Solved Random audio from Vista laptop; bootkit?

[Wigie]

Greetings to the malware gurus!

I'm visiting the in-laws for Christmas, and as usual they have a to-do list for me on their Windows machines (despite being a Linux and Mac guy myself). In particular, an older Vista laptop has been misbehaving for quite a while. Sudden reboots/BSODs happen occasionally, and there's quite a bit of disk and CPU activity even when no applications are active.

Three nights ago, before I arrived, the in-laws report that they were awoken around 3 am by the laptop making "train and conductor noises". Two evenings ago, just after I arrived, I witnessed another random audio event: the laptop loudly played roughly a minute of what sounded like a radio station. Both times, the laptop had been sitting idle, with no obvious applications as the culprits.

Some Googling suggests this might be a particularly insidious bootkit, so I figured it was time to ask the big guns for help. I've followed the 5-step preliminary process, with logs to follow. As you can see, MBAM found quite a few infected files (despite the in-laws swearing up and down that they never click on pop-up ads, never open attachments, etc.). I suspect from what I've read, though, that MBAM's cleaning is just the beginning.

 

[Broni]

Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

 

[Wigie]

MBAM and GMER logs

MBAM log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.31.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19170
Preston :: PRESTON-PC [administrator]

12/30/2011 10:08:15 PM
mbam-log-2011-12-30 (22-08-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 176559
Time elapsed: 15 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MozillaAgent (Spyware.Passwords.XGen) -> Data: C:\Windows\Temp\_ex-68.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 44
C:\Windows\Temp\_ex-68.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Users\Preston\AppData\Local\Temp\Low\gggf0.9931242026192252.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Preston\AppData\Local\Temp\Low\msimg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Preston\AppData\Local\Temp\Low\nbd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Preston\AppData\Local\Temp\Low\nnnv0.9267765390007804.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\oiu0.12083791157339918.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Windows\Temp\oiu0.15212387642466318.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\oiu0.2432612807480884.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Windows\Temp\oiu0.3578785283736683.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\oiu0.41742171686432006.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\oiu0.49873739100968595.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\oiu0.5742829090899441.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\oiu0.6046903665328739.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\opre0.7612425464450437.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Temp\sghj0.24486286966104642.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Temp\sghj0.4081840241338448.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\sghj0.48662812196525573.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\sghj0.6499094641352968.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\sghj0.7140886146914504.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\sghj0.7286986142104609.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\sghj0.7402439770299677.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\sghj0.792046677323729.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\kna0.02022251298854183.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\kna0.11293224967811166.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\kna0.11658176759357508.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Temp\kna0.15725030950035912.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\kna0.26430795283467146.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\kna0.5403352702975825.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\kna0.768578184145778.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\kna0.8485745987159106.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\kna0.8707204086505084.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Temp\fsdfdsf0.10844948347067529.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\fsdfdsf0.22012835163648437.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\fsdfdsf0.27282919756518387.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Windows\Temp\fsdfdsf0.39465973330368065.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\fsdfdsf0.4806356201332599.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\fsdfdsf0.77183947819478.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\fsdfdsf0.8437403563392449.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Windows\Temp\fsdfdsf0.6549982402737817.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\200.0174.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Temp\639.0622.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\845.8003.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\wreflk\setup.exe (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\Windows\Temp\bjtbor\setup.exe (Trojan.Downloader.BH) -> Quarantined and deleted successfully.

(end)

GMER scan log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-30 23:50:38
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHV2120BH_PL rev.0000002A
Running: GMER.exe; Driver: C:\Users\Preston\AppData\Local\Temp\fwriyfoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text i8042prt.sys 8C125000 22 Bytes [90, 90, 90, 90, 90, FF, 25, ...]
.text i8042prt.sys 8C125018 44 Bytes [8B, 44, 24, 10, 89, 6C, 24, ...]
.text i8042prt.sys 8C125045 8 Bytes [45, F8, 8D, 45, F0, 64, A3, ...]
.text i8042prt.sys 8C125050 70 Bytes [C3, 8B, 4D, F0, 64, 89, 0D, ...]
.text i8042prt.sys 8C12509A 64 Bytes [8B, 44, 24, 30, 8B, 58, 08, ...]
.text ...
? C:\Windows\system32\DRIVERS\i8042prt.sys suspicious PE modification
? C:\Users\Preston\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 77114B84 5 Bytes JMP 009E000A
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtWriteVirtualMemory 771154C4 5 Bytes JMP 009F000A
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!KiUserExceptionDispatcher 77115BF8 5 Bytes JMP 009D000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 8C10A000-8C124000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB22433$\1294555841 0 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690 0 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\@ 2048 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\bckfg.tmp 849 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\cfg.ini 208 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\keywords 175 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\L 0 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\L\qnbwvoto 54784 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\U 0 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB22433$\1818442690\U\80000032.@ 77312 bytes

---- EOF - GMER 1.0.15 ----

 

[Wigie]

DDS Logs

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170
Run by Preston at 0:53:07 on 2011-12-31
MicrosoftÆ Windows Vistaô Home Premium 6.0.6002.2.1252.1.1033.18.2037.1234 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Utilities\VolControl.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Users\Preston\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {38542454-DFB6-44F5-B052-D4E071A3D073} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {B80F591E-FE9A-46CF-A13E-180377240586} - No File
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [PINGER] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [TOSHIBA Volume Indicator] "c:\program files\toshiba\utilities\VolControl.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
StartupFolder: c:\users\preston\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\preston\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FCE00225-F6A3-42B7-9AFF-64CDC15BEB8E} : DhcpNameServer = 192.168.1.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-25 21504]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S1 MpKsl4b817780;MpKsl4b817780;c:\programdata\microsoft\microsoft antimalware\definition updates\{de88daa0-0892-49fd-99d1-0f3e25703adc}\MpKsl4b817780.sys [2011-12-30 29904]
S1 MpKsle880a45d;MpKsle880a45d;c:\programdata\microsoft\microsoft antimalware\definition updates\{de88daa0-0892-49fd-99d1-0f3e25703adc}\MpKsle880a45d.sys [2011-12-30 29904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2009-12-18 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2009-12-18 174720]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2010-1-29 54416]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2010-1-29 160272]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2010-1-29 160272]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2010-1-29 11920]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2010-1-29 113680]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-9-25 16896]
.
=============== Created Last 30 ================
.
2011-12-31 06:22:28 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{de88daa0-0892-49fd-99d1-0f3e25703adc}\offreg.dll
2011-12-31 04:04:59 -------- d-----w- c:\users\preston\appdata\roaming\Malwarebytes
2011-12-31 04:03:37 -------- d-----w- c:\programdata\Malwarebytes
2011-12-31 04:03:35 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 04:03:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-31 02:55:15 -------- d-----r- c:\users\preston\Dropbox
2011-12-31 02:49:56 -------- d-----w- c:\users\preston\appdata\roaming\Dropbox
2011-12-31 02:47:59 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{de88daa0-0892-49fd-99d1-0f3e25703adc}\mpengine.dll
2011-12-13 20:46:07 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-13 20:46:07 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-13 20:46:06 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 20:46:04 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 20:46:03 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 06:22:04 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 06:17:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-03 06:17:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 06:17:08 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-11-03 06:17:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-03 05:22:43 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 04:45:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-03 04:43:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
.
============= FINISH: 0:53:38.55 ===============

Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
MicrosoftÆ Windows Vistaô Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 2/24/2007 2:04:31 AM
System Uptime: 12/31/2011 12:21:56 AM (0 hours ago)
.
Motherboard: TOSHIBA | | Satellite P105
Processor: Intel(R) Core(TM) Duo CPU T2250 @ 1.73GHz | U2E1 | 1333/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 110 GiB total, 59.172 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet Pro 8500 A909g
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet Pro 8500 A909g
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
.
==== Hosts File Hijack ======================
.
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
Hosts: 69.72.252.254 www.statcounter.com.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
8500A909_eDocs
8500A909_Help
8500A909g
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11.5
AVerMedia USB Hybrid Capture Device 1.3.0.46
Bejeweled 2 Deluxe
Blackhawk Striker 2
Blasterball 3
Bluetooth Stack for Windows by Toshiba
BPD_DSWizards
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
CD/DVD Drive Acoustic Silencer
Chuzzle Deluxe
Compatibility Pack for the 2007 Office system
Conexant HD Audio
DeLorme Street Atlas USA 2008
Desktop Dialer
Destination Component
DeviceDiscovery
DocMgr
DocProc
Dropbox
DVD MovieFactory for TOSHIBA
FATE
Fax
GPBaseService2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 12.0
hp deskjet 5800 series
HP Document Manager 2.0
HP Imaging Device Functions 12.0
HP Smart Web Printing
HP Solution Center 13.0
HP Update
HPDiagnosticAlert
HPProductAssistant
HPSSupply
Intel(R) Graphics Media Accelerator Driver
JEOPARDY
Lexmark Printable Web
Malwarebytes Anti-Malware version 1.60.0.1800
MarketResearch
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office Standard Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Works
Microsoft XML Parser
Mobile Broadband Generic Drivers
MPM
MSVCSetup
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Network
OCR Software by I.R.I.S. 12.0
Officejet Pro 8500 A909 Series
OGA Notifier 2.0.0048.0
OVT Scanner X86
PANTECH UM175 Driver
Penguins!
Picasa 3
ProductContext
QuickBooks
QuickBooks Pro 2009
Scan
SCRABBLE
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Shop for HP Supplies
SmartWebPrinting
Soft Data Fax Modem with SmartCP
SolutionCenter
Status
SupportSoft Assisted Service
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Toolbox
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Game Console
TOSHIBA Hardware Setup
TOSHIBA Media Center Game Console
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Volume Indicator
TrayApp
Uninstall OVT Scanner
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Verizon Wireless MiFi-2200 Firmware Updates
Visual Studio 2005 Tools for Office Second Edition Runtime
VZAccess Manager
WebReg
Windows 7 Upgrade Advisor
WinDVD for TOSHIBA
.
==== Event Viewer Messages From Past Week ========
.
12/31/2011 12:24:44 AM, Error: Microsoft-Windows-WMPNSS-Service [14325] - Service 'WMPNetworkSvc' did not start correctly because QueryService encountered error '0x80070424'. In Windows Media Player, turn off media sharing, and then turn it back on.
12/31/2011 12:23:34 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
12/31/2011 12:22:48 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Tosrfcom
12/31/2011 12:22:48 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
12/31/2011 12:22:48 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
12/31/2011 12:22:48 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
12/31/2011 12:22:48 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/31/2011 12:22:48 AM, Error: Service Control Manager [7000] - The hpdj service failed to start due to the following error: The system cannot find the file specified.
12/30/2011 9:00:42 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/30/2011 9:00:01 PM, Error: EventLog [6008] - The previous system shutdown at 8:58:15 PM on 12/30/2011 was unexpected.
12/30/2011 8:50:38 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
12/30/2011 11:59:30 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1932.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
12/30/2011 10:45:41 PM, Error: EventLog [6008] - The previous system shutdown at 10:44:33 PM on 12/30/2011 was unexpected.
12/30/2011 10:35:20 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/30/2011 10:34:55 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0019D286CF97 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
12/29/2011 9:51:40 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
12/29/2011 11:20:17 AM, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.2 with the system having network hardware address 90-4C-E5-3D-C9-43. Network operations on this system may be disrupted as a result.
12/28/2011 9:19:12 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
12/28/2011 8:52:43 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/28/2011 8:52:17 AM, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
12/27/2011 7:53:25 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/27/2011 7:51:21 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the netprofm service.
12/27/2011 7:50:51 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the fdPHost service.
12/27/2011 7:43:07 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WinHttpAutoProxySvc service.
12/27/2011 7:43:07 AM, Error: Service Control Manager [7000] - The WinHTTP Web Proxy Auto-Discovery Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/26/2011 6:09:17 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the W32Time service.
12/26/2011 6:08:47 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FDResPub service.
12/26/2011 6:08:17 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanWorkstation service.
12/26/2011 11:47:18 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
12/25/2011 8:03:54 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
12/25/2011 2:56:05 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/25/2011 2:55:16 PM, Error: EventLog [6008] - The previous system shutdown at 2:53:24 PM on 12/25/2011 was unexpected.
12/24/2011 3:04:08 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
.
==== End Of File ===========================

 

[Broni]

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

==========================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

• Double-click on the Rkill desktop icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[Wigie]

aswMBR and Combofix logs

The logs are attached below. Combofix complained that MS Security Essentials was active, although I had explicitly disabled it. Combofix also popped up a dialog box at one point saying that the malware had infected the TCP/IP stack. It rebooted the laptop twice. Hopefully this will give you the info you need to suggest the next steps. Thanks!

aswMBR:

aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2011-12-31 17:17:58
-----------------------------
17:17:58.382 OS Version: Windows 6.0.6002 Service Pack 2
17:17:58.382 Number of processors: 2 586 0xE0C
17:17:58.382 ComputerName: PRESTON-PC UserName: Preston
17:18:00.675 Initialize success
17:28:55.509 AVAST engine defs: 11123101
17:30:35.196 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:30:35.196 Disk 0 Vendor: FUJITSU_MHV2120BH_PL 0000002A Size: 114473MB BusType: 3
17:30:35.258 Disk 0 MBR read successfully
17:30:35.258 Disk 0 MBR scan
17:30:35.274 Disk 0 Windows VISTA default MBR code
17:30:35.274 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
17:30:35.305 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 112971 MB offset 3074048
17:30:35.321 Disk 0 scanning sectors +234438656
17:30:35.430 Disk 0 scanning C:\Windows\system32\drivers
17:30:39.252 File: C:\Windows\system32\drivers\i8042prt.sys **INFECTED** Win32:Aluroot-B [Rtk]
17:30:50.312 Service scanning
17:30:51.264 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
17:30:51.935 Modules scanning
17:30:54.805 Module: C:\Windows\system32\DRIVERS\i8042prt.sys **SUSPICIOUS**
17:31:27.503 Disk 0 trace - called modules:
17:31:27.518 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85592f10]<<
17:31:27.534 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84793458]
17:31:27.534 3 CLASSPNP.SYS[87f8b8b3] -> nt!IofCallDriver -> [0x8556a2c8]
17:31:27.550 \Driver\00000590[0x8556a400] -> IRP_MJ_CREATE -> 0x85592f10
17:31:30.794 AVAST engine scan C:\Windows
17:31:34.554 AVAST engine scan C:\Windows\system32
17:34:45.070 AVAST engine scan C:\Windows\system32\drivers
17:34:49.875 File: C:\Windows\system32\drivers\i8042prt.sys **INFECTED** Win32:Aluroot-B [Rtk]
17:35:05.383 AVAST engine scan C:\Users\Preston
17:47:12.983 AVAST engine scan C:\ProgramData
17:50:50.463 Scan finished successfully
17:53:34.855 Disk 0 MBR has been saved successfully to "C:\Users\Preston\Desktop\MBR.dat"
17:53:34.871 The log file has been saved successfully to "C:\Users\Preston\Desktop\aswMBR.txt"

Combofix:

ComboFix 11-12-31.03 - Preston 12/31/2011 18:27:02.1.2 - x86
MicrosoftÆ Windows Vistaô Home Premium 6.0.6002.2.1252.1.1033.18.2037.1027 [GMT -6:00]
Running from: c:\users\Preston\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\programdata\SPL1263.tmp
c:\programdata\SPL132B.tmp
c:\programdata\SPL15E2.tmp
c:\programdata\SPL19A5.tmp
c:\programdata\SPL2627.tmp
c:\programdata\SPL289C.tmp
c:\programdata\SPL2DF6.tmp
c:\programdata\SPL32BA.tmp
c:\programdata\SPL3DEE.tmp
c:\programdata\SPL4B51.tmp
c:\programdata\SPL518A.tmp
c:\programdata\SPL523B.tmp
c:\programdata\SPL53EC.tmp
c:\programdata\SPL55C9.tmp
c:\programdata\SPL5A73.tmp
c:\programdata\SPL5DCA.tmp
c:\programdata\SPL630A.tmp
c:\programdata\SPL6B4F.tmp
c:\programdata\SPL709.tmp
c:\programdata\SPL78B3.tmp
c:\programdata\SPL7D78.tmp
c:\programdata\SPL8123.tmp
c:\programdata\SPL83A0.tmp
c:\programdata\SPL8CE3.tmp
c:\programdata\SPL8EC7.tmp
c:\programdata\SPL96D2.tmp
c:\programdata\SPL974F.tmp
c:\programdata\SPL97FA.tmp
c:\programdata\SPL9B64.tmp
c:\programdata\SPLA0C8.tmp
c:\programdata\SPLA18B.tmp
c:\programdata\SPLA340.tmp
c:\programdata\SPLA8AD.tmp
c:\programdata\SPLA9A6.tmp
c:\programdata\SPLB658.tmp
c:\programdata\SPLB7BA.tmp
c:\programdata\SPLB809.tmp
c:\programdata\SPLBA83.tmp
c:\programdata\SPLBA88.tmp
c:\programdata\SPLBA9F.tmp
c:\programdata\SPLD365.tmp
c:\programdata\SPLD56E.tmp
c:\programdata\SPLE019.tmp
c:\programdata\SPLE047.tmp
c:\programdata\SPLF4B3.tmp
c:\programdata\SPLF693.tmp
c:\programdata\SPLFC04.tmp
c:\programdata\SPLFFE2.tmp
c:\users\Preston\AppData\Local\Microsoft\Windows\Temporary Internet Files\index.dat
c:\users\Preston\Documents\~WRL3322.tmp
c:\windows\$NtUninstallKB22433$
c:\windows\$NtUninstallKB22433$\1294555841
c:\windows\$NtUninstallKB22433$\1818442690\@
c:\windows\$NtUninstallKB22433$\1818442690\bckfg.tmp
c:\windows\$NtUninstallKB22433$\1818442690\cfg.ini
c:\windows\$NtUninstallKB22433$\1818442690\Desktop.ini
c:\windows\$NtUninstallKB22433$\1818442690\keywords
c:\windows\$NtUninstallKB22433$\1818442690\kwrd.dll
c:\windows\$NtUninstallKB22433$\1818442690\L\qnbwvoto
c:\windows\$NtUninstallKB22433$\1818442690\lsflt7.ver
c:\windows\$NtUninstallKB22433$\1818442690\U\00000001.@
c:\windows\$NtUninstallKB22433$\1818442690\U\00000002.@
c:\windows\$NtUninstallKB22433$\1818442690\U\00000004.@
c:\windows\$NtUninstallKB22433$\1818442690\U\80000000.@
c:\windows\$NtUninstallKB22433$\1818442690\U\80000004.@
c:\windows\$NtUninstallKB22433$\1818442690\U\80000032.@
.
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2011-12-01 to 2012-01-01 )))))))))))))))))))))))))))))))
.
.
2012-01-01 00:41 . 2012-01-01 00:41 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DE88DAA0-0892-49FD-99D1-0F3E25703ADC}\offreg.dll
2012-01-01 00:39 . 2012-01-01 00:42 -------- d-----w- c:\users\Preston\AppData\Local\temp
2012-01-01 00:39 . 2012-01-01 00:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-01 00:21 . 2008-02-26 23:37 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-31 04:04 . 2011-12-31 04:04 -------- d-----w- c:\users\Preston\AppData\Roaming\Malwarebytes
2011-12-31 04:03 . 2011-12-31 04:03 -------- d-----w- c:\programdata\Malwarebytes
2011-12-31 04:03 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 04:03 . 2011-12-31 04:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-31 02:55 . 2011-12-31 22:44 -------- d-----r- c:\users\Preston\Dropbox
2011-12-31 02:49 . 2011-12-31 22:44 -------- d-----w- c:\users\Preston\AppData\Roaming\Dropbox
2011-12-31 02:47 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DE88DAA0-0892-49FD-99D1-0F3E25703ADC}\mpengine.dll
2011-12-14 03:31 . 2011-12-14 03:31 -------- d-----w- c:\windows\Sun
2011-12-13 20:46 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-13 20:46 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-13 20:46 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 20:46 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 20:46 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 10:47 . 2010-04-26 23:24 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-11 09:25 . 2011-10-11 09:26 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F057E1B1-1A90-426B-9FFB-FAFCD2C0608F}\gapaengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Preston\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Preston\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Preston\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"NDSTray.exe"="NDSTray.exe" [BU]
"PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2006-07-20 151552]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-11-23 409264]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-11-28 52912]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-11-20 446128]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-11-29 523952]
"TOSHIBA Volume Indicator"="c:\program files\Toshiba\Utilities\VolControl.exe" [2006-10-31 94208]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
.
c:\users\Preston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Preston\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-6-22 984936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl2f2dc6a6;MpKsl2f2dc6a6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C8E81875-E787-4EA4-955B-C3233F1AAB9E}\MpKsl2f2dc6a6.sys [x]
R1 MpKsl4b817780;MpKsl4b817780;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DE88DAA0-0892-49FD-99D1-0F3E25703ADC}\MpKsl4b817780.sys [2011-12-31 29904]
R1 MpKsl926b64a6;MpKsl926b64a6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{35FF218B-0E51-49E9-AECC-EBFD061D8D20}\MpKsl926b64a6.sys [x]
R1 MpKslacd18964;MpKslacd18964;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C8E81875-E787-4EA4-955B-C3233F1AAB9E}\MpKslacd18964.sys [x]
R1 MpKsldd14e6fe;MpKsldd14e6fe;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C8E81875-E787-4EA4-955B-C3233F1AAB9E}\MpKsldd14e6fe.sys [x]
R1 MpKsle880a45d;MpKsle880a45d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DE88DAA0-0892-49FD-99D1-0F3E25703ADC}\MpKsle880a45d.sys [2011-12-31 29904]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys [2006-07-31 580992]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2009-12-18 20480]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2009-12-18 174720]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2009-08-12 54416]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2009-08-12 160272]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2009-08-12 160272]
R3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\DRIVERS\PTDUWFLT.sys [2009-08-12 11920]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2009-08-12 113680]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2009-08-18 c:\windows\Tasks\NSSstub.job
- c:\windows\System32\Adobe\Shockwave 11\nssstub.exe [2009-08-10 01:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{38542454-dfb6-44f5-b052-d4e071a3d073} - (no file)
URLSearchHooks-{b80f591e-fe9a-46cf-a13e-180377240586} - (no file)
WebBrowser-{38542454-DFB6-44F5-B052-D4E071A3D073} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{B80F591E-FE9A-46CF-A13E-180377240586} - (no file)
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-OVT Scanner - c:\windows\omniuns.exe USB\Vid_05a9&PID_1550 OVT Scanner
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-31 18:42
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3504)
c:\users\Preston\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\DllHost.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2011-12-31 18:49:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-01 00:49
.
Pre-Run: 64,065,376,256 bytes free
Post-Run: 64,908,775,424 bytes free
.
- - End Of File - - EF2D76DD36C13959D65ED221BA721F1C

 

[Broni]

Looks good

How is computer doing?

Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Scan All Users checkbox.
• Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[Wigie]

OTL Logs

Glad to hear things are looking good. There hasn't been any random audio since I started the cleaning process, but then again, it wasn't happening very often in the first place, so it's hard to tell.

OTL.txt

OTL logfile created on: 12/31/2011 8:04:34 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Preston\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19170)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.18 Gb Available Physical Memory | 59.25% Memory free
4.21 Gb Paging File | 3.41 Gb Available in Paging File | 80.89% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 60.51 Gb Free Space | 54.84% Space Free | Partition Type: NTFS
Drive E: | 488.60 Mb Total Space | 209.84 Mb Free Space | 42.95% Space Free | Partition Type: FAT

Computer Name: PRESTON-PC | User Name: Preston | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/31 20:55:22 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Preston\Desktop\OTL.exe
PRC - [2011/06/22 04:57:14 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2006/11/22 19:45:28 | 000,425,648 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2006/11/14 22:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/11/01 00:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2006/08/23 18:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/07/20 14:54:28 | 000,040,960 | ---- | M] () -- c:\Toshiba\IVP\swupdate\swupdtmr.exe
PRC - [2006/05/25 20:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (hpdj)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2011/06/22 04:57:14 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2011/04/27 14:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/11/22 19:45:28 | 000,425,648 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2006/11/14 22:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/11/01 00:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2006/08/23 18:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/07/20 14:54:28 | 000,040,960 | ---- | M] () [Auto | Running] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2006/05/25 20:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/12/30 22:35:04 | 000,029,904 | ---- | M] () [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DE88DAA0-0892-49FD-99D1-0F3E25703ADC}\MpKsle880a45d.sys -- (MpKsle880a45d)
DRV - [2011/12/30 20:49:18 | 000,029,904 | ---- | M] () [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DE88DAA0-0892-49FD-99D1-0F3E25703ADC}\MpKsl4b817780.sys -- (MpKsl4b817780)
DRV - [2011/04/27 14:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 12:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/12/18 11:13:02 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2009/12/18 11:13:00 | 000,230,912 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/12/18 11:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2009/12/18 11:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2009/12/18 11:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2009/08/12 05:13:32 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUMdm.sys -- (PTDUMdm)
DRV - [2009/08/12 05:13:32 | 000,113,680 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUWWAN.sys -- (PTDUWWAN)
DRV - [2009/08/12 05:13:32 | 000,054,416 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUBus.sys -- (PTDUBus)
DRV - [2009/08/12 05:13:28 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUVsp.sys -- (PTDUVsp)
DRV - [2009/08/12 05:13:28 | 000,011,920 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUWFLT.sys -- (PTDUWFLT)
DRV - [2009/05/25 14:43:58 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/11/17 14:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R)
DRV - [2008/03/04 01:32:00 | 000,188,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/01/19 00:14:59 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/11/09 04:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/09/26 15:12:22 | 002,251,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
DRV - [2006/11/20 20:14:28 | 000,033,792 | ---- | M] (TOSHIBA) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\qkbfiltr.sys -- (qkbfiltr)
DRV - [2006/11/17 15:08:36 | 000,145,920 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)
DRV - [2006/11/02 01:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2006/10/30 11:42:28 | 001,786,880 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2006/10/23 18:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 13:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/12 11:18:14 | 000,007,680 | ---- | M] (Quanta Computer Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BoiHwSetup.sys -- (BoiHwsetup)
DRV - [2006/09/27 21:06:56 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2006/08/04 18:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/07/31 06:44:00 | 000,580,992 | ---- | M] (Omnivision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ov550i.sys -- (APL531)
DRV - [2006/07/06 15:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/02/14 12:50:52 | 000,216,320 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2005/09/27 17:57:38 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2005/08/17 07:47:48 | 000,073,696 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG CDMA Modem Diagnostic Serial Port (WDM)
DRV - [2005/08/17 07:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/08/17 07:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/08/17 07:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2005/08/01 18:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2770878112-3271522919-883143568-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2770878112-3271522919-883143568-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2770878112-3271522919-883143568-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/12/01 13:53:18 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/12/01 13:53:18 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/12/19 04:29:47 | 000,001,398 | RHS- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 66.197.194.231 www.google-analytics.com.
O1 - Hosts: 66.197.194.231 ad-emea.doubleclick.net.
O1 - Hosts: 66.197.194.231 www.statcounter.com.
O1 - Hosts: 69.72.252.254 www.google-analytics.com.
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
O1 - Hosts: 69.72.252.254 www.statcounter.com.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKU\S-1-5-21-2770878112-3271522919-883143568-1000\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HSON] C:\Program Files\Toshiba\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TOSHIBA Volume Indicator] C:\Program Files\Toshiba\Utilities\VolControl.exe (TOSHIBA Inc.)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - Startup: C:\Users\Preston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Preston\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2770878112-3271522919-883143568-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2770878112-3271522919-883143568-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not found
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FCE00225-F6A3-42B7-9AFF-64CDC15BEB8E}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\Toshiba-1.JPG
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\Toshiba-1.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/03/28 12:31:42 | 000,000,176 | RHS- | M] () - E:\autorun.inf -- [ FAT ]
O32 - AutoRun File - [2009/03/28 12:31:44 | 000,000,000 | RHSD | M] - E:\AutoRun -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.dvacm - C:\Program Files\Common Files\Ulead Systems\vio\DVACM.acm (Ulead Systems, Inc.)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - msh263.drv File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/12/31 19:58:54 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Preston\Desktop\OTL.exe
[2011/12/31 18:50:06 | 000,000,000 | ---D | C] -- C:\Users\Preston\AppData\Local\temp
[2011/12/31 18:42:07 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/12/31 18:01:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/31 18:01:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/31 18:01:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/31 18:01:11 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/31 18:01:11 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/12/31 17:58:28 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/31 17:57:28 | 004,358,797 | R--- | C] (Swearware) -- C:\Users\Preston\Desktop\ComboFix.exe
[2011/12/31 16:44:01 | 004,702,720 | ---- | C] (AVAST Software) -- C:\Users\Preston\Desktop\aswMBR.exe
[2011/12/30 22:36:17 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Preston\Desktop\dds.scr
[2011/12/30 22:04:59 | 000,000,000 | ---D | C] -- C:\Users\Preston\AppData\Roaming\Malwarebytes
[2011/12/30 22:03:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/30 22:03:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/12/30 22:03:35 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/12/30 22:03:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/30 22:02:19 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Preston\Desktop\tdsskiller.exe
[2011/12/30 22:02:14 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Preston\Desktop\mbam-setup-1.60.0.1800.exe
[2011/12/30 20:55:15 | 000,000,000 | R--D | C] -- C:\Users\Preston\Dropbox
[2011/12/30 20:52:34 | 000,000,000 | ---D | C] -- C:\Users\Preston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2011/12/30 20:49:56 | 000,000,000 | ---D | C] -- C:\Users\Preston\AppData\Roaming\Dropbox
[2011/12/13 21:31:26 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2007/10/14 19:35:00 | 000,040,960 | ---- | C] ( ) -- C:\Windows\OMNIUNS.EXE

========== Files - Modified Within 30 Days ==========

[2011/12/31 21:03:04 | 000,003,213 | ---- | M] () -- C:\Users\Preston\Desktop\OTL_script
[2011/12/31 20:55:22 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Preston\Desktop\OTL.exe
[2011/12/31 19:59:51 | 000,606,602 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/31 19:59:51 | 000,105,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/31 18:56:38 | 004,358,797 | R--- | M] (Swearware) -- C:\Users\Preston\Desktop\ComboFix.exe
[2011/12/31 18:41:28 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/31 18:41:28 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/31 18:41:21 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/31 18:41:16 | 2137,186,304 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/31 17:53:34 | 000,000,512 | ---- | M] () -- C:\Users\Preston\Desktop\MBR.dat
[2011/12/31 01:23:14 | 004,702,720 | ---- | M] (AVAST Software) -- C:\Users\Preston\Desktop\aswMBR.exe
[2011/12/30 23:31:18 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Preston\Desktop\dds.scr
[2011/12/30 23:30:28 | 000,302,592 | ---- | M] () -- C:\Users\Preston\Desktop\GMER.exe
[2011/12/30 22:45:34 | 204,260,992 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/12/30 22:03:42 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/30 20:55:15 | 000,000,954 | ---- | M] () -- C:\Users\Preston\Desktop\Dropbox.lnk
[2011/12/30 20:53:22 | 000,000,934 | ---- | M] () -- C:\Users\Preston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011/12/29 11:34:38 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Preston\Desktop\tdsskiller.exe
[2011/12/29 11:32:52 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Preston\Desktop\mbam-setup-1.60.0.1800.exe
[2011/12/25 07:03:52 | 000,002,609 | ---- | M] () -- C:\Users\Preston\Desktop\Microsoft Office Word 2003.lnk
[2011/12/24 06:32:19 | 000,000,112 | ---- | M] () -- C:\ProgramData\Km03YTDm.dat
[2011/12/19 04:29:47 | 000,001,398 | RHS- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/12/14 03:37:44 | 000,335,016 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2011/12/31 19:58:58 | 000,003,213 | ---- | C] () -- C:\Users\Preston\Desktop\OTL_script
[2011/12/31 18:01:18 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/31 18:01:18 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/31 18:01:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/31 18:01:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/31 18:01:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/31 17:53:34 | 000,000,512 | ---- | C] () -- C:\Users\Preston\Desktop\MBR.dat
[2011/12/30 22:36:12 | 000,302,592 | ---- | C] () -- C:\Users\Preston\Desktop\GMER.exe
[2011/12/30 22:03:42 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/30 21:35:20 | 000,001,659 | ---- | C] () -- C:\Users\Preston\Desktop\Command Prompt.lnk
[2011/12/30 20:55:15 | 000,000,954 | ---- | C] () -- C:\Users\Preston\Desktop\Dropbox.lnk
[2011/12/30 20:53:22 | 000,000,934 | ---- | C] () -- C:\Users\Preston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011/12/24 05:09:30 | 000,000,112 | ---- | C] () -- C:\ProgramData\Km03YTDm.dat
[2011/01/09 13:13:00 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
[2011/01/05 22:23:18 | 000,077,378 | ---- | C] () -- C:\Windows\hpqins05.dat
[2010/12/25 19:38:26 | 000,002,979 | ---- | C] () -- C:\Windows\hpwmdl22.dat.temp
[2010/12/22 22:35:00 | 000,024,064 | ---- | C] () -- C:\Users\Preston\AppData\Roaming\UserTile.png
[2010/12/01 13:41:10 | 000,188,894 | ---- | C] () -- C:\Windows\hpwins22.dat
[2009/10/21 17:39:54 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/10/21 17:39:54 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2008/12/01 17:14:32 | 000,038,415 | ---- | C] () -- C:\Users\Preston\AppData\Roaming\Comma Separated Values (Windows).ADR
[2008/11/30 20:45:24 | 000,000,090 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2008/11/14 07:13:37 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/10/25 03:40:22 | 000,002,979 | ---- | C] () -- C:\Windows\hpwmdl22.dat
[2008/05/18 16:35:14 | 000,000,103 | ---- | C] () -- C:\Windows\System32\hptrace.ini
[2008/05/18 16:34:29 | 000,011,624 | ---- | C] () -- C:\Windows\hpdj5800.ini
[2008/02/11 18:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2007/09/21 13:12:03 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/04/20 18:33:32 | 000,000,000 | ---- | C] () -- C:\Users\Preston\AppData\Roaming\wklnhst.dat
[2007/04/06 09:07:25 | 000,027,648 | ---- | C] () -- C:\Users\Preston\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/30 18:57:36 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2006/11/30 18:27:17 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2006/11/30 18:27:17 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2006/11/30 18:27:17 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2006/11/30 18:27:17 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2006/11/30 18:27:17 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2006/11/30 18:27:17 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2006/11/30 18:02:13 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2006/11/30 18:02:13 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2006/11/30 18:02:13 | 000,009,484 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2006/11/30 18:02:13 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2006/11/06 13:02:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2006/11/02 06:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 06:47:37 | 000,335,016 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 04:33:01 | 000,606,602 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 04:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 04:33:01 | 000,105,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 04:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 04:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 02:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 02:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 01:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/10/31 19:37:00 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/08/10 17:00:52 | 000,094,208 | ---- | C] () -- C:\Windows\System32\TosBtHcrpAPI.dll
[2006/03/09 12:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/07/22 23:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2007/09/02 17:25:41 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\DeLorme
[2011/12/31 16:44:59 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Dropbox
[2011/07/28 08:09:13 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\InterVideo
[2010/12/22 22:34:59 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\PeerNetworking
[2010/01/06 14:22:18 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Smith Micro
[2007/04/20 18:33:49 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Template
[2008/09/12 08:05:23 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Toshiba
[2008/03/27 14:01:31 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Ulead Systems
[2007/04/06 09:08:29 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\WildTangent
[2011/04/13 17:28:06 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\WinBatch
[2011/12/31 18:40:10 | 000,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 15:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 00:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2006/11/30 17:26:20 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2011/12/31 18:50:04 | 000,016,471 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 15:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2011/12/31 18:41:16 | 2137,186,304 | -HS- | M] () -- C:\hiberfil.sys
[2008/04/09 15:37:44 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/04/09 15:37:44 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/12/31 18:41:13 | 2450,976,768 | -HS- | M] () -- C:\pagefile.sys
[2011/12/31 00:20:42 | 000,080,678 | ---- | M] () -- C:\TDSSKiller.2.6.25.0_31.12.2011_00.18.54_log.txt

< %systemroot%\Fonts\*.com >
[2006/11/02 06:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 06:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 06:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/11/12 11:50:17 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 15:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/08/12 10:58:10 | 000,314,880 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\hpfpp082.dll
[2008/01/19 01:34:28 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\HPZPPLHN.DLL
[2006/11/02 06:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll
[2006/11/02 03:46:11 | 000,089,600 | ---- | M] (Lexmark International Inc.) -- C:\Windows\system32\spool\prtprocs\w32x86\LMPRTPRC.DLL
[2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\mdippr.dll
[2006/10/26 21:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >
[2010/02/09 08:05:56 | 000,001,746 | -H-- | M] () -- C:\Users\Preston\AppData\Roaming\Microsoft\LastFlashConfig.WFC

< %PROGRAMFILES%\*.* >
[2008/11/13 17:46:11 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/11/30 17:26:04 | 006,602,752 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/30 17:26:02 | 000,102,400 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/30 17:26:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/30 17:26:15 | 015,556,608 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/30 17:26:17 | 006,012,928 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/01/03 22:11:06 | 000,000,702 | -HS- | M] () -- C:\Users\Preston\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2011/12/31 01:23:14 | 004,702,720 | ---- | M] (AVAST Software) -- C:\Users\Preston\Desktop\aswMBR.exe
[2011/12/31 18:56:38 | 004,358,797 | R--- | M] (Swearware) -- C:\Users\Preston\Desktop\ComboFix.exe
[2011/12/30 23:30:28 | 000,302,592 | ---- | M] () -- C:\Users\Preston\Desktop\GMER.exe
[2011/12/29 11:32:52 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Preston\Desktop\mbam-setup-1.60.0.1800.exe
[2011/12/31 20:55:22 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Preston\Desktop\OTL.exe
[2011/12/29 11:34:38 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Preston\Desktop\tdsskiller.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2010/09/15 02:38:00 | 000,000,402 | -HS- | M] () -- C:\Users\Preston\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2008/12/29 07:23:19 | 000,000,252 | ---- | M] () -- C:\ProgramData\FastPics.log
[2011/01/05 22:26:55 | 000,001,710 | ---- | M] () -- C:\ProgramData\hpzinstall.log
[2010/12/01 14:02:18 | 000,074,013 | ---- | M] () -- C:\ProgramData\lxdw.log
[2010/01/09 11:40:43 | 000,045,424 | ---- | M] () -- C:\ProgramData\lxdwJSW.log
[2008/12/29 07:18:34 | 000,000,000 | ---- | M] () -- C:\ProgramData\UpdaterLog.txt

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< End of report >

 

[Wigie]

OTL Extras Log

Extras.txt

OTL Extras logfile created on: 12/31/2011 8:04:34 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Preston\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19170)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.18 Gb Available Physical Memory | 59.25% Memory free
4.21 Gb Paging File | 3.41 Gb Available in Paging File | 80.89% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 60.51 Gb Free Space | 54.84% Space Free | Partition Type: NTFS
Drive E: | 488.60 Mb Total Space | 209.84 Mb Free Space | 42.95% Space Free | Partition Type: FAT

Computer Name: PRESTON-PC | User Name: Preston | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2761A368-3AE0-433F-9AA9-F09CD3271E65}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe |
"{7799C2CF-877D-4B47-ADAE-F7B75D5AF42D}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8A4B286E-EE22-4661-B113-9B0E82CCEAB1}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{9B3666D8-B6DD-4AA0-B63F-23BA9AFC55C9}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A6E276D6-116C-45A0-AE3B-3BD5BBF280C5}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{ADB8120F-2A6F-4AB5-9950-6EB1E6EFB804}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{ADD80576-5F2B-4DEE-B04B-BF62874291A8}" = lport=2869 | protocol=6 | dir=in | app=system |
"{B3534DF1-5278-4EB0-BA5A-C0439C2226D2}" = lport=10243 | protocol=6 | dir=in | app=system |
"{C5D6964E-4F9F-461A-B3CD-8241EAA07218}" = rport=10243 | protocol=6 | dir=out | app=system |
"{E4EBA9FE-8A29-468A-A031-089F7A7C306A}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02ADE157-A19E-494F-AC82-F219E3289EC5}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqste08.exe |
"{0314C332-C5F2-4122-ABC3-DDEEFA1E3910}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqkygrp.exe |
"{081C8FBF-46ED-46C5-ACE7-3A12CBA85023}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{1C8F92CF-E2DC-48F8-A8A6-D9DC23062E6E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{42E2A3A1-7298-47DC-B03E-5DE19B0FCC15}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposfx08.exe |
"{535A5CEB-1BB9-4A8A-93F2-2352D959AA4A}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{59678263-32DD-4EA3-BDD9-C10BD26FC05B}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{5E48C4E3-962D-4E5E-ACD3-F8D9165D5E87}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{6A417DAA-ADB7-480C-AA01-ED9D2B9797C0}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{6F4DD373-AC25-4ECB-9A21-67A9A906F965}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{70EC471A-59E7-4900-A738-78FD5165751E}" = dir=in | app=c:\program files\hp\digital imaging\bin\hposid01.exe |
"{75D198FE-7ADA-44BA-9BB0-06F0E0B6DD54}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpzwiz01.exe |
"{82808843-C6A6-4349-8571-56CB8C4B30A9}" = protocol=17 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"{831AF0E5-AB3C-4359-AB8C-F390C993E921}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpqtra08.exe |
"{886600F1-562A-4F16-8478-53A9E7798BC1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{9C56FDA7-C86B-487D-99CF-C01EE1E0D447}" = protocol=6 | dir=in | app=c:\program files\yahoo!\yahoo! music jukebox\yahoomusicengine.exe |
"{B3D09D8B-20B7-40CE-8CE3-D439E1281A1E}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdwpswx.exe |
"{B95E7A89-C1E8-495B-92A6-9D607C267AF5}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{BB1CB6BA-7760-46AA-9026-B53BEE4993DA}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{C0FA10D1-7565-469D-9529-6059FD0A80B6}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdwpswx.exe |
"{C4EEDD2B-7C2B-4D7A-B418-54ABF94EDB31}" = dir=in | app=c:\program files\hp\digital imaging\bin\hpofxm08.exe |
"{C5843156-D86B-4C01-AA7D-D2DB864383C5}" = protocol=6 | dir=in | app=c:\windows\system32\lxdwcoms.exe |
"{C941121B-FDA7-4D72-93B7-3A4C205A5EAD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E153D141-E74E-4652-A787-2E72F09855B7}" = protocol=6 | dir=out | app=system |
"{E2AB6A05-E03F-4A34-8C89-F4906AFD4201}" = protocol=17 | dir=in | app=c:\windows\system32\lxdwcoms.exe |
"{EC2FB3D9-575F-4A01-907D-2D88EB0650CA}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F0D9B39F-6019-4858-B3FB-AC0EA15EE003}" = dir=in | app=d:\setup\hpznui01.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{06FAFD58-1C21-4C90-A2FC-C9DC5A2A9D09}" = Verizon Wireless MiFi-2200 Firmware Updates
"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg
"{102CBC47-7FDE-4E6C-8A3A-67B79833FAC8}" = BPDSoftware_Ini
"{11B2F891-91C8-47ce-945A-A91003EA27FB}" = BPDSoftware
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{18AB082B-6584-4F74-8ABC-D5935CF46E4C}" = 8500A909_eDocs
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"{2A329FB6-389D-4396-A974-29656D6864AE}" = MarketResearch
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{3FF660F4-147B-48CB-B824-2B595759D9EF}" = VZAccess Manager
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{432A850B-3558-4BFF-B1F9-30626835B523}" = BPD_DSWizards
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4D304678-738E-42a0-931A-2B022F49DEB8}" = TrayApp
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{57F60D52-630B-43C5-BD20-176F5CD4EED6}" = bpd_scan
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{624E7452-BA43-4f55-B9D5-FC75EEA0808B}" = Officejet Pro 8500 A909 Series
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{676981B7-A2D9-49D0-9F4C-03018F131DA9}" = DocProc
"{6B566EFE-DC1D-471F-93DD-84832663F140}" = OVT Scanner X86
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6EED4269-588D-45b8-A80C-26A9CA62EE4E}" = HPSSupply
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{800E784D-53E3-4948-B491-9E7FA5EACBDC}" = SmartWebPrinting
"{81D0EAC7-B352-4E71-B8A1-461E41029A2E}" = DeLorme Street Atlas USA 2008
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{98708E86-46E1-479D-B897-9802E591E762}" = TOSHIBA Volume Indicator
"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009
"{9A2F0810-369F-4E86-9072-973FBE1679C5}" = QuickBooks
"{9CCCFD9C-248F-47FE-9496-1680E3E5C163}" = Scan
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A80FA752-C491-4ED9-ABF0-4278563160B2}" = 32 Bit HP CIO Components Installer
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox
"{AC2BA148-EE9C-4F1A-AFCE-F38C2C71D29B}" = Mobile Broadband Generic Drivers
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B495547C-01F8-4836-A2E6-749B5F3EA691}" = 8500A909_Help
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{BE998F99-4CEB-4E64-B717-493A2E9797F4}" = TOSHIBA Supervisor Password
"{C13AF9C7-8E06-4354-B629-DF6192CE4A66}" = PANTECH UM175 Driver
"{C29C1940-CB85-4F3B-906C-33FEE0E67103}" = DocMgr
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{CD8C5C7F-7C58-4F85-8977-A6C08C087912}" = MPM
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{D5DEF057-D3BC-499f-99EE-884ED429B6D1}" = 8500A909g
"{DA8BF070-1358-4a30-A68F-21E0E9421AEF}" = ProductContext
"{EB0B41B1-E84F-483C-91FF-BB83019EE127}" = TOSHIBA Hardware Setup
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax
"{EF9E56EE-0243-4BAD-88F4-5E7508AA7D96}" = Destination Component
"{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}" = DVD MovieFactory for TOSHIBA
"{F769B78E-FF0E-4db5-95E2-9F4C8D6352FE}" = DeviceDiscovery
"{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = TIPCI
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AVerMedia USB Hybrid Capture Device" = AVerMedia USB Hybrid Capture Device 1.3.0.46
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_PCI_VEN_14F1&DEV_5045&SUBSYS_1179FF31" = Soft Data Fax Modem with SmartCP
"Desktop Dialer" = Desktop Dialer
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"hp deskjet 5800 series_Driver" = hp deskjet 5800 series
"HP Document Manager" = HP Document Manager 2.0
"HP Imaging Device Functions" = HP Imaging Device Functions 12.0
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 12.0
"HPOCR" = OCR Software by I.R.I.S. 12.0
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{98708E86-46E1-479D-B897-9802E591E762}" = TOSHIBA Volume Indicator
"InstallShield_{BE998F99-4CEB-4E64-B717-493A2E9797F4}" = TOSHIBA Supervisor Password
"InstallShield_{EB0B41B1-E84F-483C-91FF-BB83019EE127}" = TOSHIBA Hardware Setup
"InstallShield_{F7B05784-334C-4F76-8BAB-30ABEB7FD534}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Mobile Broadband Generic Drivers" = Mobile Broadband Generic Drivers
"Money2007b" = Microsoft Money Essentials
"Picasa 3" = Picasa 3
"Shop for HP Supplies" = Shop for HP Supplies
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Game Console" = TOSHIBA Game Console
"TOSHIBA Media Center Game Console" = TOSHIBA Media Center Game Console
"WT015736" = FATE
"WT015800" = Blasterball 3
"WT015802" = Bejeweled 2 Deluxe
"WT015803" = Blackhawk Striker 2
"WT015804" = Chuzzle Deluxe
"WT015805" = JEOPARDY
"WT015806" = Penguins!
"WT015809" = SCRABBLE

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2770878112-3271522919-883143568-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/15/2011 4:00:49 AM | Computer Name = Preston-PC | Source = VSS | ID = 12289
Description =

Error - 6/15/2011 4:00:50 AM | Computer Name = Preston-PC | Source = VSS | ID = 12289
Description =

Error - 6/15/2011 4:01:21 AM | Computer Name = Preston-PC | Source = VSS | ID = 12289
Description =

Error - 6/15/2011 4:09:30 AM | Computer Name = Preston-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 6/15/2011 4:09:37 AM | Computer Name = Preston-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 6/15/2011 4:09:38 AM | Computer Name = Preston-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 6/15/2011 4:09:40 AM | Computer Name = Preston-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 6/15/2011 4:10:14 AM | Computer Name = Preston-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 6/15/2011 4:10:16 AM | Computer Name = Preston-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 6/15/2011 4:10:18 AM | Computer Name = Preston-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ Media Center Events ]
Error - 9/3/2007 7:30:44 PM | Computer Name = Preston-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 9/8/2007 5:20:53 PM | Computer Name = Preston-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 9/21/2007 2:13:42 PM | Computer Name = Preston-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 10/20/2007 9:50:55 PM | Computer Name = Preston-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 10/26/2007 3:43:38 PM | Computer Name = Preston-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 12/18/2008 10:06:12 AM | Computer Name = Preston-PC | Source = MCUpdate | ID = 0
Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed
due to an abandoned mutex.'.

Error - 8/2/2010 6:15:57 PM | Computer Name = Preston-PC | Source = MCUpdate | ID = 0
Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed
due to an abandoned mutex.'.

[ System Events ]
Error - 12/31/2011 8:42:26 PM | Computer Name = Preston-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/31/2011 8:42:26 PM | Computer Name = Preston-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/31/2011 8:42:26 PM | Computer Name = Preston-PC | Source = Service Control Manager | ID = 7003
Description =

Error - 12/31/2011 8:42:26 PM | Computer Name = Preston-PC | Source = Service Control Manager | ID = 7003
Description =

Error - 12/31/2011 8:42:26 PM | Computer Name = Preston-PC | Source = Service Control Manager | ID = 7003
Description =

Error - 12/31/2011 8:42:26 PM | Computer Name = Preston-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 12/31/2011 8:42:56 PM | Computer Name = Preston-PC | Source = DCOM | ID = 10016
Description =

Error - 12/31/2011 8:45:21 PM | Computer Name = Preston-PC | Source = WMPNetworkSvc | ID = 866293
Description =

Error - 12/31/2011 8:48:10 PM | Computer Name = Preston-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 12/31/2011 8:49:47 PM | Computer Name = Preston-PC | Source = WMPNetworkSvc | ID = 866293
Description =


< End of report >

 

[Broni]

Good news

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
  IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
  O1 - Hosts: 66.197.194.231 www.google-analytics.com.
  O1 - Hosts: 66.197.194.231 ad-emea.doubleclick.net.
  O1 - Hosts: 66.197.194.231 www.statcounter.com.
  O1 - Hosts: 69.72.252.254 www.google-analytics.com.
  O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
  O1 - Hosts: 69.72.252.254 www.statcounter.com.
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
  O3 - HKU\S-1-5-21-2770878112-3271522919-883143568-1000\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
  O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not found
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.

 

[Wigie]

Problems with running OTL

Hi Broni,

I tried running the OTL custom fix, but it complains about not being able to change c:\windows\system32\drivers\etc\hosts and hangs on the first "Processing O1 - Hosts" line. I've tried running OTL as administrator, with the same error. I've tried running right after a reboot (since when OTL hangs, the taskbar and all Desktop icons are gone), still no luck. I also tried editing the hosts file directly with Notepad (run as administrator), also no luck.

If it helps, running "cacls hosts" gives:

C:\Windows\System32\drivers\etc\hosts NT AUTHORITY\Authenticated Usersspecial access
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_READ_DATA
FILE_READ_EA
FILE_READ_ATTRIBUTES

Here's where my Windows-fu starts breaking down. Any tips for the next step?

 

[Broni]

Take ownership of c:\windows\system32\drivers\etc folder: http://www.howtogeek.com/howto/wind...ership-to-explorer-right-click-menu-in-vista/

 

[Wigie]

OTL Custom Fix log

OK, taking ownership did the trick. Following is the result of the custom fix:

All processes killed

========== OTL ==========

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.

66.197.194.231 www.google-analytics.com. removed from HOSTS file successfully

66.197.194.231 ad-emea.doubleclick.net. removed from HOSTS file successfully

66.197.194.231 www.statcounter.com. removed from HOSTS file successfully

69.72.252.254 www.google-analytics.com. removed from HOSTS file successfully

69.72.252.254 ad-emea.doubleclick.net. removed from HOSTS file successfully

69.72.252.254 www.statcounter.com. removed from HOSTS file successfully

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.

Registry value HKEY_USERS\S-1-5-21-2770878112-3271522919-883143568-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{00000000-0000-0000-0000-000000000000} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\ not found.

Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}

C:\Windows\Downloaded Program Files\gp.inf not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...\ deleted successfully.

========== COMMANDS ==========



[EMPTYTEMP]



User: All Users



User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes



User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes



User: Preston

->Temp folder emptied: 42136 bytes

->Temporary Internet Files folder emptied: 136766923 bytes

->Java cache emptied: 21106 bytes

->Flash cache emptied: 57976 bytes



User: Public

->Temp folder emptied: 0 bytes



%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 28950 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 2811 bytes



Total Files Cleaned = 131.00 mb





[EMPTYFLASH]



User: All Users



User: Default



User: Default User



User: Preston

->Flash cache emptied: 0 bytes



User: Public



Total Flash Files Cleaned = 0.00 mb





OTL by OldTimer - Version 3.2.31.0 log created on 12312011_234545



Files\Folders moved on Reboot...



Registry entries deleted on Reboot...

 

[Broni]

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.

...

 

[Wigie]

OTL Quick Scan

And here are the results of the following OTL Quick Scan, which reported an "all clear":

OTL logfile created on: 12/31/2011 11:55:04 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Preston\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19170)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.18 Gb Available Physical Memory | 59.10% Memory free
4.21 Gb Paging File | 3.29 Gb Available in Paging File | 78.09% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 59.14 Gb Free Space | 53.61% Space Free | Partition Type: NTFS
Drive E: | 488.60 Mb Total Space | 209.68 Mb Free Space | 42.91% Space Free | Partition Type: FAT

Computer Name: PRESTON-PC | User Name: Preston | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/31 20:55:22 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Preston\Desktop\OTL.exe
PRC - [2011/12/05 13:17:44 | 024,242,056 | ---- | M] (Dropbox, Inc.) -- C:\Users\Preston\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2011/06/22 06:13:46 | 000,984,936 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2011/06/22 04:57:14 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2006/11/28 22:05:38 | 000,523,952 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
PRC - [2006/11/22 19:45:28 | 000,425,648 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2006/11/22 19:08:12 | 000,409,264 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
PRC - [2006/11/20 14:15:14 | 000,446,128 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SmoothView\SmoothView.exe
PRC - [2006/11/15 00:02:36 | 001,372,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2006/11/14 23:19:42 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
PRC - [2006/11/14 22:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/11/01 00:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2006/10/30 21:44:40 | 000,094,208 | ---- | M] (TOSHIBA Inc.) -- C:\Program Files\Toshiba\Utilities\VolControl.exe
PRC - [2006/10/27 15:11:02 | 000,192,512 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2006/08/23 18:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/07/20 14:54:28 | 000,040,960 | ---- | M] () -- c:\Toshiba\IVP\swupdate\swupdtmr.exe
PRC - [2006/07/20 14:45:00 | 000,151,552 | ---- | M] (TOSHIBA Corporation) -- C:\Toshiba\IVP\ISM\pinger.exe
PRC - [2006/05/25 20:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/21 14:03:23 | 000,478,208 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\TCrdMain\671c2eac21a8fa53311453a794d60093\TCrdMain.ni.exe
MOD - [2011/10/13 06:24:33 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\1363115565fff5a641243a48f396f107\System.Windows.Forms.ni.dll
MOD - [2011/10/13 06:24:21 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\367c4043efc2f32d843cb588b0dc97fc\System.Drawing.ni.dll
MOD - [2011/10/13 06:23:45 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\231b0b42eff55de5c7d7debe555c16b7\PresentationFramework.Aero.ni.dll
MOD - [2011/10/13 06:23:41 | 014,328,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\94f892556ec9fa7a508fc9d214ceaedf\PresentationFramework.ni.dll
MOD - [2011/10/13 06:23:19 | 012,216,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\53f949f4664bb316f9b7a00d73a6e290\PresentationCore.ni.dll
MOD - [2011/10/13 06:22:55 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\fd2c727bcef2e019eb96c1145f423701\WindowsBase.ni.dll
MOD - [2011/10/13 06:22:49 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\f9c36ea806e77872dce891c77b68fac3\System.ni.dll
MOD - [2011/10/13 06:22:21 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll
MOD - [2006/11/09 20:27:06 | 000,090,112 | ---- | M] () -- C:\Program Files\Toshiba\FlashCards\TWarnMsg\TWarnMsg.dll
MOD - [2006/11/08 20:08:30 | 000,009,216 | ---- | M] () -- C:\Program Files\Toshiba\PCDiag\NotifyPCD.dll
MOD - [2006/11/08 20:01:52 | 000,009,216 | ---- | M] () -- C:\Program Files\Toshiba\TBS\NotifyTBS.dll
MOD - [2006/10/20 15:49:22 | 000,009,216 | ---- | M] () -- C:\Program Files\Toshiba\ConfigFree\NotifyCFF.dll
MOD - [2006/10/10 12:44:16 | 000,009,728 | ---- | M] () -- C:\Program Files\Toshiba\TOSHIBA Assist\NotifyX.dll
MOD - [2006/10/07 13:57:04 | 000,053,248 | ---- | M] () -- C:\Program Files\Toshiba\TOSHIBA Disc Creator\NotifyTDC.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (hpdj)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2011/06/22 04:57:14 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2011/04/27 14:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/11/22 19:45:28 | 000,425,648 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2006/11/14 22:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/11/01 00:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2006/08/23 18:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/07/20 14:54:28 | 000,040,960 | ---- | M] () [Auto | Running] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2006/05/25 20:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - [2011/12/30 22:35:04 | 000,029,904 | ---- | M] () [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DE88DAA0-0892-49FD-99D1-0F3E25703ADC}\MpKsle880a45d.sys -- (MpKsle880a45d)
DRV - [2011/12/30 20:49:18 | 000,029,904 | ---- | M] () [Kernel | System | Stopped] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DE88DAA0-0892-49FD-99D1-0F3E25703ADC}\MpKsl4b817780.sys -- (MpKsl4b817780)
DRV - [2011/04/27 14:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 12:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/12/18 11:13:02 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2009/12/18 11:13:00 | 000,230,912 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/12/18 11:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2009/12/18 11:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2009/12/18 11:12:58 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2009/08/12 05:13:32 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUMdm.sys -- (PTDUMdm)
DRV - [2009/08/12 05:13:32 | 000,113,680 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUWWAN.sys -- (PTDUWWAN)
DRV - [2009/08/12 05:13:32 | 000,054,416 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUBus.sys -- (PTDUBus)
DRV - [2009/08/12 05:13:28 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUVsp.sys -- (PTDUVsp)
DRV - [2009/08/12 05:13:28 | 000,011,920 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUWFLT.sys -- (PTDUWFLT)
DRV - [2009/05/25 14:43:58 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
DRV - [2008/11/17 14:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R)
DRV - [2008/03/04 01:32:00 | 000,188,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/01/19 00:14:59 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/11/09 04:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/09/26 15:12:22 | 002,251,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
DRV - [2006/11/20 20:14:28 | 000,033,792 | ---- | M] (TOSHIBA) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\qkbfiltr.sys -- (qkbfiltr)
DRV - [2006/11/17 15:08:36 | 000,145,920 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)
DRV - [2006/11/02 01:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2006/10/30 11:42:28 | 001,786,880 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2006/10/23 18:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 13:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/12 11:18:14 | 000,007,680 | ---- | M] (Quanta Computer Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BoiHwSetup.sys -- (BoiHwsetup)
DRV - [2006/09/27 21:06:56 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2006/08/04 18:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/07/31 06:44:00 | 000,580,992 | ---- | M] (Omnivision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ov550i.sys -- (APL531)
DRV - [2006/07/06 15:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/02/14 12:50:52 | 000,216,320 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2005/09/27 17:57:38 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2005/08/17 07:47:48 | 000,073,696 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdserd.sys -- (sscdserd) SAMSUNG CDMA Modem Diagnostic Serial Port (WDM)
DRV - [2005/08/17 07:46:26 | 000,093,872 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2005/08/17 07:46:20 | 000,008,272 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2005/08/17 07:45:00 | 000,058,352 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus) SAMSUNG USB Composite Device driver (WDM)
DRV - [2005/08/01 18:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/12/01 13:53:18 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/12/01 13:53:18 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/12/31 23:45:47 | 000,001,500 | RH-- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HSON] C:\Program Files\Toshiba\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TOSHIBA Volume Indicator] C:\Program Files\Toshiba\Utilities\VolControl.exe (TOSHIBA Inc.)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - Startup: C:\Users\Preston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Preston\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FCE00225-F6A3-42B7-9AFF-64CDC15BEB8E}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\Toshiba-1.JPG
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\Toshiba-1.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/03/28 12:31:42 | 000,000,176 | RHS- | M] () - E:\autorun.inf -- [ FAT ]
O32 - AutoRun File - [2009/03/28 12:31:44 | 000,000,000 | RHSD | M] - E:\AutoRun -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/31 21:46:52 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/12/31 19:58:54 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Preston\Desktop\OTL.exe
[2011/12/31 18:50:06 | 000,000,000 | ---D | C] -- C:\Users\Preston\AppData\Local\temp
[2011/12/31 18:42:07 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/12/31 18:01:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/31 18:01:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/31 18:01:18 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/31 18:01:11 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/31 18:01:11 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/12/31 17:58:28 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/31 17:57:28 | 004,358,797 | R--- | C] (Swearware) -- C:\Users\Preston\Desktop\ComboFix.exe
[2011/12/31 16:44:01 | 004,702,720 | ---- | C] (AVAST Software) -- C:\Users\Preston\Desktop\aswMBR.exe
[2011/12/30 22:36:17 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Preston\Desktop\dds.scr
[2011/12/30 22:04:59 | 000,000,000 | ---D | C] -- C:\Users\Preston\AppData\Roaming\Malwarebytes
[2011/12/30 22:03:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/30 22:03:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/12/30 22:03:35 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/12/30 22:03:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/30 22:02:19 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Preston\Desktop\tdsskiller.exe
[2011/12/30 22:02:14 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Preston\Desktop\mbam-setup-1.60.0.1800.exe
[2011/12/30 20:55:15 | 000,000,000 | R--D | C] -- C:\Users\Preston\Dropbox
[2011/12/30 20:52:34 | 000,000,000 | ---D | C] -- C:\Users\Preston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2011/12/30 20:49:56 | 000,000,000 | ---D | C] -- C:\Users\Preston\AppData\Roaming\Dropbox
[2011/12/13 21:31:26 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2007/10/14 19:35:00 | 000,040,960 | ---- | C] ( ) -- C:\Windows\OMNIUNS.EXE

========== Files - Modified Within 30 Days ==========

[2012/01/01 00:40:18 | 000,000,622 | ---- | M] () -- C:\Users\Preston\Desktop\TakeOwnership.zip
[2011/12/31 23:59:24 | 000,606,602 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/31 23:59:24 | 000,105,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/31 23:51:46 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/31 23:51:45 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/31 23:51:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/31 23:51:30 | 2137,186,304 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/31 23:45:47 | 000,001,500 | RH-- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/12/31 22:42:42 | 000,001,130 | ---- | M] () -- C:\Users\Preston\Desktop\OTL_script2
[2011/12/31 21:03:04 | 000,003,213 | ---- | M] () -- C:\Users\Preston\Desktop\OTL_script
[2011/12/31 20:55:22 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Preston\Desktop\OTL.exe
[2011/12/31 18:56:38 | 004,358,797 | R--- | M] (Swearware) -- C:\Users\Preston\Desktop\ComboFix.exe
[2011/12/31 17:53:34 | 000,000,512 | ---- | M] () -- C:\Users\Preston\Desktop\MBR.dat
[2011/12/31 01:23:14 | 004,702,720 | ---- | M] (AVAST Software) -- C:\Users\Preston\Desktop\aswMBR.exe
[2011/12/30 23:31:18 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Preston\Desktop\dds.scr
[2011/12/30 23:30:28 | 000,302,592 | ---- | M] () -- C:\Users\Preston\Desktop\GMER.exe
[2011/12/30 22:45:34 | 204,260,992 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/12/30 22:03:42 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/30 20:55:15 | 000,000,954 | ---- | M] () -- C:\Users\Preston\Desktop\Dropbox.lnk
[2011/12/30 20:53:22 | 000,000,934 | ---- | M] () -- C:\Users\Preston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011/12/29 11:34:38 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Preston\Desktop\tdsskiller.exe
[2011/12/29 11:32:52 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Preston\Desktop\mbam-setup-1.60.0.1800.exe
[2011/12/25 07:03:52 | 000,002,609 | ---- | M] () -- C:\Users\Preston\Desktop\Microsoft Office Word 2003.lnk
[2011/12/24 06:32:19 | 000,000,112 | ---- | M] () -- C:\ProgramData\Km03YTDm.dat
[2011/12/14 03:37:44 | 000,335,016 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2011/12/31 23:41:44 | 000,000,622 | ---- | C] () -- C:\Users\Preston\Desktop\TakeOwnership.zip
[2011/12/31 22:52:49 | 2137,186,304 | -HS- | C] () -- C:\hiberfil.sys
[2011/12/31 21:43:12 | 000,001,130 | ---- | C] () -- C:\Users\Preston\Desktop\OTL_script2
[2011/12/31 19:58:58 | 000,003,213 | ---- | C] () -- C:\Users\Preston\Desktop\OTL_script
[2011/12/31 18:01:18 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/31 18:01:18 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/31 18:01:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/31 18:01:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/31 18:01:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/31 17:53:34 | 000,000,512 | ---- | C] () -- C:\Users\Preston\Desktop\MBR.dat
[2011/12/30 22:36:12 | 000,302,592 | ---- | C] () -- C:\Users\Preston\Desktop\GMER.exe
[2011/12/30 22:03:42 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/30 21:35:20 | 000,001,659 | ---- | C] () -- C:\Users\Preston\Desktop\Command Prompt.lnk
[2011/12/30 20:55:15 | 000,000,954 | ---- | C] () -- C:\Users\Preston\Desktop\Dropbox.lnk
[2011/12/30 20:53:22 | 000,000,934 | ---- | C] () -- C:\Users\Preston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011/12/24 05:09:30 | 000,000,112 | ---- | C] () -- C:\ProgramData\Km03YTDm.dat
[2011/01/09 13:13:00 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
[2011/01/05 22:23:18 | 000,077,378 | ---- | C] () -- C:\Windows\hpqins05.dat
[2010/12/25 19:38:26 | 000,002,979 | ---- | C] () -- C:\Windows\hpwmdl22.dat.temp
[2010/12/22 22:35:00 | 000,024,064 | ---- | C] () -- C:\Users\Preston\AppData\Roaming\UserTile.png
[2010/12/01 13:41:10 | 000,188,894 | ---- | C] () -- C:\Windows\hpwins22.dat
[2009/10/21 17:39:54 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/10/21 17:39:54 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2008/12/01 17:14:32 | 000,038,415 | ---- | C] () -- C:\Users\Preston\AppData\Roaming\Comma Separated Values (Windows).ADR
[2008/11/30 20:45:24 | 000,000,090 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2008/11/14 07:13:37 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/10/25 03:40:22 | 000,002,979 | ---- | C] () -- C:\Windows\hpwmdl22.dat
[2008/05/18 16:35:14 | 000,000,103 | ---- | C] () -- C:\Windows\System32\hptrace.ini
[2008/05/18 16:34:29 | 000,011,624 | ---- | C] () -- C:\Windows\hpdj5800.ini
[2008/02/11 18:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2007/09/21 13:12:03 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/04/20 18:33:32 | 000,000,000 | ---- | C] () -- C:\Users\Preston\AppData\Roaming\wklnhst.dat
[2007/04/06 09:07:25 | 000,027,648 | ---- | C] () -- C:\Users\Preston\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/30 18:57:36 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2006/11/30 18:27:17 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2006/11/30 18:27:17 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2006/11/30 18:27:17 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2006/11/30 18:27:17 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2006/11/30 18:27:17 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2006/11/30 18:27:17 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2006/11/30 18:02:13 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2006/11/30 18:02:13 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2006/11/30 18:02:13 | 000,009,484 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2006/11/30 18:02:13 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2006/11/06 13:02:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2006/11/02 06:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 06:47:37 | 000,335,016 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 04:33:01 | 000,606,602 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 04:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 04:33:01 | 000,105,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 04:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 04:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 02:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 02:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 01:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/10/31 19:37:00 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/08/10 17:00:52 | 000,094,208 | ---- | C] () -- C:\Windows\System32\TosBtHcrpAPI.dll
[2006/03/09 12:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/07/22 23:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2007/09/02 17:25:41 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\DeLorme
[2011/12/31 23:53:17 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Dropbox
[2011/07/28 08:09:13 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\InterVideo
[2010/12/22 22:34:59 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\PeerNetworking
[2010/01/06 14:22:18 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Smith Micro
[2007/04/20 18:33:49 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Template
[2008/09/12 08:05:23 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Toshiba
[2008/03/27 14:01:31 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\Ulead Systems
[2007/04/06 09:08:29 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\WildTangent
[2011/04/13 17:28:06 | 000,000,000 | ---D | M] -- C:\Users\Preston\AppData\Roaming\WinBatch
[2011/12/31 23:50:23 | 000,032,612 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

 

[Broni]

Looks good

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  
  NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click on List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

 

[Wigie]

Latest scans

Happy New Year!

Following are the results of Security Check and ESET Online Scanner. My hopes were dimmed when I saw ESET find two infections... but it appears they were found in previously quarantined files. Whew. Hoping that this means I'll get the all-clear message from you.

checkup.txt:

Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Microsoft Security Essentials
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````


ESET Scan:

C:\Qoobox\Quarantine\C\Windows\system32\Drivers\i8042prt.sys.vir a variant of Win32/Rootkit.Kryptik.GG trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\i8042prt.sys.vir_ a variant of Win32/Rootkit.Kryptik.GG trojan cleaned by deleting - quarantined

 

[Broni]

Update Internet Explorer to version 9.

===========================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

 

[Wigie]

OTL cleanup; Windows Update error

I ran the OTL cleanup script; log posted below.

Now however, I'm having trouble running Windows Update. I keep getting Code 80096001, and the update process fails. Any help on getting past this latest hurdle would be appreciated!

OTL log:

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Preston
->Temp folder emptied: 52014 bytes
->Temporary Internet Files folder emptied: 162426126 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 314240 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 155.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Preston
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 01022012_114652

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

 

[Broni]

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

 

[Wigie]

FSS.txt log

Farbar Service Scanner
Ran by Preston (administrator) on 02-01-2012 at 19:25:24
MicrosoftÆ Windows Vistaô Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-12 20:53] - [2011-09-20 15:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll
[2009-10-21 17:38] - [2009-04-11 00:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-10-21 17:40] - [2009-04-11 00:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll
[2009-10-21 17:40] - [2009-04-11 00:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

C:\Windows\system32\cryptsvc.dll
[2009-10-21 17:39] - [2009-04-11 00:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

 

[Broni]

Your Windows updates settings look fine, but I can see some problems with Windows firewall.
See if you access its settings and if Windows firewall is on.

 

[Wigie]

Firewall unhappy

Hi Broni,

I tried accessing Windows Firewall w/o success. I'm told the service isn't running.
If I try showing the settings, I get "Due to an unidentified problem, Windows cannot display Windows Firewall settings."

If I try "Update settings now", I get "Windows Firewall was unable to make the requested updates."

EDIT: Followed your instructions on http://www.smartestcomputing.us.com/topic/49542-cant-start-windows-firewall%3B-windows-firewall-service-missing-fix/ for re-enabling the firewall. Windows Firewall now appears to work.

However, Windows Update is still crapping out with error "80096001"...

 

[Broni]

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

Download Vista.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Right click on bfe.reg file, click "Merge".
Allow registry merge.
Right click on mpssvc.reg file, click "Merge".
Allow registry merge.

Restart computer.

Click Start and in "Start search" type in:
regedit
Press Enter.

Registry editor will open.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
Right click on BFE key, click "Permissions"
Click on Add button, type Everyone and click OK.
Now click once on Everyone
Below, in "Permissions" pane checkmark "Alow" in "Full control" row.
Click OK.

In a set of files you downloaded in previous step find start_services.bat.
Right click on it, click "Run As Administrator" to run the fix.
Command prompt black window will pop-up for a split second and it'll disappear. That's normal.

Check on firewall issue and post new FSS log

 

[Wigie]

New FSS Log

Farbar Service Scanner
Ran by Preston (administrator) on 02-01-2012 at 20:32:04
MicrosoftÆ Windows Vistaô Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-12 20:53] - [2011-09-20 15:02] - 0913280 ____A (Microsoft Corporation) 16731B631F28F63CD9F4CB60940E7DDD

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll
[2009-10-21 17:38] - [2009-04-11 00:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-10-21 17:40] - [2009-04-11 00:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll
[2009-10-21 17:40] - [2009-04-11 00:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

C:\Windows\system32\cryptsvc.dll
[2009-10-21 17:39] - [2009-04-11 00:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****