Solved After System Check clean-up - cannot find 6924636.exe


SBV

I somehow managed to get the System Clean virus on my computer a few days ago (Damn them!). I think I've managed to clean it and get it off - except I now get a pop-up window when I turn my computer on which says 'Windows Cannot Find 6924636.exe' (it also brings up a box which has _uninst_23372510 at the top). When I click 'ok' they both go.

Obviously it's annoying and I want to get rid of it - and make sure it's not part of the virus left on. I've done virus scans and nothing else is coming up. I got all the other System Check bits off. I tried googling for 'Windows Cannot Find .exe' and found lots of other topics for when a program had changed all the .exe's. I then followed one piece of advice and downloaded Panda's antivirus - it then changed ALL my .exe files so none would open. I managed to then find a fix and got the .exe's back working - but still this 6924636.exe pop-up window shows when I start the computer. The numbers make me think it's something to do with the virus. I have tried searching for it but it doesn't come up anywhere. So how do I stop this from appearing?
 
And you want to find this file 6924636.exe- why? You're assuming it's a legitimate file that's missing, correct? Not necessarily true.

It means that something is on Startup that is trying to get you to download this file. It does NOT mean you need the file or that it's a legitimate file. Whatever it is is tempting you to look for this .exe file and get it. So- what if it's malware? What if this file will infect more of your system?

One thing you do not do is go looking for random fixes. Nor should you check OK to _uninst_23372510 when you don't know what it's doing.
====================================
For the record, this thread is the only site that comes up when I look for either 6964636.exe or _uninst_23372510. That's pretty much a giveaway that it's malware related. So we need to find the malware.
================================
Since I didn't assist you in removing what may have been System Check, I will make 2 suggestions:
First: Click on Start> Run> type in msconfig> Enter> Startup tab> Do you see any entry on the left that matches 6924636.exe? Do you see any entry that you don't recognize? If the latter, expand the Command section by holding the left mouse button down on the line in the frame between Command and Location and moving it to the right.

If you see anything you can't identify, note it down somewhere and do an online search to ID it. DON'T download it just because you see it advertised from a site. That's one of the ways malware gets on a system.

Second: Run these scans here so I can see what's on the system:
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
=================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Thank you for the quick reply.

I never said I wanted to find it (and definitely not run it) - I just said I wanted to get rid of it!

I know it may be part of the virus - this is why I want to get rid of it.

Thanks for the suggestions. I have gone to Start > Run > msconfig >

On the startup list, it does show _uninst_23372510

The command says it's coming from \AppData\Local\Temp\_UNINS~1.BAT

Should I just go into AppData and delete that? What should I do? (I'm a bit crap when it comes to computer related problems)

Where do we find the logs that we have to post?
 
There also appears to be gfUomFNvRQL.exe in the startup - which I also assume is part of the virus. How come when I run Malwarebytes it says there's no malware showing? It deleted a few items last week when I first found it.

System Check doesn't start up or anything.
 
Where do we find the logs that we have to post?

Second: Run these scans here so I can see what's on the system:
Please follow these steps: Preliminary Virus and Malware Removal.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

You run the scans in the blue link. Each scan produces a log (DDS has 2 logs). You then paste those logs into your next reply.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

Leave the entry you found on Startup. We still don't know what it's for.

Regarding this:
(I'm a bit crap when it comes to computer related problems)

Pay good attention- I will help you learn more!
 
Thanks. I uninstalled AVG and got rid of the Panda Cleaner and downloaded Microsoft Security Essentials and did the Quick Scan. Here are the logs:

Malwarebytes:

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421

22/01/2012 7:53:09 pm
mbam-log-2012-01-22 (19-53-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 238099
Time elapsed: 55 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



GMER LOG:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-22 21:02:46
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: g0lo314p.exe; Driver: C:\Users\SHARIB~1\AppData\Local\Temp\kfddypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


DDS TXT LOG:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by ShariBlackVelvet at 21:06:42 on 2012-01-22
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.2939.1511 [GMT 0:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\AOL\1287764634\ee\aolsoftware.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\Program Files\Common Files\AOL\1287764634\ee\aolsoftware.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\ShariBlackVelvet\Desktop\g0lo314p.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Toshiba TEMPO] c:\program files\toshiba tempro\Toshiba.Tempo.UI.TrayApplication.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
mRun: [Skytel] Skytel.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [HostManager] c:\program files\common files\aol\1287764634\ee\AOLSoftware.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Plugin Install] c:\program files\quicktime\plugins\DeleteMe1.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [Google EULA Launcher] c:\program files\google\google eula\GoogleEULALauncher.exe IE PA
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\aoldes~1.lnk - c:\program files\common files\aol\1287764634\ee\aolsoftware.exe
StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\shariblackvelvet\appdata\local\temp\_uninst_23372510.bat
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se\CameraMonitor.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
TCP: Interfaces\{35594759-A864-4F40-8CDF-600825668E4A} : NameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\shariblackvelvet\appdata\roaming\mozilla\firefox\profiles\x97wkle1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50ffaoldesktop-chromesbox-en-us&tb_uuid=20110306000852167&tb_oid=06-03-2011&tb_mrud=06-03-2011
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.nectar.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\shariblackvelvet\appdata\roaming\mozilla\firefox\profiles\x97wkle1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\shariblackvelvet\appdata\roaming\mozilla\firefox\profiles\x97wkle1.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\users\shariblackvelvet\appdata\roaming\mozilla\firefox\profiles\x97wkle1.default\extensions\twitternotifier@naan.net\platform\winnt\components\nsTwitterFoxSign.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\shariblackvelvet\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\shariblackvelvet\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-2 64512]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-6-9 20352]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl6299086f;MpKsl6299086f;c:\programdata\microsoft\microsoft antimalware\definition updates\{ea69181b-1a19-49b7-9528-240626abad44}\MpKsl6299086f.sys [2012-1-22 29904]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-16 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\toshiba tempro\TemproSvc.exe [2009-4-21 116104]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-7-1 7168]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2152152]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-6-9 937984]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-22 19:40:56 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ea69181b-1a19-49b7-9528-240626abad44}\offreg.dll
2012-01-22 19:40:56 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ea69181b-1a19-49b7-9528-240626abad44}\MpKsl6299086f.sys
2012-01-22 19:32:17 703824 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1545967a-82c4-4793-b821-b094890f36e0}\gapaengine.dll
2012-01-22 19:31:54 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ea69181b-1a19-49b7-9528-240626abad44}\mpengine.dll
2012-01-22 19:21:12 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-22 19:20:12 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-01-22 15:47:18 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{53D74D6C-88CC-46DA-9546-3BEF15BF963C}
2012-01-22 15:47:08 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3F53012E-F14F-4B8C-9155-03402D752C1B}
2012-01-21 22:32:54 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{C2C8570B-1184-4B85-A9C7-BDC58ACB08E3}
2012-01-21 22:32:45 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9FA5FB70-B5EE-4867-99A9-6B829532A02D}
2012-01-21 22:32:35 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{36E5AA70-6740-404B-B169-02C7D43DDABB}
2012-01-21 22:32:22 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{7827AF63-D31B-47B2-83FA-6E692D53DAF7}
2012-01-21 10:31:54 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{C72025E9-D6F9-4503-870F-31712928B1D9}
2012-01-21 10:31:43 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{01E2A91E-B125-4B5E-9828-DF06AC94F7BC}
2012-01-20 15:49:14 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3821DA62-CCC7-4238-9EDF-1A411124955F}
2012-01-20 15:49:04 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{584B6187-904D-47B9-B9FF-4A53D382F895}
2012-01-19 20:24:23 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{5E36AF94-1174-42BE-B4A5-2EE6003DAB40}
2012-01-19 20:24:13 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{38A0CD74-9C00-4EA3-BCDD-D1F43FEE918E}
2012-01-19 20:24:02 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9FD28A24-3CAB-4A93-A980-28660C32B038}
2012-01-19 20:23:45 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{58DC4FF8-696F-4110-801C-8C6FDF78B176}
2012-01-19 17:49:41 -------- d-----w- c:\program files\Panda Security
2012-01-19 08:23:18 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B018732F-DDFF-4C9B-A1C0-2B416C761E15}
2012-01-19 08:23:09 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{E32EFEC9-D0ED-402B-BC84-70594B9C3B8E}
2012-01-19 08:22:59 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{3906C031-DDC7-450C-A5B2-66B70D259DA9}
2012-01-19 08:22:48 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B68F3ABE-995E-42F3-A483-FBA91326942F}
2012-01-18 20:22:22 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{324F9DF9-7B6A-4652-9283-1BE583D9466A}
2012-01-18 20:22:11 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{87AAC18E-7B3C-49B5-A354-6084BCA6137F}
2012-01-18 19:52:42 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{28d0e58b-d0bf-447b-bf43-22d064460452}\mpengine.dll
2012-01-18 16:57:37 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 16:57:36 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 16:57:35 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-18 16:57:35 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 16:57:35 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-18 16:57:35 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 08:18:54 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{737A210E-1AEE-4A98-A6E6-FAC688F5F70B}
2012-01-18 08:18:44 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{91EC7AFA-6396-4384-8FF7-515AC6FFD803}
2012-01-18 08:18:35 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{B5C3E514-1E2D-4409-8092-0980EC5C6F6E}
2012-01-18 08:18:24 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{9900F514-B827-4C60-881F-E5A6F870AE0F}
2012-01-17 20:17:48 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{30E415F8-B024-4CD7-AB3C-C0C2638DD221}
2012-01-17 20:17:33 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{26E07204-AB28-4F0C-97FD-6397DD7FAAAC}
2012-01-17 19:13:23 -------- d-----w- c:\programdata\Kaspersky Lab
2012-01-17 07:50:49 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{A9CC87D8-1286-4520-AA9A-2ED7E69C323A}
2012-01-17 07:50:38 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{4980347A-CBD9-4459-B05C-A736F59E5C54}
2012-01-17 07:49:58 -------- d-----w- c:\users\shariblackvelvet\appdata\local\dbMobileInit
2012-01-16 15:20:53 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{FB9B9C1D-39C5-4384-9346-7940E75E853B}
2012-01-16 15:20:25 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{E63320BC-A614-417E-8ADA-4D5EE70B14C3}
2012-01-16 15:20:07 -------- d-----w- c:\users\shariblackvelvet\appdata\local\QuickGL.NET
2012-01-16 07:47:43 -------- d-----w- c:\users\shariblackvelvet\appdata\local\AppleHelp64
2012-01-16 03:00:45 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{A6C3816F-812A-4CD3-A700-8756BEAA473B}
2012-01-16 03:00:12 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{CED94EBA-94DF-40F5-8F12-A7B3BAFEC13E}
2012-01-15 14:59:53 -------- d-----w- c:\users\shariblackvelvet\appdata\local\{0740BBF3-0946-4BDC-84BB-562B11766367}
.
==================== Find3M ====================
.
2011-12-10 15:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 07:53:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
.
============= FINISH: 21:07:38.77 ===============
 
ATTACH TXT FILE (Does everyone really need to see all the programs I have?!)

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume2
Install Date: 09/06/2009 5:54:39 pm
System Uptime: 22/01/2012 7:24:46 pm (2 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | CPU | 1333/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 57.767 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 148 GiB total, 110.887 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Atheros AR9281 Wireless Network Adapter
Device ID: PCI\VEN_168C&DEV_002A&SUBSYS_7141144F&REV_01\4&3388DB6&0&00E1
Manufacturer: Atheros Communications Inc.
Name: Atheros AR9281 Wireless Network Adapter
PNP Device ID: PCI\VEN_168C&DEV_002A&SUBSYS_7141144F&REV_01\4&3388DB6&0&00E1
Service: athr
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
.
==== Event Viewer Messages From Past Week ========
.
22/01/2012 7:27:04 pm, Error: Service Control Manager [7000] - The TOSHIBA Bluetooth Service service failed to start due to the following error: The system cannot find the file specified.
22/01/2012 7:23:38 pm, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
20/01/2012 3:50:51 pm, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Modules Installer service to connect.
20/01/2012 3:50:51 pm, Error: Service Control Manager [7000] - The Windows Modules Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
20/01/2012 3:50:51 pm, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service TrustedInstaller with arguments "" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
18/01/2012 5:21:16 pm, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Agere Modem Call Progress Audio service to connect.
18/01/2012 5:21:16 pm, Error: Service Control Manager [7000] - The Agere Modem Call Progress Audio service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
17/01/2012 3:45:52 pm, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
17/01/2012 3:44:46 pm, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the FLEXnet Licensing Service service to connect.
17/01/2012 3:44:46 pm, Error: Service Control Manager [7000] - The FLEXnet Licensing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
17/01/2012 3:41:16 pm, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect.
17/01/2012 3:41:16 pm, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================
 
I'm thinking that I really need to get rid of the gfUomFNvRQL.exe file that shows in startup. It says the command is C:\ProgramData\gfUomFNvRQL.exe and is located at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

How do I actually get to that to delete it?

I have just deleted _uninst_23372510.bat and I've clicked to disable gfUomFNvRQL.exe in the startup and just restarted and now the pop-up window doesn't come up. But obviously I think it needs to be gotten rid of properly as it's no doubt part of the virus.
 
ATTACH TXT FILE (Does everyone really need to see all the programs I have?!)
I doubt anyone has the time to look at your programs- they have enough of their own! If there is a personal full name in a log, I can delete that.
=========================================
I asked you not to delete the files if you found them on startup- just see if they were there and what they belonged to. The reason you are infected is because all of the infection was not completed. Please do only what I ask.
>> "it needs to be gotten rid of properly." Yes

These will be removed in the proper way:
About the _UNINS~1.BAT:
StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\shariblackvelvet\appdata\local\temp\_uninst_23372510.bat

About the gfUomFNvRQL.exe
uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe
uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe
I can remove both files with script after you run Combofix.
===============================
You have about 150-200 of these files: c:\users\shariblackvelvet\appdata\local\{xxxx}
Do you have any idea what they are?
==============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job; this is normal.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
========================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
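A read-only audit of the two autorun locations quoted in the post above (the HKCU Run key and the per-user Startup folder), as an added PowerShell example that is not part of this thread or of any tool it mentions. It assumes a standard per-user profile layout (ProgramData, Temp and AppData\Local resolved from the environment) and only reports; it deletes nothing.

```powershell
# Added example (not from the thread): list per-user autorun entries and flag those whose
# target is missing (the cause of a "Windows cannot find X.exe" prompt at logon) or lives in a
# folder that legitimate installers rarely launch from (ProgramData root, Temp, AppData\Local root).
# Assumption: run in the affected user's session; paths come from that user's environment.

$suspectDirs = @($env:ProgramData, $env:TEMP, $env:LOCALAPPDATA)

function Get-AutorunTarget {
    param([string]$Command)
    # Strip surrounding quotes and any arguments:  "c:\x\y.exe" /arg  ->  c:\x\y.exe
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split '\s+')[0]
}

function Test-SuspectLocation {
    param([string]$Path)
    # True when the file's parent folder is exactly one of the suspect roots.
    $dir = Split-Path -Path $Path -Parent
    if (-not $dir) { return $false }
    foreach ($d in $suspectDirs) {
        if ($d -and ($dir.TrimEnd('\') -ieq $d.TrimEnd('\'))) { return $true }
    }
    return $false
}

function Test-TargetExists {
    param([string]$Path)
    # A bare name such as rundll32.exe is resolved via PATH at logon, so it reports
    # as missing here; inspect those by hand rather than treating them as orphaned.
    if (-not $Path) { return $false }
    return (Test-Path -LiteralPath $Path)
}

$findings = @()

# 1. HKCU\...\Run values (shown as "uRun:" lines in the DDS log)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
        $target = Get-AutorunTarget ([string]$p.Value)
        $findings += [pscustomobject]@{
            Source  = 'HKCU Run'
            Name    = $p.Name
            Target  = $target
            Exists  = Test-TargetExists $target
            Suspect = Test-SuspectLocation $target
        }
    }
}

# 2. Shortcuts in the per-user Startup folder (shown as "StartupFolder:" lines in the DDS log)
$startup = [Environment]::GetFolderPath('Startup')
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    $findings += [pscustomobject]@{
        Source  = 'Startup folder'
        Name    = $_.Name
        Target  = $target
        Exists  = Test-TargetExists $target
        Suspect = Test-SuspectLocation $target
    }
}

# Suspect or orphaned entries sort to the top. Record what each belongs to before
# anything is removed; the removal itself is done by the helper's scripted fix, not here.
$findings | Sort-Object Suspect, Exists -Descending | Format-Table -AutoSize
```

An entry with Exists = False and a numeric or random-looking name is the usual source of a startup "cannot find" message; a Suspect = True entry with a .bat in Temp or an .exe in the ProgramData root matches the two items the helper singled out.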
 
Here are the logs:

COMBOFIX:

ComboFix 12-01-23.02 - ShariBlackVelvet 23/01/2012 3:57.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.2939.1680 [GMT 0:00]
Running from: c:\users\ShariBlackVelvet\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\ShariBlackVelvet\Documents\~WRL0005.tmp
c:\users\ShariBlackVelvet\Documents\~WRL1491.tmp
c:\windows\system32\jgaw400.dll
c:\windows\system32\nseA46E.tmp
c:\windows\system32\nszA44E.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-23 to 2012-01-23 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2009-11-12 16:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:37 . 2011-12-14 15:41 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 07:53 . 2011-05-14 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 14:42 . 2011-12-14 15:40 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47 . 2011-12-15 07:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40 . 2011-12-15 07:59 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39 . 2011-12-15 07:59 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31 . 2011-12-15 07:59 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01 . 2011-12-14 15:41 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01 . 2011-12-14 15:41 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56 . 2011-12-14 15:40 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-30 09:06 . 2011-05-05 22:58 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [BU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-06-09 26112]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2009-04-21 1045904]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"HostManager"="c:\program files\Common Files\AOL\1287764634\ee\AOLSoftware.exe" [2010-02-10 41800]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"QuickTime Plugin Install"="c:\program files\QuickTime\Plugins\DeleteMe1.exe" [2011-08-04 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\users\ShariBlackVelvet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\1287764634\ee\aolsoftware.exe [2010-2-10 41800]
_uninst_23372510.lnk - c:\users\ShariBlackVelvet\AppData\Local\Temp\_uninst_23372510.bat [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2010-5-25 253952]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL0CDE92D6
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 11:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{35594759-A864-4F40-8CDF-600825668E4A}: NameServer = 192.168.1.1
FF - ProfilePath - c:\users\ShariBlackVelvet\AppData\Roaming\Mozilla\Firefox\Profiles\x97wkle1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50ffaoldesktop-chromesbox-en-us&tb_uuid=20110306000852167&tb_oid=06-03-2011&tb_mrud=06-03-2011
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.nectar.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
.
------- File Associations -------
.
.reg=REG_SZ
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
HKLM-Run-ITSecMng - c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
HKLM-Run-Toshiba TEMPO - c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-gfUomFNvRQL - c:\programdata\gfUomFNvRQL.exe
AddRemove-HDMI - c:\windows\system32\igxpun.exe
AddRemove-HyperCam 3 - c:\program files\HyperCam 3\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-23 04:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????]?Y??P?U?x?U???U???U??
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-01-23 04:19:41
ComboFix-quarantined-files.txt 2012-01-23 04:19
.
Pre-Run: 60,850,282,496 bytes free
Post-Run: 65,542,144,000 bytes free
.
- - End Of File - - D3620A77CC2296CB2F2A467E44FC59E2

ESETSCAN:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk LNK/URL.B trojan
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk LNK/URL.B trojan
C:\Users\ShariBlackVelvet\AppData\Local\AppleHelp64\mfcPathdrv.exe probably a variant of Win32/Sefnit.CD trojan
C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\78e0c967-3cf26355 Java/Agent.X trojan
C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6527ca69-6646d483 multiple threats
C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\37406235-5a78014a probably a variant of Win32/TrojanDownloader.Agent.JFLSFWP trojan
C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\6113bd39-51cff152 Java/Agent.Y trojan
C:\Users\ShariBlackVelvet\Downloads\fyzip-setup.exe Win32/DownloadAdmin.A.Gen application
How come Esetscan says all of these are threats when the others don't? I'm sure fyzip for example is not.
 
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes
    :Files
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk
    C:\Users\ShariBlackVelvet\AppData\Local\AppleHelp64\mfcPathdrv.exe
    C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\78e0c967-3cf26355
    C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\6527ca69-6646d483
    C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\37406235-5a78014a
    C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\6113bd39-51cff152
    C:\Users\ShariBlackVelvet\Downloads\fyzip-setup.exe
    :Commands
    [purity]
    [emptytemp]
    [clearjavacache]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
How come Esetscan says all of these are threats when the others don't? I'm sure fyzip for example is not.
My guess is that you downloaded it from a torrent site and got malware with it.
======================================
Download CKScanner and save to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=====================================
 
OTMoveIt log:


All processes killed
Error: Unable to interpret <[emptytemp]> in the current context!
Error: Unable to interpret <[clearjavacache]> in the current context!
Error: Unable to interpret <[start explorer]> in the current context!
Error: Unable to interpret <[Reboot]> in the current context!

OTM by OldTimer - Version 3.1.19.0 log created on 01242012_082200


CKScanner Log:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\users\shariblackvelvet\contacts\edd.mccracken@sundayherald.com.contact
c:\users\shariblackvelvet\contacts\nick. cracknell - total guitar (e-mail).contact
c:\users\shariblackvelvet\documents\windows mail vcf address book\edd_mccracken@sundayherald_com.vcf
c:\users\shariblackvelvet\documents\windows mail vcf address book\nick_ cracknell - total guitar (e-mail).vcf
scanner sequence 3.BB.11.OWAPOT
----- EOF -----
 
Did you copy the entries in the OTM codebox just like I had them? I've never seen this before.

Please download OTM again, copy the code exactly and follow the rest of the directions.
 
Ok, just tried again:

OTMoveIt log:

All processes killed
========== PROCESSES ==========
========== FILES ==========
File/Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk not found.
File/Folder C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\RAR File Open Knife - Free Opener\RAR File Open Knife - Free Opener Updates.lnk not found.
File/Folder C:\Users\ShariBlackVelvet\AppData\Local\AppleHelp64\mfcPathdrv.exe not found.
File/Folder C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39 \78e0c967-3cf26355 not found.
File/Folder C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41 \6527ca69-6646d483 not found.
File/Folder C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53 \37406235-5a78014a not found.
File/Folder C:\Users\ShariBlackVelvet\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57 \6113bd39-51cff152 not found.
File/Folder C:\Users\ShariBlackVelvet\Downloads\fyzip-setup.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: ShariBlackVelvet
->Temp folder emptied: 81810 bytes
->Temporary Internet Files folder emptied: 1278525958 bytes
->Java cache emptied: 85043500 bytes
->FireFox cache emptied: 430908259 bytes
->Google Chrome cache emptied: 19003248 bytes
->Flash cache emptied: 7808 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 25702 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2384612 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 37563502 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,768.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 01242012_215919

Files moved on Reboot...

Registry entries deleted on Reboot...


CKScanner Log:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\users\shariblackvelvet\contacts\edd.mccracken@sundayherald.com.contact
c:\users\shariblackvelvet\contacts\nick. cracknell - total guitar (e-mail).contact
c:\users\shariblackvelvet\documents\windows mail vcf address book\edd_mccracken@sundayherald_com.vcf
c:\users\shariblackvelvet\documents\windows mail vcf address book\nick_ cracknell - total guitar (e-mail).vcf
scanner sequence 3.BB.11.QVLBOE
----- EOF -----
 
From OTM: "Total Files Cleaned = 1,768.00 mb". This is an enormous number of files! Do you do any maintenance on the computer? For instance:
1. Delete temporary internet files and Cookies.
2. Disc Cleanup.
3. Error Check.
4. Defrag.
All of the above should be done on a regular basis. All of these files will slow the system down. And whenever you have to do any scans - any kind of scan - the scan will take much more time because all of the files have to be scanned.

It appears that there is only one user on this system.

The processes themselves were actually killed the first time you ran the program. Perhaps you didn't include the Commands when you ran OTM the first time.
==================================
Please disable this part of AdAware if you are going to run MSE:
AV: Lavasoft Ad-Watch Live! Anti-Virus

Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
Folder::
c:\program files\Panda Security
c:\programdata\Kaspersky Lab
DDS::
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [gfUomFNvRQL.exe] c:\programdata\gfUomFNvRQL.exe
StartupFolder: c:\users\sharib~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\shariblackvelvet\appdata\local\temp\_uninst_23372510.bat
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-
RegLock
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
A note: There are what looks to be about 200 appdata entries in the DDS log. I don't know what they are, I cannot ID them. I can only caution you to be sure you're the one in charge of the machine, not the apps!
=============================
Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
When scan has finished, you will see this image:
(image: scan-finished.jpg)

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
============================
You still had a Trojan entry, so I want to make sure you're clean.
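The helper's CFScript above removes a Startup-folder shortcut whose target is gone ([N/A]) and lives in Temp, plus an orphaned executable sitting in the root of ProgramData. As an added example (not ComboFix's, OTM's or the helper's own code), this Python script parses ComboFix-style autostart lines and flags exactly those patterns; the sample log is constructed from the entries quoted in this thread, and the heuristics are the author's, not ComboFix's.

```python
"""Triage autostart entries from a ComboFix-style 'Reg Loading Points' listing.

Handles the three line shapes seen in the logs above: Run-key values,
Startup-folder .lnk lines and MSConfigStartUp orphans.  Flags launchers whose
target is missing ([N/A]), anything started from a Temp folder, script files
started instead of installed programs, and executables dropped straight into
the root of ProgramData or a profile folder.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\users\ShariBlackVelvet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\1287764634\ee\aolsoftware.exe [2010-2-10 41800]
_uninst_23372510.lnk - c:\users\ShariBlackVelvet\AppData\Local\Temp\_uninst_23372510.bat [N/A]
.
MSConfigStartUp-gfUomFNvRQL - c:\programdata\gfUomFNvRQL.exe
"""

# "Name"="target" [date size]      (registry Run values)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?')
# Name.lnk - target [date size]    (Startup folder shortcuts; meta is N/A when the target is gone)
LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<target>.+?)(?:\s*\[(?P<meta>[^\]]*)\])?$')
# MSConfigStartUp-Name - target    (entries ComboFix lists under ORPHANS REMOVED)
ORPHAN_RE = re.compile(r'^(?P<kind>MSConfigStartUp|HKLM-Run|HKCU-Run)-(?P<name>.+?) - (?P<target>.+)$')

TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)
# Roots where legitimate installers do not leave a bare executable (heuristic).
BARE_ROOT_RE = re.compile(
    r'^[a-z]:\\(programdata|users\\[^\\]+(\\appdata\\(local|roaming|locallow))?)$',
    re.IGNORECASE)
SCRIPT_EXTS = {'.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.ps1', '.scr'}


@dataclass
class Autostart:
    source: str   # registry key, Startup folder, or orphan kind the entry came from
    name: str
    target: str
    meta: str     # "date size", "N/A" when ComboFix could not stat the target, "" if absent


def parse_entries(text):
    """Return Autostart records for every recognised line in the listing."""
    entries, source = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if line.startswith('[') and line.endswith(']'):   # registry key header
            source = line[1:-1]
            continue
        if line.endswith('\\'):                            # Startup folder header
            source = line
            continue
        for rx in (ORPHAN_RE, RUN_VALUE_RE, LNK_RE):
            m = rx.match(line)
            if m:
                g = m.groupdict()
                entries.append(Autostart(g.get('kind') or source, g['name'],
                                         g['target'].strip(), g.get('meta') or ''))
                break
    return entries


def assess(entry):
    """List the reasons an entry deserves a closer look (empty list = nothing noted)."""
    reasons = []
    if entry.meta.upper() == 'N/A':
        reasons.append('target no longer exists but the launcher still fires at logon '
                       '(the usual source of "Windows cannot find ..." pop-ups)')
    if TEMP_RE.search(entry.target):
        reasons.append('launches from a Temp folder, where installers do not keep persistent components')
    if ntpath.splitext(entry.target)[1].lower() in SCRIPT_EXTS:
        reasons.append('runs a script rather than an installed program')
    if BARE_ROOT_RE.match(ntpath.dirname(entry.target)):
        reasons.append('executable sits directly in the root of ProgramData or a profile folder')
    if entry.source.startswith('MSConfigStartUp'):
        reasons.append('entry was only disabled via msconfig, not removed; the file may still be on disk')
    return reasons


def triage(text):
    """Map each flagged entry name to its list of reasons."""
    findings = {}
    for entry in parse_entries(text):
        reasons = assess(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print('  -', reason)
```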
 
I do do disc cleanups and defrags - sometimes it tells me I don't need to.

Not sure what those 200 files are - I've looked and see the ones you mean. They look like folders; when I click on them there's nothing inside. Do you think I can delete them? I wonder if they just came from some Toshiba updates or something.



ComboFix Log:

ComboFix 12-01-23.02 - ShariBlackVelvet 25/01/2012 1:42.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.2939.1762 [GMT 0:00]
Running from: c:\users\ShariBlackVelvet\Desktop\ComboFix.exe
Command switches used :: c:\users\ShariBlackVelvet\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Panda Security
c:\program files\Panda Security\Panda ActiveScan Cleaner\20120119-184112-211e2b84-79c3-4100-9d3b-682967ae338f.pad
c:\program files\Panda Security\Panda ActiveScan Cleaner\211e2b84-79c3-4100-9d3b-682967ae338f.stat
c:\program files\Panda Security\Panda ActiveScan Cleaner\a1856b422ded36132a2f07689ee2563fKRN_DATA
c:\program files\Panda Security\Panda ActiveScan Cleaner\a1856b422ded36132a2f07689ee2563fPSK_NM
c:\program files\Panda Security\Panda ActiveScan Cleaner\a1856b422ded36132a2f07689ee2563fPSK_NM2
c:\program files\Panda Security\Panda ActiveScan Cleaner\analyze.txt
c:\program files\Panda Security\Panda ActiveScan Cleaner\mylog.txt
c:\program files\Panda Security\Panda ActiveScan Cleaner\Nemesis.LOG
c:\program files\Panda Security\Panda ActiveScan Cleaner\pav.zip
c:\program files\Panda Security\Panda ActiveScan Cleaner\pavcl.log
c:\program files\Panda Security\Panda ActiveScan Cleaner\pavcl.rpt
c:\program files\Panda Security\Panda ActiveScan Cleaner\version.ini
c:\programdata\Kaspersky Lab
c:\programdata\Kaspersky Lab\~PRCustomProps#4dd.dat
c:\programdata\Kaspersky Lab\~PRObjects#4dd.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-12-25 to 2012-01-25 )))))))))))))))))))))))))))))))
.
.
2012-01-25 01:57 . 2012-01-25 01:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-24 22:12 . 2012-01-24 22:12 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3DFC29AA-2B46-44EB-B7BA-B54343D315FF}\offreg.dll
2012-01-24 08:04 . 2012-01-24 08:04 -------- d-----w- C:\_OTM
2012-01-24 08:01 . 2012-01-17 04:39 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-24 08:00 . 2012-01-17 04:39 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3DFC29AA-2B46-44EB-B7BA-B54343D315FF}\mpengine.dll
2012-01-23 04:24 . 2012-01-23 04:24 -------- d-----w- c:\program files\ESET
2012-01-22 19:32 . 2011-10-04 17:22 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1545967A-82C4-4793-B821-B094890F36E0}\gapaengine.dll
2012-01-22 19:21 . 2012-01-22 19:22 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-22 19:20 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-01-18 19:52 . 2011-11-30 02:21 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{28D0E58B-D0BF-447B-BF43-22D064460452}\mpengine.dll
2012-01-18 16:57 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-18 16:57 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-18 16:57 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-18 16:57 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-18 16:57 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-18 16:57 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-17 07:49 . 2012-01-17 15:19 -------- d-----w- c:\users\ShariBlackVelvet\AppData\Local\dbMobileInit
2012-01-16 15:20 . 2012-01-16 15:20 -------- d-----w- c:\users\ShariBlackVelvet\AppData\Local\QuickGL.NET
2012-01-16 07:47 . 2012-01-24 08:04 -------- d-----w- c:\users\ShariBlackVelvet\AppData\Local\AppleHelp64
2012-01-11 19:13 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 19:13 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 19:13 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 19:13 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 19:13 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 19:13 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-11 19:13 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 19:13 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-07 16:32 . 2011-09-16 15:33 11137024 ----a-w- c:\windows\system32\libmfxsw32.dll
2012-01-07 16:32 . 2010-05-27 12:32 774144 ----a-w- c:\windows\system32\htmlayout.dll
2012-01-07 16:32 . 2010-05-27 12:32 1003008 ----a-w- c:\windows\system32\libeay32.dll
2012-01-07 03:14 . 2012-01-17 18:54 -------- d-----w- c:\program files\DriverTuner
2012-01-07 02:45 . 2012-01-07 02:45 -------- d-----w- c:\program files\WinZip(156)
2011-12-30 09:06 . 2011-12-30 09:06 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-30 09:06 . 2011-12-30 09:06 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-30 09:06 . 2011-12-30 09:06 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-30 09:06 . 2011-12-30 09:06 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 15:24 . 2009-11-12 16:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:37 . 2011-12-14 15:41 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 07:53 . 2011-05-14 13:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 14:42 . 2011-12-14 15:40 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47 . 2011-12-15 07:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40 . 2011-12-15 07:59 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39 . 2011-12-15 07:59 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31 . 2011-12-15 07:59 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01 . 2011-12-14 15:41 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01 . 2011-12-14 15:41 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-30 09:06 . 2011-05-05 22:58 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [BU]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-06-09 26112]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2009-04-21 1045904]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-12-24 981680]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"HostManager"="c:\program files\Common Files\AOL\1287764634\ee\AOLSoftware.exe" [2010-02-10 41800]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"QuickTime Plugin Install"="c:\program files\QuickTime\Plugins\DeleteMe1.exe" [2011-08-04 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\users\ShariBlackVelvet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\1287764634\ee\aolsoftware.exe [2010-2-10 41800]
_uninst_23372510.lnk - c:\users\ShariBlackVelvet\AppData\Local\Temp\_uninst_23372510.bat [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
ImageMixer 3 SE Camera Monitor.lnk - c:\program files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe [2010-5-25 253952]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{35594759-A864-4F40-8CDF-600825668E4A}: NameServer = 192.168.1.1
FF - ProfilePath - c:\users\ShariBlackVelvet\AppData\Roaming\Mozilla\Firefox\Profiles\x97wkle1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50ffaoldesktop-chromesbox-en-us&tb_uuid=20110306000852167&tb_oid=06-03-2011&tb_mrud=06-03-2011
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.nectar.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-25 01:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????]?Y??P?U?x?U???U???U??
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-01-25 02:12:46
ComboFix-quarantined-files.txt 2012-01-25 02:12
ComboFix2.txt 2012-01-23 04:19
.
Pre-Run: 66,611,200,000 bytes free
Post-Run: 67,053,035,520 bytes free
.
- - End Of File - - 0A36FBF42E7F249CF35A5EA243D973A6


Malwarebytes Log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.22.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
ShariBlackVelvet :: SBV-PC [administrator]

25/01/2012 3:17:11 pm
mbam-log-2012-01-25 (15-17-11).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 462056
Time elapsed: 2 hour(s), 22 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Looks good! I do recommend you go through the Toshiba processes and uninstall or take off of Startup those you do not use/need or want.

For instance: This is a reminder to register set in 2008:
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]

There is also an AOL Process you can do without on Startup:
c:\users\ShariBlackVelvet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\1287764634\ee\aolsoftware.exe [2010-2-10 41800]
_uninst_23372510.lnk - c:\users\ShariBlackVelvet\AppData\Local\Temp\_uninst_23372510.bat [N/A]
  • Name: AOL Service Libraries
  • Startup Value: C:\Program Files\Common Files\AOL\<10 digit number>\e\AOLSoftware.exe
  • Purpose: Integrated email, instant messenger and web browser
  • Program disable option: None
  • Shortcut(s) available: None
====================================
You can delete all those app data files. Copy them to one screen> then click on Edit> Select All> Edit> Delete.

Are there any more malware related problems?
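The startup review above boils down to a few checks on each autostart entry: does the target still exist on disk (an entry whose file is gone is exactly what produces a "Windows cannot find ..." box at logon), does it point into a Temp directory, is it a bare file name resolved through PATH, and is the file name nothing but digits. As an added example that is not part of this thread or of ComboFix, the script below parses the Run-key and Startup-folder lines in the format ComboFix prints them and applies those checks. The sample input reuses lines quoted in the log above plus one constructed entry for the missing 6924636.exe; the thread never shows where that file was registered, so the HKCU Run location and Temp path for it are assumptions for the sake of the demonstration.

```python
import re
from typing import Dict, List

# Lines copied from the ComboFix autostart section quoted in this thread.
PAGE_LINES = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [BU]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\users\ShariBlackVelvet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AOL Desktop.lnk - c:\program files\Common Files\AOL\1287764634\ee\aolsoftware.exe [2010-2-10 41800]
_uninst_23372510.lnk - c:\users\ShariBlackVelvet\AppData\Local\Temp\_uninst_23372510.bat [N/A]
'''

# Constructed entry (assumption): how the missing 6924636.exe from the first post
# might appear if it had been registered in the user's Run key.
CONSTRUCTED_LINES = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6924636"="c:\users\ShariBlackVelvet\AppData\Local\Temp\6924636.exe" [N/A]
'''

SAMPLE_LOG = PAGE_LINES + CONSTRUCTED_LINES

# "Name"="target" [date size]   or   "Name"="target" [BU]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]')
# Name.lnk - target [date size]   or   Name.lnk - target [N/A]
LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<target>.+?) \[(?P<info>[^\]]*)\]$')


def triage(target: str, info: str) -> List[str]:
    """Return the reasons an autostart target deserves a closer look (empty if none)."""
    reasons: List[str] = []
    if info.strip().upper() == 'N/A':
        reasons.append('target file missing on disk (source of a "Windows cannot find" box at logon)')
    low = target.lower()
    if '\\temp\\' in low:
        reasons.append('target lives in a Temp directory')
    base = low.rsplit('\\', 1)[-1]
    stem = base.rsplit('.', 1)[0]
    if stem.isdigit():
        reasons.append('file name is purely numeric')
    if '\\' not in target:
        reasons.append('bare file name, resolved through PATH at logon')
    return reasons


def parse_autostarts(text: str) -> List[Dict[str, object]]:
    """Parse ComboFix-style Run-key and Startup-folder lines into triaged entries."""
    entries: List[Dict[str, object]] = []
    location = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if line.startswith('[HKEY'):          # registry key header
            location = line.strip('[]')
            continue
        if line.endswith('\\'):               # Startup folder header
            location = line
            continue
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if not m:
            continue
        entry: Dict[str, object] = {
            'location': location,
            'name': m.group('name'),
            'target': m.group('target'),
            'info': m.group('info'),
        }
        entry['reasons'] = triage(m.group('target'), m.group('info'))
        entries.append(entry)
    return entries


def suspicious(text: str) -> List[Dict[str, object]]:
    """Only the entries that tripped at least one check."""
    return [e for e in parse_autostarts(text) if e['reasons']]


if __name__ == '__main__':
    for e in suspicious(SAMPLE_LOG):
        print(f"{e['name']}  ->  {e['target']}  ({e['location']})")
        for r in e['reasons']:
            print('    -', r)
```

On the sample above the two Temp entries marked [N/A] are flagged as missing and as living in Temp (the constructed 6924636 entry also for its numeric name), while the bare NDSTray.exe is flagged only as unverifiable because no directory is recorded; the Toshiba, Synaptics, Microsoft Security Client and AOL entries pass. A hit from this script is a pointer for the kind of manual review done in this thread, not a verdict.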
 
You're welcome! Glad to help.
You can go ahead with this now>
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 