C] () -- C:\windows\System32\systemsf.ebd
    [2011/12/19 07:40:09 | 000,010,429 | ---- | C] () -- C:\windows\System32\ScavengeSpace.xml
    [2011/12/19 07:39:46 | 000,105,559 | ---- | C] () -- C:\windows\System32\RacRules.xml
    [2011/12/15 11:02:07 | 000,072,822 | ---- | C] () -- C:\windows\System32\ieuinit.inf
    [2011/12/10 17:11:15 | 000,000,013 | RHS- | C] () -- C:\windows\System32\drivers\fbd.sys
    [2011/12/06 20:15:45 | 000,451,072 | ---- | C] () -- C:\windows\System32\ISSRemoveSP.exe
    [2011/12/06 20:12:58 | 000,000,852 | ---- | C] () -- C:\windows\System32\drivers\RTKHDRC1.dat
    [2011/12/06 20:12:58 | 000,000,852 | ---- | C] () -- C:\windows\System32\drivers\RTKHDRC0.dat
    [2011/12/06 20:12:58 | 000,000,712 | ---- | C] () -- C:\windows\System32\drivers\RTEQEX1.dat
    [2011/12/06 20:12:58 | 000,000,712 | ---- | C] () -- C:\windows\System32\drivers\RTEQEX0.dat
    [2011/12/06 20:08:05 | 000,045,056 | ---- | C] () -- C:\windows\System32\HWS_Ctrl.dll
    [2011/06/10 06:34:52 | 000,080,416 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
    [2010/03/03 23:36:32 | 000,028,672 | ---- | C] () -- C:\windows\System32\SPCtl.dll
    [2009/07/13 21:57:37 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
    [2009/07/13 21:33:53 | 000,290,664 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
    [2009/07/13 19:05:48 | 000,626,722 | ---- | C] () -- C:\windows\System32\perfh009.dat
    [2009/07/13 19:05:48 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat
    [2009/07/13 19:05:48 | 000,107,708 | ---- | C] () -- C:\windows\System32\perfc009.dat
    [2009/07/13 19:05:48 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat
    [2009/07/13 19:05:05 | 000,000,741 | ---- | C] () -- C:\windows\System32\NOISE.DAT
    [2009/07/13 19:04:11 | 000,215,943 | ---- | C] () -- C:\windows\System32\dssec.dat
    [2009/07/13 16:55:01 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
    [2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
    [2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
    [2009/06/10 14:26:10 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\windows\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2012/01/12 22:29:47 | 000,000,000 | ---D | M] -- C:\Users\Evan\AppData\Roaming\SoftGrid Client
    [2011/12/15 10:45:25 | 000,000,000 | ---D | M] -- C:\Users\Evan\AppData\Roaming\Tific
    [2012/01/11 14:17:35 | 000,000,000 | ---D | M] -- C:\Users\Evan\AppData\Roaming\Toshiba
    [2011/12/17 17:15:58 | 000,000,000 | ---D | M] -- C:\Users\Evan\AppData\Roaming\TP
    [2011/12/10 17:52:11 | 000,000,000 | ---D | M] -- C:\Users\Evan\AppData\Roaming\WeatherBug
    [2009/07/13 21:53:46 | 000,009,454 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU(65).TXT
    [2012/01/12 22:31:19 | 000,014,086 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/07/13 18:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
    [2010/11/05 09:47:18 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
    [2012/01/13 10:23:19 | 000,016,711 | ---- | M] () -- C:\ComboFix.txt
    [2009/06/10 14:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2012/01/12 22:54:40 | 796,987,392 | -HS- | M] () -- C:\hiberfil.sys
    [2012/01/12 22:54:44 | 1073,741,824 | -HS- | M] () -- C:\pagefile.sys
    [2012/01/11 18:52:46 | 000,000,389 | ---- | M] () -- C:\rkill.log
    [2012/01/11 09:53:02 | 000,152,896 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_11.01.2012_09.50.48_log.txt
    [2012/01/11 14:27:42 | 000,075,270 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_11.01.2012_14.26.15_log.txt
    [2012/01/11 16:47:08 | 000,076,974 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_11.01.2012_16.46.27_log.txt
    [2012/01/11 18:46:53 | 000,076,044 | ---- | M] () -- C:\TDSSKiller.2.7.0.0_11.01.2012_18.46.01_log.txt

    < %systemroot%\Fonts\*.com >
    [2009/07/13 21:52:25 | 000,026,040 | ---- | M] () -- C:\windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/13 21:52:25 | 000,026,489 | ---- | M] () -- C:\windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/13 21:52:25 | 000,029,779 | ---- | M] () -- C:\windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/13 21:52:25 | 000,043,318 | ---- | M] () -- C:\windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 14:31:19 | 000,000,065 | ---- | M] () -- C:\windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
    [2010/11/20 05:21:36 | 000,030,208 | ---- | M] (Microsoft Corporation) -- C:\windows\system32\spool\prtprocs\w32x86\winprint.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2010/09/23 00:32:56 | 000,301,936 | ---- | M] (Microsoft Corporation) -- C:\windows\WLXPGSS.SCR
    [1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/07/13 21:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/12/15 11:09:03 | 000,000,221 | -HS- | M] () -- C:\Users\Evan\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012/01/12 18:39:25 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Users\Evan\Desktop\aswMBR.exe
    [2012/01/13 09:49:31 | 004,382,027 | R--- | M] (Swearware) -- C:\Users\Evan\Desktop\ComboFix.exe
    [2012/01/13 10:40:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Evan\Desktop\OTL.exe
    [2012/01/12 22:07:08 | 001,008,141 | ---- | M] () -- C:\Users\Evan\Desktop\rkill (2).exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 14:20:04 | 000,000,802 | ---- | M] () -- C:\windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2011/12/29 20:55:23 | 000,008,192 | ---- | M] () -- C:\windows\SECURITY\Database\edb.chk
    [2011/12/29 20:55:23 | 001,048,576 | ---- | M] () -- C:\windows\SECURITY\Database\edb.log
    [2011/12/29 20:55:23 | 001,048,576 | ---- | M] () -- C:\windows\SECURITY\Database\edbres00001.jrs
    [2011/12/29 20:55:23 | 001,048,576 | ---- | M] () -- C:\windows\SECURITY\Database\edbres00002.jrs
    [2011/12/29 20:55:23 | 000,786,432 | ---- | M] () -- C:\windows\SECURITY\Database\edbtmp.log
    [2011/12/29 20:55:23 | 001,056,768 | ---- | M] () -- C:\windows\SECURITY\Database\tmp.edb

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/12/29 20:58:34 | 000,000,402 | -HS- | M] () -- C:\Users\Evan\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2012/01/09 21:44:13 | 000,012,358 | -HS- | M] () -- C:\ProgramData\48fud25iil0773oqobc47vhemu8cl47nlr8e32y5g07vaw

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 171 bytes -> C:\ProgramData\TEMP:DFC5A2B2

    < End of report >

    ----------------------------------------
  15. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    OTL Extras log file:
    OTL Extras logfile created on: 1/13/2012 10:46:46 AM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Evan\Desktop
    Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1013.42 Mb Total Physical Memory | 436.32 Mb Available Physical Memory | 43.05% Memory free
    1.99 Gb Paging File | 1.01 Gb Available in Paging File | 50.56% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
    Drive C: | 223.23 Gb Total Space | 193.26 Gb Free Space | 86.57% Space Free | Partition Type: NTFS

    Computer Name: NETBOOK | User Name: Evan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-3793523996-3693569771-4273842782-1000\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
    "{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
    "{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
    "{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client
    "{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
    "{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
    "{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v1.5.2.3456
    "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
    "{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
    "{297DCADA-86A1-4A42-8A13-66B7D7A09FD2}" = WeatherBug
    "{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
    "{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
    "{39187A4B-7538-4BE7-8BAD-9E83303793AA}" = Toshiba Book Place
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
    "{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
    "{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
    "{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
    "{53536479-DFB0-47ED-9D10-43F3708C222D}" = TOSHIBA eco Utility
    "{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
    "{5AF550B4-BB67-4E7E-82F1-2C4300279050}" = ToshibaRegistration
    "{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
    "{5E6F6CF3-BACC-4144-868C-E14622C658F3}" = TOSHIBA Web Camera Application
    "{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
    "{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
    "{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
    "{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
    "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
    "{8CD0B97D-46E9-4293-B467-A24DB96DB6DB}" = TOSHIBA ReelTime
    "{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
    "{90120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
    "{90140000-006D-0409-0000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
    "{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
    "{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
    "{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
    "{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}" = TOSHIBA Application and Driver Installer
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9D3D8C60-A55F-4fed-B2B9-173001290E16}" = Realtek WLAN Driver
    "{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
    "{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
    "{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
    "{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
    "{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
    "{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
    "{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
    "{B2FB7DBA-CEEC-41F1-BC23-3323D96290F6}" = TOSHIBA Bulletin Board
    "{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator
    "{C2A276E3-154E-44DC-AAF1-FFDD7FD30E35}" = TOSHIBA Assist
    "{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Toshiba Online Backup
    "{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
    "{C7A4F26F-F9B0-41B2-8659-99181108CDE3}" = TOSHIBA Media Controller
    "{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
    "{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
    "{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
    "{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
    "{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
    "{DA84ECBF-4B79-47F2-B34C-95C38484C058}" = Skype Launcher
    "{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
    "{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
    "{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
    "{E69992ED-A7F6-406C-9280-1C156417BC49}" = TOSHIBA Quality Application
    "{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
    "{ED3CBA78-488F-4E8C-B33F-8E3BF4DDB4D2}" = Toshiba App Place
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
    "{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "CCleaner" = CCleaner
    "Google Chrome" = Google Chrome
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "InstallShield_{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
    "InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}" = TOSHIBA Supervisor Password
    "InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}" = TOSHIBA Hardware Setup
    "InstallShield_{53536479-DFB0-47ED-9D10-43F3708C222D}" = TOSHIBA eco Utility
    "InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}" = TOSHIBA Flash Cards Support Utility
    "InstallShield_{8CD0B97D-46E9-4293-B467-A24DB96DB6DB}" = TOSHIBA ReelTime
    "InstallShield_{B2FB7DBA-CEEC-41F1-BC23-3323D96290F6}" = TOSHIBA Bulletin Board
    "InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
    "InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Security Client" = Microsoft Security Essentials
    "NortonPCCheckup" = Toshiba Laptop Checkup
    "Office14.Click2Run" = Microsoft Office Click-to-Run 2010
    "Spyware Doctor" = Spyware Doctor 8.0
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "TOSHIBA Game Console" = WildTangent ORB Game Console
    "VLC media player" = VLC media player 1.1.11
    "WildTangent toshiba Master Uninstall" = WildTangent Games
    "WinLiveSuite" = Windows Live Essentials
    "WT088682" = Bejeweled 2 Deluxe
    "WT088696" = Chuzzle Deluxe
    "WT088750" = Jewel Quest - Heritage
    "WT088759" = Polar Bowler
    "WT089368" = FATE - The Traitor Soul
    "WT089379" = Mystery P.I. - The London Caper
    "WT089381" = Slingo Supreme
    "WT089386" = Governor of Poker 2 Premium Edition
    "WT089395" = Plants vs. Zombies - Game of the Year

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 1/10/2012 5:00:22 PM | Computer Name = Netbook | Source = CVHSVC | ID = 100
    Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
    DownloadLatest Failed: There are currently no active network connections. Background
    Intelligent Transfer Service (BITS) will try again when an adapter is connected.


    Error - 1/11/2012 1:09:05 PM | Computer Name = Netbook | Source = Toshiba App Place | ID = 0
    Description =

    Error - 1/11/2012 2:05:38 PM | Computer Name = Netbook | Source = Application Error | ID = 1000
    Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc100 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time
    stamp: 0x4ce7b96e Exception code: 0xc0000374 Fault offset: 0x000c37b7 Faulting process
    id: 0x444 Faulting application start time: 0x01ccd082a92ff8a0 Faulting application
    path: C:\windows\system32\svchost.exe Faulting module path: C:\windows\SYSTEM32\ntdll.dll
    Report
    Id: dd7a19e9-3c7e-11e1-90bc-1c75087222f2

    Error - 1/11/2012 2:05:55 PM | Computer Name = Netbook | Source = Application Error | ID = 1000
    Description = Faulting application name: wermgr.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc2d7 Faulting module name: ntdll.dll, version: 6.1.7601.17514, time
    stamp: 0x4ce7b96e Exception code: 0xc000000d Fault offset: 0x00097667 Faulting process
    id: 0x1728 Faulting application start time: 0x01ccd08ba754caf8 Faulting application
    path: C:\windows\system32\wermgr.exe Faulting module path: C:\windows\SYSTEM32\ntdll.dll
    Report
    Id: e7b963c2-3c7e-11e1-90bc-1c75087222f2

    Error - 1/11/2012 2:17:13 PM | Computer Name = Netbook | Source = Application Error | ID = 1000
    Description = Faulting application name: pctsSvc.exe, version: 7.0.0.147, time stamp:
    0x4ce59256 Faulting module name: rtl100.bpl, version: 11.0.2902.10471, time stamp:
    0x475fc385 Exception code: 0xc0000005 Fault offset: 0x0000ebe5 Faulting process id:
    0x1744 Faulting application start time: 0x01ccd08b191229bc Faulting application path:
    C:\Program Files\PC Tools Security\pctsSvc.exe Faulting module path: C:\Program
    Files\PC Tools Security\rtl100.bpl Report Id: 7bd3ac54-3c80-11e1-90bc-1c75087222f2

    Error - 1/11/2012 2:37:40 PM | Computer Name = Netbook | Source = Toshiba App Place | ID = 0
    Description =

    Error - 1/11/2012 5:12:22 PM | Computer Name = Netbook | Source = System Restore | ID = 8210
    Description =

    Error - 1/11/2012 5:18:13 PM | Computer Name = Netbook | Source = Application Hang | ID = 1002
    Description = The program PCDiag.exe version 1.0.0.1 stopped interacting with Windows
    and was closed. To see if more information about the problem is available, check
    the problem history in the Action Center control panel. Process ID: 738 Start Time:
    01ccd0a66f4a3747 Termination Time: 32 Application Path: C:\Program Files\TOSHIBA\PCDiag\PCDiag.exe

    Report
    Id: bae6f0e3-3c99-11e1-aa17-1c75087222f2

    Error - 1/11/2012 5:23:56 PM | Computer Name = Netbook | Source = Microsoft Security Client | ID = 1001
    Description = Microsoft Security Client failed to apply security policy: "c:\Program
    Files\Microsoft Security Client\CleanUpPolicy.xml". Error: Failed to load policy
    XML. Verify the file exists and is a valid XML file. Error Code: 0xC00CE22

    Error - 1/11/2012 8:58:17 PM | Computer Name = Netbook | Source = Toshiba App Place | ID = 0
    Description =

    [ System Events ]
    Error - 1/10/2012 2:12:11 PM | Computer Name = Netbook | Source = Microsoft Antimalware | ID = 3002
    Description = %%860 Real-Time Protection feature has encountered an error and failed.

    Feature:
    %%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

    Error - 1/10/2012 2:12:34 PM | Computer Name = Netbook | Source = RTL8192Ce | ID = 0
    Description =

    Error - 1/10/2012 2:12:36 PM | Computer Name = Netbook | Source = RTL8192Ce | ID = 0
    Description =

    Error - 1/10/2012 2:12:36 PM | Computer Name = Netbook | Source = RTL8192Ce | ID = 0
    Description =

    Error - 1/10/2012 5:00:21 PM | Computer Name = Netbook | Source = Microsoft-Windows-DNS-Client | ID = 1012
    Description = There was an error while attempting to read the local hosts file.

    Error - 1/10/2012 5:00:22 PM | Computer Name = Netbook | Source = RTL8192Ce | ID = 0
    Description =

    Error - 1/10/2012 5:00:22 PM | Computer Name = Netbook | Source = RTL8192Ce | ID = 0
    Description =

    Error - 1/10/2012 5:00:22 PM | Computer Name = Netbook | Source = Microsoft-Windows-DNS-Client | ID = 1012
    Description = There was an error while attempting to read the local hosts file.

    Error - 1/10/2012 5:00:24 PM | Computer Name = Netbook | Source = RTL8192Ce | ID = 0
    Description =

    Error - 1/10/2012 5:00:25 PM | Computer Name = Netbook | Source = RTL8192Ce | ID = 0
    Description =


    < End of report >
  16. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    You need more RAM:
    Windows 7 will run much better with at least 2GB of RAM installed.

    ===========================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      [2012/01/09 21:44:13 | 000,012,358 | -HS- | M] () -- C:\Users\Evan\AppData\Local\48fud25iil0773oqobc47vhemu8cl47nlr8e32y5g07vaw
      [2012/01/09 21:44:13 | 000,012,358 | -HS- | M] () -- C:\ProgramData\48fud25iil0773oqobc47vhemu8cl47nlr8e32y5g07vaw
      @Alternate Data Stream - 171 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===============================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ============================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  17. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    OTL Run Fix log is below. I will continue running the processes from your last post now.
    All processes killed
    ========== OTL ==========
    C:\Users\Evan\AppData\Local\48fud25iil0773oqobc47vhemu8cl47nlr8e32y5g07vaw moved successfully.
    C:\ProgramData\48fud25iil0773oqobc47vhemu8cl47nlr8e32y5g07vaw moved successfully.
    ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Evan
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 376966 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 69003613 bytes
    ->Flash cache emptied: 650 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4992 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 66.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Evan
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Evan
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 01132012_130338

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  18. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    I updated Java to the latest version, then ran Javara. Javara apparently didn't find any older versions because it did not create a log file. Or should I say, it brought up a blank log file at the end of it's very quick run.

    QUESTION: I use Google Chrome 90% of the time but do also use IE as my browser 10% of the time. Everything I've done per your instructions I have done using Chrome. Does that matter? For example, I used Chrome to update Java. Would I need to separately do so using IE? I wouldn't think so but wanted to ask.
  19. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    Security Check log file below. Remaining scans to follow.
    Results of screen317's Security Check version 0.99.24
    Windows 7 Service Pack 1 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Microsoft Security Essentials
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Spyware Doctor 8.0
    CCleaner
    Java(TM) 6 Update 30
    Adobe Flash Player ( 10.1.82.76) Flash Player Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Microsoft Security Client Antimalware MsMpEng.exe
    Microsoft Security Client Antimalware NisSrv.exe
    Microsoft Security Client Antimalware MpCmdRun.exe
    ``````````End of Log````````````
  20. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    No.
  21. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    Farbar Service Scan results:
    Farbar Service Scanner
    Ran by Evan (administrator) on 13-01-2012 at 13:35:10
    Microsoft Windows 7 Starter Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========

    File Check:
    ========
    C:\windows\system32\nsisvc.dll => MD5 is legit
    C:\windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\windows\system32\dhcpcore.dll => MD5 is legit
    C:\windows\system32\Drivers\afd.sys => MD5 is legit
    C:\windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\windows\system32\dnsrslvr.dll => MD5 is legit
    C:\windows\system32\mpssvc.dll => MD5 is legit
    C:\windows\system32\bfe.dll => MD5 is legit
    C:\windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\windows\system32\SDRSVC.dll => MD5 is legit
    C:\windows\system32\vssvc.exe => MD5 is legit
    C:\windows\system32\wscsvc.dll => MD5 is legit
    C:\windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\windows\system32\wuaueng.dll => MD5 is legit
    C:\windows\system32\qmgr.dll => MD5 is legit
    C:\windows\system32\es.dll => MD5 is legit
    C:\windows\system32\cryptsvc.dll => MD5 is legit
    C:\windows\system32\svchost.exe => MD5 is legit
    C:\windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
  22. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    Final scan - Eset - No threats found.

    Please advise. Thank you.
  23. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Update Adobe Flash Player
    Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

    =========================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
  24. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    I downloaded the Adobe 32-bit direct download from the link you provided. Hope that was the right choice. I then ran OTL with the custom scan you gave me. Log file is below. I will now continue with your instructions.

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Evan
    ->Temp folder emptied: 3149 bytes
    ->Temporary Internet Files folder emptied: 213126 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 13575337 bytes
    ->Flash cache emptied: 470 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 7554 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 13.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Evan
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Evan
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.31.0 log created on 01132012_220741

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  25. hammacher

    hammacher Newcomer, in training Topic Starter Posts: 19

    I have completed all the instructions. Thank you so much for your detailed instructions, your prompt follow up, and your complete responses. My CPU usage is now back to normal, ranging between 1% and 5% when the computer is idle. I will monitor the cooling fan and CPU usage over the next day or two and report back here to follow up.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.