Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirecting to Epoclick, ChinaonTV, other windows opening


  • This topic is locked This topic is locked
38 replies to this topic

#1 leapbabe

leapbabe

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 09 November 2010 - 04:40 PM

For the last couple weeks, my computer (using either Firefox or Chrome) has been redirecting pages to Epoclick and ChinaonTV, as well as opening separate windows on other, non-searched-for topics. Pages are also taking a tad too long to load. Scans with Microsoft Security Essentials come back clean. I realize I should have more security (I recently did a clean reinstall and am perplexed as to what to install beyond MSE), and once this infection is cleared up, I would appreciate any advice on what to install and how to protect my computer from future attacks. Thank you!


DDS (Ver_10-11-09.01) - NTFSx86
Run by JanetByTheSea at 15:35:11.95 on Tue 11/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.2068 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\WacomTouchService.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\ShadowProtect\ShadowProtectSvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\WINDOWS\system32\WTouchUser.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\CrossMenu\CrossMenu.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\TTPDSRV.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\vsnapvss.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Toshiba\IVP\ISM\ivpsvmgr.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [WTouchUser] c:\windows\system32\WTouchUser.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [TFncKy] TFncKy.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TRot.exe] c:\program files\toshiba\toshiba rotation utility\TRot.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286952886150
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: TosBtNP - TosBtNP.dll
Notify: tpgwlnotify - tpgwlnot.dll
Notify: TSigNP - TSigNP.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\abz6rrw1.default\
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2008-6-6 127520]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-4-27 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2008-6-6 86560]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-11-23 5888]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\shadowprotect\ShadowProtectSvc.exe [2008-6-6 1239584]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-11-23 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 TTPDSrv;TOSHIBA Touch Pad Service;c:\windows\system32\TTPDSRV.exe [2007-11-23 73728]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-5 1464856]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2008-6-6 69664]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [2008-6-5 95528]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-11-24 36608]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2007-11-23 8832]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-11-23 435072]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2007-2-22 11312]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-6-5 30248]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

=============== Created Last 30 ================

2010-11-09 19:41:02 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{7b0f2b67-6fc5-4ed3-b4eb-f27cac680024}\mpengine.dll
2010-11-08 07:34:26 -------- d-----w- c:\program files\SystemRequirementsLab
2010-11-08 07:27:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-08 07:27:42 411368 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-16 14:53:10 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-10-16 14:53:10 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-10-15 06:35:48 -------- d-----w- c:\program files\common files\Macrovision Shared
2010-10-14 22:56:49 -------- d-----w- c:\program files\Picasa3
2010-10-14 20:01:47 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-10-14 20:01:47 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 20:01:46 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 20:00:58 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2010-10-14 19:49:38 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-14 19:23:00 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-10-14 05:59:35 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-10-14 05:48:58 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-10-14 05:47:36 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-10-14 05:42:47 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-10-14 05:42:46 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-10-14 05:42:09 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-10-14 05:40:46 -------- d-----w- c:\windows\system32\scripting
2010-10-14 05:40:46 -------- d-----w- c:\windows\system32\en
2010-10-14 05:40:46 -------- d-----w- c:\windows\system32\bits
2010-10-14 05:40:46 -------- d-----w- c:\windows\l2schemas
2010-10-14 05:37:47 -------- d-----w- c:\windows\network diagnostic
2010-10-14 05:30:56 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-10-14 05:17:39 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-10-14 04:55:05 -------- d-----w- c:\windows\ServicePackFiles
2010-10-14 04:52:39 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-10-14 04:49:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-10-14 04:49:46 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-10-14 04:43:54 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-10-13 18:44:21 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-10-13 18:44:20 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-10-13 18:41:54 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-10-13 18:41:30 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-10-13 18:41:13 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-10-13 18:39:56 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-10-13 18:39:56 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-10-13 18:39:39 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-10-13 18:36:48 -------- d-----w- c:\windows\system32\PreInstall
2010-10-13 08:05:32 -------- d-----w- c:\windows\system32\LogFiles
2010-10-13 08:01:05 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\PCHealth
2010-10-13 07:16:04 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Temp
2010-10-13 05:53:36 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\WMTools Downloaded Files
2010-10-13 04:43:22 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-13 04:12:59 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-13 04:06:27 -------- d-----w- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2010-11-08 07:27:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-27 20:57:44 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-23 20:52:32 922112 ------w- c:\windows\system32\imapi2fs.dll
2010-09-23 20:52:32 426496 ------w- c:\windows\system32\imapi2.dll
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 15:39:17.07 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:06:40 PM

Posted 16 November 2010 - 09:52 AM

Hello leapbabe

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate.If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right click then choose Run as Administrator any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thank you for your patience!!

---------------------------------------------------
We need to create an OTL Report
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In your next reply please include the following:

OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized


Thanks!!
PW

#3 leapbabe

leapbabe
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 17 November 2010 - 09:20 AM

I understand, the forum is a busy place! In the last week, the computer's symptoms became so severe (redirecting to Epoclick, CHinaonTV, other random pages, new windows opening up, etc.) that I installed some programs recommended in this site's forum. I have added Spybot and Ad-Aware, and to Firefox I've installed NoScript and AdBlocker Plus add-ons, all since my first post. Since then I haven't had any redirect or pop-up problems, but not convinced the computer is clean. Today on start up, the command prompt window was open - that's new and unnerving. I've re-run the DDS and GMER logs to account for any changes (as you advised me to do) and have also run the OTL log. Everything is pasted or attached, as instructed. Thank you for your time!

Attached File  ark.log   2.17KB   4 downloadsI should mention that my computer was infected with something that ultimately lead to a clean reinstall, the beginning of October (came into contact with an infected USB flash drive). I have no idea if any of my problems in the last month are residuals of the initial infection, or new since the reinstall. Just offering full disclosure since I have no idea what is or is not relevant.

Janet


DDS (Ver_10-11-09.01) - NTFSx86
Run by JanetByTheSea at 8:16:52.78 on Wed 11/17/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.1752 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\WacomTouchService.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\ShadowProtect\ShadowProtectSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\System32\TTPDSRV.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\vsnapvss.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\WINDOWS\system32\WTouchUser.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\CrossMenu\CrossMenu.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\BleepingComputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB9581] command.com /c del "c:\windows\SchedLgU.Txt"
uRunOnce: [SpybotDeletingD9563] cmd.exe /c del "c:\windows\SchedLgU.Txt"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [WTouchUser] c:\windows\system32\WTouchUser.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [TFncKy] TFncKy.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TRot.exe] c:\program files\toshiba\toshiba rotation utility\TRot.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA2382] command.com /c del "c:\windows\SchedLgU.Txt"
mRunOnce: [SpybotDeletingC3095] cmd.exe /c del "c:\windows\SchedLgU.Txt"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286952886150
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: TosBtNP - TosBtNP.dll
Notify: tpgwlnotify - tpgwlnot.dll
Notify: TSigNP - TSigNP.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\abz6rrw1.default\
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-13 64288]
R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2008-6-6 127520]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-4-27 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2008-6-6 86560]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-11-23 5888]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\shadowprotect\ShadowProtectSvc.exe [2008-6-6 1239584]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-11-23 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 TTPDSrv;TOSHIBA Touch Pad Service;c:\windows\system32\TTPDSRV.exe [2007-11-23 73728]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-5 1464856]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2008-6-6 69664]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [2008-6-5 95528]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-11-24 36608]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15264]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2007-11-23 8832]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-11-23 435072]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2007-2-22 11312]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-6-5 30248]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

=============== Created Last 30 ================

2010-11-17 12:06:40 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{29b08de2-a61d-4e07-b2b4-31eac732fe25}\mpengine.dll
2010-11-13 20:24:59 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-13 18:20:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 18:20:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-13 18:15:13 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-13 18:15:10 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-13 18:05:28 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Sunbelt Software
2010-11-13 18:04:02 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-13 18:03:34 -------- d-----w- c:\program files\Lavasoft
2010-11-08 07:34:26 -------- d-----w- c:\program files\SystemRequirementsLab
2010-11-08 07:27:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-08 07:27:42 411368 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

==================== Find3M ====================

2010-11-08 07:27:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-27 20:57:44 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-23 20:52:32 922112 ------w- c:\windows\system32\imapi2fs.dll
2010-09-23 20:52:32 426496 ------w- c:\windows\system32\imapi2.dll
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

============= FINISH: 8:17:39.31 ===============


laceOTL logfile created on: 11/17/2010 8:59:56 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Tablet PC Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 55.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 3092 3092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 365.15 Gb Total Space | 309.45 Gb Free Space | 84.75% Space Free | Partition Type: NTFS
Drive D: | 100.61 Gb Total Space | 91.44 Gb Free Space | 90.88% Space Free | Partition Type: NTFS

Computer Name: SPASMOLYTIC | User Name: JanetByTheSea | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/17 08:59:06 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/11/16 13:17:06 | 000,928,496 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/11/16 13:17:03 | 001,375,992 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/10/27 01:10:10 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/10/27 01:10:00 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/15 01:35:48 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/09/15 06:34:02 | 001,094,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/03/25 23:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/10/14 23:38:56 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2008/04/21 16:30:28 | 000,069,664 | ---- | M] (StorageCraft Technology Corporation) -- C:\WINDOWS\system32\vsnapvss.exe
PRC - [2008/04/21 16:30:22 | 001,239,584 | ---- | M] (StorageCraft Technology Corporation) -- C:\Program Files\ShadowProtect\ShadowProtectSvc.exe
PRC - [2008/04/13 19:12:40 | 000,293,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wisptis.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/12 19:23:02 | 000,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TTPDSRV.exe
PRC - [2007/11/01 16:11:56 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSODDCtl.exe
PRC - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2007/10/16 12:10:34 | 000,315,392 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2007/10/15 11:42:44 | 000,166,424 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2007/10/12 15:10:48 | 000,806,912 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
PRC - [2007/10/08 16:27:02 | 000,794,624 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/10/08 16:18:04 | 000,995,328 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/10/08 16:13:36 | 001,101,824 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/10/08 16:09:26 | 000,659,456 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/10/08 16:06:44 | 001,183,744 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/10/08 16:01:54 | 000,483,328 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/09/29 18:33:48 | 000,045,056 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2007/09/27 17:15:14 | 000,095,528 | ---- | M] () -- C:\WINDOWS\system32\WacomTouchService.exe
PRC - [2007/09/27 17:12:52 | 000,107,816 | ---- | M] () -- C:\WINDOWS\system32\WTouchUser.exe
PRC - [2007/09/07 18:11:28 | 000,531,072 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\ThpSrv.exe
PRC - [2007/08/28 18:09:56 | 001,464,856 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/08/28 18:09:52 | 000,182,808 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe
PRC - [2007/08/28 18:09:46 | 000,121,368 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2007/08/22 20:26:00 | 000,258,048 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\00THotkey.exe
PRC - [2007/07/19 18:27:18 | 004,765,184 | ---- | M] () -- C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
PRC - [2007/05/22 12:50:02 | 000,413,696 | ---- | M] (Chicony) -- C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
PRC - [2007/04/13 21:16:16 | 000,311,296 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe
PRC - [2007/04/09 21:07:02 | 000,159,744 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2007/02/26 00:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2006/08/09 22:48:08 | 000,344,144 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TAudEffect\TAudEff.exe
PRC - [2006/07/20 22:49:32 | 000,327,680 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSHIBA Rotation Utility\TRot.exe
PRC - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2006/04/26 20:35:02 | 000,090,112 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TME3\TMERzCtl.exe
PRC - [2006/04/10 21:14:52 | 000,622,592 | ---- | M] (TOSHIBA Corp.) -- C:\WINDOWS\system32\TFNF5.exe
PRC - [2006/03/16 16:58:00 | 000,974,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2005/12/14 15:00:32 | 000,126,976 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TME3\TMESRV31.exe
PRC - [2005/11/29 23:45:36 | 000,188,416 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
PRC - [2005/06/28 23:43:00 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TouchED\TouchED.exe
PRC - [2005/05/17 14:42:02 | 000,049,152 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe
PRC - [2005/01/17 19:38:00 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2004/12/30 03:32:20 | 000,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PRC - [2004/12/16 14:56:52 | 000,090,112 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
PRC - [2004/06/30 19:29:34 | 000,049,152 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Acceleration Utilities\Shaker\TSkrMain.exe
PRC - [2004/02/24 18:57:32 | 000,077,824 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TME3\TMETEMnu.exe
PRC - [2002/08/29 06:41:28 | 000,035,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tabbtnu.exe


========== Modules (SafeList) ==========

MOD - [2010/11/17 08:59:06 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 19:12:06 | 000,250,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\sptip.dll
MOD - [2008/04/13 19:12:01 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2008/04/13 19:11:58 | 000,068,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msctfp.dll
MOD - [2008/04/13 11:43:18 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\spgrmr.dll
MOD - [2002/08/29 06:41:08 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Journal\nbmaptip.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/16 13:17:03 | 001,375,992 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/10/15 01:35:48 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/03/25 23:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/04/21 16:30:28 | 000,069,664 | ---- | M] (StorageCraft Technology Corporation) [Auto | Running] -- C:\WINDOWS\system32\vsnapvss.exe -- (VSNAPVSS)
SRV - [2008/04/21 16:30:22 | 001,239,584 | ---- | M] (StorageCraft Technology Corporation) [Auto | Running] -- C:\Program Files\ShadowProtect\ShadowProtectSvc.exe -- (ShadowProtectSvc)
SRV - [2007/11/12 19:23:02 | 000,073,728 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TTPDSRV.exe -- (TTPDSrv)
SRV - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/10/08 16:27:02 | 000,794,624 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/10/08 16:06:44 | 001,183,744 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/10/08 16:01:54 | 000,483,328 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007/09/27 17:15:14 | 000,095,528 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\WacomTouchService.exe -- (WacomTouchService)
SRV - [2007/09/07 18:11:28 | 000,531,072 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\ThpSrv.exe -- (Thpsrv)
SRV - [2007/08/28 18:09:56 | 001,464,856 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS) Intel®
SRV - [2007/08/28 18:09:52 | 000,182,808 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\atchksrv.exe -- (atchksrv) Intel®
SRV - [2007/08/28 18:09:46 | 000,121,368 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2007/02/26 00:55:18 | 000,125,048 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2005/12/14 15:00:32 | 000,126,976 | ---- | M] (TOSHIBA) [Auto | Running] -- C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe -- (Tmesrv)
SRV - [2005/01/17 19:38:00 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\tbiosdrv.sys -- (tbiosdrv)
DRV - [2010/11/13 13:15:04 | 000,015,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/09/23 02:46:08 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/12/18 11:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2008/04/21 16:30:30 | 000,086,560 | ---- | M] (StorageCraft Technology Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\sbmount.sys -- (sbmount)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/07 18:00:00 | 000,127,520 | ---- | M] (StorageCraft Technology Corporation) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\stcvsm.sys -- (stcvsm)
DRV - [2007/11/06 18:25:36 | 000,101,888 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/11/01 17:38:56 | 004,620,288 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/09/26 08:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/09/06 19:28:44 | 000,146,560 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/08/27 13:10:36 | 000,012,288 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/07/30 16:44:58 | 000,030,248 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wisdpen.sys -- (wisdpen)
DRV - [2007/07/12 13:41:52 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2007/06/05 17:48:58 | 005,761,728 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/04/27 13:19:00 | 000,021,120 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\thpdrv.sys -- (Thpdrv)
DRV - [2007/04/16 12:19:10 | 000,011,776 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/04/13 16:33:34 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/03/26 15:22:18 | 000,105,856 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tdudf.sys -- (tdudf)
DRV - [2007/03/09 18:23:18 | 000,006,528 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Thpevm.SYS -- (Thpevm)
DRV - [2007/02/22 18:10:30 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/02/22 16:55:10 | 000,011,312 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WacomVTHid.sys -- (WacomVTHid)
DRV - [2007/02/21 21:20:36 | 000,435,072 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TEchoCan.sys -- (TEchoCan)
DRV - [2007/02/19 15:15:32 | 000,134,016 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\trudf.sys -- (trudf)
DRV - [2007/02/15 19:44:00 | 000,016,768 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\TVALZ.SYS -- (TVALZ)
DRV - [2007/02/12 16:36:54 | 000,277,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/01/24 17:44:06 | 000,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2007/01/23 06:13:26 | 000,036,608 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2006/11/28 17:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/10/23 19:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2004/06/16 14:08:48 | 000,005,888 | ---- | M] (Toshiba Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TMEI3E.sys -- (TMEI3E)
DRV - [2003/01/29 17:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2002/09/13 01:48:50 | 000,008,832 | ---- | M] (TOSHIBA) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\TBtnKey.sys -- (TBtnKey)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3216077674-4108253007-1749197675-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3216077674-4108253007-1749197675-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3216077674-4108253007-1749197675-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3216077674-4108253007-1749197675-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3216077674-4108253007-1749197675-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
IE - HKU\S-1-5-21-3216077674-4108253007-1749197675-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.1
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0.5.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/04 23:42:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/08 02:27:42 | 000,000,000 | ---D | M]

[2010/11/04 23:42:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/11/17 07:06:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\abz6rrw1.default\extensions
[2010/11/06 02:17:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\abz6rrw1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/13 12:45:52 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\abz6rrw1.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/11/13 12:45:52 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\abz6rrw1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/11/17 07:06:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/08 02:27:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/08 02:27:30 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/11/13 13:34:19 | 000,425,401 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14658 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-3216077674-4108253007-1749197675-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [000StTHK] C:\WINDOWS\System32\000StTHK.exe ()
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
O4 - HKLM..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe (TOSHIBA)
O4 - HKLM..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe ()
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe ()
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SpybotSnD] C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe (Safer Networking Limited)
O4 - HKLM..\Run: [TabletWizard] C:\WINDOWS\Help\splshwrp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TAcelMgr] C:\Program Files\Toshiba\Acceleration Utilities\TAcelMgr\TAcelMgr.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe (TOSHIBA)
O4 - HKLM..\Run: [TFncKy] File not found
O4 - HKLM..\Run: [TFNF5] C:\WINDOWS\System32\TFNF5.exe (TOSHIBA Corp.)
O4 - HKLM..\Run: [ThpSrv] C:\WINDOWS\System32\thpsrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE (TOSHIBA)
O4 - HKLM..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE (TOSHIBA)
O4 - HKLM..\Run: [TOSDCR] C:\WINDOWS\System32\TOSDCR.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe (TOSHIBA CORPORATION)
O4 - HKLM..\Run: [TouchED] C:\Program Files\Toshiba\TouchED\TouchED.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPSODDCtl] C:\WINDOWS\System32\TPSODDCtl.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TRot.exe] c:\Program Files\Toshiba\TOSHIBA Rotation Utility\TRot.exe (TOSHIBA)
O4 - HKLM..\Run: [TSkrMain] C:\Program Files\Toshiba\Acceleration Utilities\Shaker\TSkrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [WTouchUser] C:\WINDOWS\system32\WTouchUser.exe ()
O4 - HKU\S-1-5-19..\Run: [TabletWizard] C:\WINDOWS\help\wizard.hta File not found
O4 - HKU\S-1-5-20..\Run: [TabletWizard] C:\WINDOWS\help\wizard.hta File not found
O4 - HKU\S-1-5-21-3216077674-4108253007-1749197675-500..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-3216077674-4108253007-1749197675-500..\Run: [TOSCDSPD] C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - HKLM..\RunOnce: [SpybotDeletingA2382] C:\WINDOWS\System32\command.com ()
O4 - HKLM..\RunOnce: [SpybotDeletingC3095] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3216077674-4108253007-1749197675-500..\RunOnce: [SpybotDeletingB9581] C:\WINDOWS\System32\command.com ()
O4 - HKU\S-1-5-21-3216077674-4108253007-1749197675-500..\RunOnce: [SpybotDeletingD9563] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3216077674-4108253007-1749197675-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286952886150 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.66.19 213.109.73.6 1.1.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\TabBtnWL: DllName - TabBtnWL.dll - C:\WINDOWS\System32\tabbtnwl.dll (Microsoft Corporation)
O20 - Winlogon\Notify\TosBtNP: DllName - TosBtNP.dll - C:\WINDOWS\System32\TosBtNP.dll (TOSHIBA CORPORATION)
O20 - Winlogon\Notify\tpgwlnotify: DllName - tpgwlnot.dll - C:\WINDOWS\System32\tpgwlnot.dll (Microsoft Corporation)
O20 - Winlogon\Notify\TSigNP: DllName - TSigNP.dll - C:\WINDOWS\System32\TSigNP.dll (TOSHIBA)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/23 21:59:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/17 08:59:03 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/11/13 13:20:02 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/11/13 13:20:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/11/13 13:15:13 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/11/13 13:15:10 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/11/13 13:05:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Sunbelt Software
[2010/11/13 13:04:02 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
[2010/11/13 13:03:34 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/11/13 13:03:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/11/09 23:06:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\BleepingComputer
[2010/11/08 02:34:26 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2010/11/08 02:33:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
[2010/11/08 02:28:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/11/08 02:27:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/11/08 02:27:42 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/11/08 02:27:42 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/08 02:27:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/08 02:27:42 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/04 23:42:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2010/11/04 23:42:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2010/11/04 23:42:30 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/10/28 23:25:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/10/25 02:20:44 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2007/11/23 23:17:53 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\System32\BrigthDL.dll
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/17 08:59:06 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/11/17 08:27:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3216077674-4108253007-1749197675-500UA.job
[2010/11/17 07:31:33 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2010/11/17 07:15:33 | 000,000,171 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/11/17 06:59:06 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/11/17 06:59:04 | 000,000,466 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Scan (Daily Scan).job
[2010/11/17 06:55:02 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy.job
[2010/11/17 06:55:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/17 06:54:58 | 3211,628,544 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/16 04:00:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\Microsoft Security Essentials.job
[2010/11/15 00:27:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3216077674-4108253007-1749197675-500Core.job
[2010/11/13 15:33:10 | 000,031,260 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Basic Health International_ResearchAdmin..pdf
[2010/11/13 15:22:57 | 000,028,135 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NYCDH_chart review..pdf
[2010/11/13 15:11:04 | 000,032,990 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Human Services Council_public policy..pdf
[2010/11/13 14:59:29 | 000,028,935 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Literate Africa_grant writer.pdf
[2010/11/13 14:03:44 | 000,000,989 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/11/13 14:03:44 | 000,000,971 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/11/13 13:34:19 | 000,425,401 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/11/13 13:29:28 | 000,425,401 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20101113-133419.backup
[2010/11/13 13:15:10 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/11/13 13:04:01 | 000,000,893 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/11/13 13:04:01 | 000,000,875 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/11/11 01:29:16 | 000,000,318 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Veggie list.rtf
[2010/11/09 23:03:50 | 000,000,180 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\firefox add ons.rtf
[2010/11/09 15:31:10 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/11/08 19:20:32 | 000,001,975 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\NYAM_effective presentations.rtf
[2010/11/08 16:03:37 | 000,000,812 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/11/08 02:27:29 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/11/08 02:27:29 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/11/08 02:27:29 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/11/08 02:27:29 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/11/08 02:27:28 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/11/07 13:54:13 | 000,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/07 13:54:13 | 000,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/04 23:42:41 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/11/04 23:42:35 | 000,001,628 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/29 18:38:11 | 000,006,834 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Huff Bus_Janet.pdf
[2010/10/27 14:10:54 | 000,268,600 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/19 15:51:33 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/15 21:01:59 | 000,000,171 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/11/14 14:35:38 | 000,000,278 | ---- | C] () -- C:\WINDOWS\tasks\Microsoft Security Essentials.job
[2010/11/13 15:33:10 | 000,031,260 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Basic Health International_ResearchAdmin..pdf
[2010/11/13 15:26:24 | 000,000,466 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Scan (Daily Scan).job
[2010/11/13 15:24:59 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/11/13 15:22:57 | 000,028,135 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NYCDH_chart review..pdf
[2010/11/13 15:11:04 | 000,032,990 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Human Services Council_public policy..pdf
[2010/11/13 14:59:29 | 000,028,935 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Literate Africa_grant writer.pdf
[2010/11/13 13:56:57 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2010/11/13 13:52:26 | 000,000,280 | ---- | C] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy.job
[2010/11/13 13:20:15 | 000,000,989 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/11/13 13:20:15 | 000,000,971 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/11/13 13:15:42 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/11/13 13:04:01 | 000,000,893 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/11/13 13:04:01 | 000,000,875 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/11/11 01:29:16 | 000,000,318 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Veggie list.rtf
[2010/11/09 23:03:50 | 000,000,180 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\firefox add ons.rtf
[2010/11/09 15:31:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/11/08 19:20:31 | 000,001,975 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\NYAM_effective presentations.rtf
[2010/11/08 16:45:01 | 3211,628,544 | -HS- | C] () -- C:\hiberfil.sys
[2010/11/08 16:03:37 | 000,000,812 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/11/04 23:42:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/11/04 23:42:35 | 000,001,628 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/29 18:38:11 | 000,006,834 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Huff Bus_Janet.pdf
[2009/11/03 01:07:15 | 000,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2008/06/06 00:03:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/06/05 23:57:42 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2008/06/05 23:57:42 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2008/06/05 23:57:42 | 000,010,150 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2008/06/05 23:57:42 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2008/06/05 23:49:53 | 000,910,464 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008/06/05 23:49:53 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4837.dll
[2007/11/23 23:52:48 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2007/11/23 23:52:48 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2007/11/23 23:52:48 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2007/11/23 23:52:48 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2007/11/23 23:52:48 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2007/11/23 23:52:48 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2007/11/23 23:32:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2007/11/23 23:08:57 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2007/11/23 21:56:09 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2007/11/23 20:45:40 | 000,000,339 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2007/11/23 13:54:20 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/12/05 16:05:04 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/23 00:30:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEC0D766

< End of report >


OTL Extras logfile created on: 11/17/2010 8:59:56 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Tablet PC Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 55.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 3092 3092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 365.15 Gb Total Space | 309.45 Gb Free Space | 84.75% Space Free | Partition Type: NTFS
Drive D: | 100.61 Gb Total Space | 91.44 Gb Free Space | 90.88% Space Free | Partition Type: NTFS

Computer Name: SPASMOLYTIC | User Name: JanetByTheSea | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3216077674-4108253007-1749197675-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0577A2AA-DEA0-4D40-8372-4211102D43E4}" = TOSHIBA Mic Effect
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{1E63ACB5-D45E-4856-8FC9-78F4B0D7BB80}" = TOSHIBA Security Assist
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{24300A63-DD78-4AA5-A914-4D582C41D33A}" = TOSHIBA TouchPad On/Off Utility V2.5.1.0
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{3B8D9FA4-745C-47C9-962D-4ABE6ACE136B}" = TOSHIBA Mobile Extension3
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{400830CA-F056-4BBE-80A3-9DF9CA4FB889}" = TOSHIBA Direct Disc Writer
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B4E8814-F682-4197-8F4B-E9FFC6F08977}" = System Requirements Lab for Intel
"{56190F69-01D3-46CA-9861-43377C5E9B87}" = TOSHIBA Utilities
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility
"{6A240B5B-2AD5-4255-9945-73E891C2B8D1}" = ShadowProtect Desktop
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7862BAD8-A379-4128-8AA1-EFD5A9603C53}" = Wireless Hotkey
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{8850DEC8-22FD-4F05-A3AA-49B91200C24F}" = ShadowProtect Desktop
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ONENOTER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ONENOTER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ONENOTER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ONENOTER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ONENOTER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ONENOTER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91120000-00A1-0000-0000-0000000FF1CE}" = Microsoft Office OneNote 2007
"{91120000-00A1-0000-0000-0000000FF1CE}_ONENOTER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-00A1-0000-0000-0000000FF1CE}_ONENOTER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{94A90C69-71C1-470A-88F5-AA47ECC96B40}" = TOSHIBA HDD Protection
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9ACBDDE2-DD2D-4103-8ECE-D1A9F7F03D1A}" = TOSHIBA Power Saver
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Franšais, Deutsch
"{AC971CEE-1480-479D-81AF-1CB4D10467B0}" = TOSHIBA Tablet Access Code Logon Utility
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Disc Creator
"{BBF5493A-05FB-4449-90DE-84A61EB78154}" = TOSHIBA SD Memory Boot Utility
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0FC3B56-E345-40CD-A5CB-7EB791CE3E74}" = TOSHIBA Password Utility
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{DB780B85-B4B5-4864-A49C-9B706B169C93}" = TIPCI
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF9A74FD-6C54-4B04-8D27-001AEE5A6476}" = TOSHIBA Rotation Utility
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}" = TOSHIBA SD Memory Utilities
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F6C405D2-C50D-4D10-B89E-73A233A14D74}" = Toshiba Registration
"{FC4C645F-8EBC-4F1E-A517-D1505B43A374}" = TOSHIBA Wireless Key Logon
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 8 Professional - English, Franšais, Deutsch" = Adobe Acrobat 8.1.4 Professional
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"HDMI" = Intel® Graphics Media Accelerator Driver
"HECI" = Intel® Management Engine Interface
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"InstallShield_{56190F69-01D3-46CA-9861-43377C5E9B87}" = TOSHIBA Utilities
"InstallShield_{9ACBDDE2-DD2D-4103-8ECE-D1A9F7F03D1A}" = TOSHIBA Power Saver
"InstallShield_{C0FC3B56-E345-40CD-A5CB-7EB791CE3E74}" = TOSHIBA Password Utility
"InstallShield_{DB780B85-B4B5-4864-A49C-9B706B169C93}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"MESOL" = Intel® Active Management Technology Device Software
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"ONENOTER" = Microsoft Office OneNote 2007
"Picasa 3" = Picasa 3
"ProInst" = Intel® PROSet/Wireless Software
"PROSet" = Intel® PRO Network Connections Drivers
"Tablet Driver" = Wacom Tablet
"TDspBtn" = TOSHIBA Display Devices Change Utility
"TFNF5" = TOSHIBA Hotkey Utility for Display Devices
"TME" = Uninstall for TOSHIBA Mobile Extension3
"TOSHIBA Accelerometer Utilities" = TOSHIBA Accelerometer Utilities
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3216077674-4108253007-1749197675-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/5/2010 8:20:59 PM | Computer Name = SPASMOLYTIC | Source = Application Hang | ID = 1002
Description = Hanging application msseces.exe, version 1.0.2498.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/5/2010 8:23:55 PM | Computer Name = SPASMOLYTIC | Source = Application Hang | ID = 1002
Description = Hanging application msseces.exe, version 1.0.2498.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/5/2010 8:23:59 PM | Computer Name = SPASMOLYTIC | Source = Application Hang | ID = 1001
Description = Fault bucket 2054880633.

Error - 11/6/2010 3:15:41 AM | Computer Name = SPASMOLYTIC | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/6/2010 3:15:43 AM | Computer Name = SPASMOLYTIC | Source = Application Hang | ID = 1001
Description = Fault bucket 734562961.

Error - 11/11/2010 8:03:42 PM | Computer Name = SPASMOLYTIC | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 11/13/2010 2:05:21 PM | Computer Name = SPASMOLYTIC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 11/15/2010 2:03:40 PM | Computer Name = SPASMOLYTIC | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/15/2010 2:03:47 PM | Computer Name = SPASMOLYTIC | Source = Application Hang | ID = 1001
Description = Fault bucket 1116954496.

Error - 11/15/2010 5:13:24 PM | Computer Name = SPASMOLYTIC | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/6/2010 7:53:13 AM | Computer Name = SPASMOLYTIC | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 11/6/2010 7:53:13 AM | Computer Name = SPASMOLYTIC | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 11/6/2010 7:53:13 AM | Computer Name = SPASMOLYTIC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss sbmount Tcpip TMEI3E

Error - 11/6/2010 8:07:04 AM | Computer Name = SPASMOLYTIC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 11/6/2010 8:15:24 AM | Computer Name = SPASMOLYTIC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/6/2010 8:16:09 AM | Computer Name = SPASMOLYTIC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/6/2010 8:16:18 AM | Computer Name = SPASMOLYTIC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/6/2010 8:39:11 AM | Computer Name = SPASMOLYTIC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 11/6/2010 8:39:16 AM | Computer Name = SPASMOLYTIC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/6/2010 9:49:47 AM | Computer Name = SPASMOLYTIC | Source = PlugPlayManager | ID = 12
Description = The device 'Wacom Penabled Dual Touch' (ACPI\WACF009\4&374ccb25&0)
disappeared from the system without first being prepared for removal.


< End of report >

Attached Files



#4 leapbabe

leapbabe
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 17 November 2010 - 09:22 AM

Whoa - no idea how Ark.log was attached in the message and Attach.txt is attached at the end, but they're both there for your reading pleasure. Thank you!

#5 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:06:40 PM

Posted 18 November 2010 - 04:53 AM

Hello leapbabe,

Do you connect to the internet through a router?


Step 1.

We need to disable Spybot S&D's "TeaTimer"

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.
In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.

  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

Step 2.

You should never have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

In your case I notice that you have two antivirus programs installed. Lavasoft Ad-Watch Live! Anti-Virus and Microsoft Security Essentials .

I suggest you uninstall Lavasoft Ad-Watch Live! Anti-Virus via Add/Remove Programs. If you decide to keep Lavasoft Ad-Watch Live you will need to disable Lavasoft Ad-Watch
  • Click on the "Start" menu, select "All Programs," and then click "Ad-Adware" to launch the security program.
  • Click the "Switch to Advanced Mode" check-box and click on the "Settings" button. Then, select the "Ad-Watch" tab and uncheck all options under "Ad-Watch Live! Modules".
  • Click "OK" to save your changes. The Ad-Aware service is now disabled.

Step 3.

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :OTL
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [TFncKy] File not found
    O4 - HKU\S-1-5-19..\Run: [TabletWizard] C:\WINDOWS\help\wizard.hta File not found
    O4 - HKU\S-1-5-20..\Run: [TabletWizard] C:\WINDOWS\help\wizard.hta File not found
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.66.19 213.109.73.6 1.1.1.1
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled"=-
    
    @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEC0D766
    :commands
    [EmptyTemp]
    [RESETHOSTS]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.

Please flush the DNS:

  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:
ipconfig /flushdns

Close the command box.

Step 4.

Please go to Start | Control Panel | Network Connections
  • Open Network Connections
  • Right click your default connection.
  • Click on Properties
Under the General tab in the Local Area Connection Properties Window
  • Double Click Internet Protocol (TCP/IP)
  • Click the two radio buttons that say
    • Obtain an IP address automatically
    • Obtain DNS server address automatically
  • Click OK
  • Click OK

Step 5.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

In your next reply let me know about the router and please include the following:

OTLFix report
ComboFix.txt


How is your computer running?

Thanks!!
PW

#6 leapbabe

leapbabe
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 18 November 2010 - 04:58 PM

1) Disabled Spybot "Tea Timer" but left the other operating. I believe that's what you intended me to do, correct?

2) Uninstalled Ad-Aware/Lavasoft.

3) Attempted to run OTL fix and it froze my system; the program was unresponsive. I tried several times, not messing with it when I thought it was running. It wasn't ever running. Please advise.

3a) Flushed the DNS stuff

4) My TCP/IP settings - really not sure if you wanted me to make sure those 2 boxes were already checked, or to uncheck them. They were checked, so I left them alone. Please advise if you meant for them to be "unchecked."

5) Have downloaded ComboFix but will not run until you can advise me as to what to do regarding OTL. Not sure if these actions are meant to be performed in a certain order, so...

And yes, I use a wireless router.

#7 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:06:40 PM

Posted 18 November 2010 - 07:29 PM

Hi leapbabe,

Attempted to run OTL fix and it froze my system; the program was unresponsive.

Hmm.. Not sure about this. OTL ran earlier with no problems.

It's been a long day. :wacko:

Let's try trunning the OTLFix again with some changes to the fix.

Step 1.

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :OTL
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [TFncKy] File not found
    O4 - HKU\S-1-5-19..\Run: [TabletWizard] C:\WINDOWS\help\wizard.hta File not found
    O4 - HKU\S-1-5-20..\Run: [TabletWizard] C:\WINDOWS\help\wizard.hta File not found
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.66.19 213.109.73.6 1.1.1.1
    @Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BEC0D766
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled"=-
    
    :commands
    [EmptyTemp]
    [RESETHOSTS]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.

Step 2.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Step 3.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

In your next reply please include the following:

OTLFix report
MBAM log
ComboFix.txt


Thanks!!

Edited by pwgib, 18 November 2010 - 09:23 PM.
added instructions for OTL

PW

#8 leapbabe

leapbabe
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 19 November 2010 - 12:05 AM

Have pasted all logs below. MBAM came back clean. Have turned on Spybot and MSE again. Does this mean the computer is clean? I have NO IDEA what the various logs have to tell you, so looking forward to hearing back...


All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\TFncKy not found.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\TabletWizard not found.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\TabletWizard not found.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
ADS C:\Documents and Settings\All Users\Application Data\TEMP:BEC0D766 deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 2073835 bytes
->Temporary Internet Files folder emptied: 1239747 bytes
->Java cache emptied: 1471334 bytes
->FireFox cache emptied: 76151138 bytes
->Google Chrome cache emptied: 479549605 bytes
->Flash cache emptied: 13031 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33041 bytes

User: NetworkService
->Temp folder emptied: 238706 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: temp
->Temp folder emptied: 660532 bytes
->Temporary Internet Files folder emptied: 163066 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 165974 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 7363381 bytes

Total Files Cleaned = 543.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.17.3 log created on 11182010_230541

Files\Folders moved on Reboot...
C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun.log moved successfully.

Registry entries deleted on Reboot...


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/18/2010 11:22:40 PM
mbam-log-2010-11-18 (23-22-40).txt

Scan type: Quick scan
Objects scanned: 124469
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 10-11-18.01 - JanetByTheSea 11/18/2010 23:50:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.2348 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 04:13 . 2010-11-19 04:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-19 04:13 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 04:13 . 2010-11-19 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-19 04:13 . 2010-11-19 04:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-19 04:13 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 21:15 . 2010-11-18 21:15 -------- d-----w- C:\_OTL
2010-11-18 09:30 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{94FA5816-F8F1-4D0B-BE6D-AC1988B7A325}\mpengine.dll
2010-11-13 18:20 . 2010-11-13 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-11-13 18:20 . 2010-11-13 18:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 18:15 . 2010-11-13 18:15 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-13 18:05 . 2010-11-13 18:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sunbelt Software
2010-11-13 18:03 . 2010-11-18 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-11-13 18:03 . 2010-11-13 18:03 -------- d-----w- c:\program files\Lavasoft
2010-11-08 07:34 . 2010-11-08 07:34 -------- d-----w- c:\program files\SystemRequirementsLab
2010-11-08 07:33 . 2010-11-08 07:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2010-11-08 07:28 . 2010-11-08 07:28 -------- d-----w- c:\windows\Sun
2010-11-08 07:27 . 2010-11-08 07:27 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-05 04:42 . 2010-11-05 04:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-10-29 04:25 . 2010-10-29 04:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-10-25 07:20 . 2010-10-25 07:20 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-10 04:33 . 2010-10-14 05:17 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-08 07:27 . 2007-11-24 04:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-19 20:51 . 2010-10-13 04:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-27 20:57 . 2010-09-27 20:57 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-23 20:52 . 2010-09-23 20:52 922112 ------w- c:\windows\system32\imapi2fs.dll
2010-09-23 20:52 . 2010-09-23 20:52 426496 ------w- c:\windows\system32\imapi2.dll
2010-09-18 19:23 . 2007-11-24 01:41 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2007-11-24 01:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2007-11-24 01:41 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2007-11-24 01:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2007-11-24 01:42 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2007-11-24 01:41 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2007-11-24 01:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2007-11-24 01:40 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2007-11-24 01:41 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51 . 2007-11-24 01:40 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2007-11-24 01:42 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2007-11-24 01:41 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2007-11-24 01:41 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2007-11-24 01:41 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-10-13 18:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2007-11-24 01:40 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-13 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-10-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-10-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-10-15 137752]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"WTouchUser"="c:\windows\system32\WTouchUser.exe" [2007-09-27 107816]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"CrossMenu"="c:\program files\TOSHIBA\CrossMenu\CrossMenu.exe" [2007-10-12 806912]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2007-08-23 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"NDSTray.exe"="NDSTray.exe" [BU]
"TAcelMgr"="c:\program files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe" [2004-12-16 90112]
"TSkrMain"="c:\program files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe" [2004-07-01 49152]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"TPSODDCtl"="TPSODDCtl.exe" [2007-11-01 126976]
"TPSMain"="TPSMain.exe" [2007-10-16 315392]
"TRot.exe"="c:\program files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2006-07-21 327680]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 11:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TSigNP]
2007-11-14 05:17 65536 ----a-w- c:\windows\system32\TSigNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [6/6/2008 12:16 AM 127520]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [6/6/2008 12:16 AM 86560]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [11/23/2007 11:34 PM 5888]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\ShadowProtect\ShadowProtectSvc.exe [6/6/2008 12:16 AM 1239584]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [11/23/2007 11:34 PM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]
R2 TTPDSrv;TOSHIBA Touch Pad Service;c:\windows\system32\TTPDSRV.exe [11/23/2007 11:09 PM 73728]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [6/5/2008 11:52 PM 1464856]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [6/6/2008 12:16 AM 69664]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [6/5/2008 11:54 PM 95528]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/24/2007 1:11 PM 36608]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [11/23/2007 11:45 PM 8832]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [11/23/2007 11:33 PM 435072]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2/22/2007 4:55 PM 11312]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [6/5/2008 11:54 PM 30248]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
.
Contents of the 'Scheduled Tasks' folder

2010-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3216077674-4108253007-1749197675-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-13 07:15]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3216077674-4108253007-1749197675-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-13 07:15]

2010-11-18 c:\windows\Tasks\Microsoft Security Essentials.job
- c:\progra~1\MICROS~4\msseces.exe [2010-09-15 11:34]

2010-11-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-11-13 20:31]

2010-11-19 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2010-11-13 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\abz6rrw1.default\
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 23:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\windows\system32\TSigNP.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(1312)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2010-11-18 23:52:59
ComboFix-quarantined-files.txt 2010-11-19 04:52

Pre-Run: 332,983,717,888 bytes free
Post-Run: 332,943,478,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3E8D06392AE4EFAC91A9C4742E4D0DB4

#9 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:06:40 PM

Posted 19 November 2010 - 01:26 PM

Hello leapbabe

Step 1.

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt UsersPlease follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Step 2.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *thpsrv
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Step 3.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
<<Note: If ESET finds nothing there will be no log produced

In your next reply please include the following:

SystemLook results
ESET scan results

How is your computer running? any redirections/popups?



Thanks!!
PW

#10 leapbabe

leapbabe
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 19 November 2010 - 04:24 PM

ESET online scan found no threats. The SystemLook log is pasted below. The computer seems to be running fine since installing and running Spybot, NoScript (though this add-on is annoying as all hell), and Ad Blocker Plus. Anything else you think I should add, change, remove, etc?

SystemLook 04.09.10 by jpshortstuff
Log created at 14:29 on 19/11/2010 by JanetByTheSea
Administrator - Elevation successful

========== filefind ==========

Searching for "*thpsrv"
No files found.

-= EOF =-

#11 leapbabe

leapbabe
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 19 November 2010 - 04:28 PM

Also, is it fine for me to remove/uninstall all the various programs used to scan my system (ComboFix, OTL, etc) now? As for Malwarebyte's Anti-Malware, is this something I should keep and run from time to time? Any thoughts or suggestions you may have regarding protecting my computer in the future is appreciated! Btw - Java is installed and updated.

#12 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:06:40 PM

Posted 20 November 2010 - 06:53 AM

Hello leapbabe,

We are almost done but not quite there yet.

Step 1.

I made a mistake on the SystemLook script. Let's try again.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind 
    thpsrv*
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please post SystemLook.txt

Step 2.

You may still have DDS on your desktop but if you don't then
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

In your next reply please include the following:

SystemLook.txt
DDS.txt<---------Post
Attach.txt<------attach

Note that I will be traveling 11-20 but will attempt to reply this evening. :thumbup2:


Thanks!!
PW

#13 leapbabe

leapbabe
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 20 November 2010 - 11:02 AM

Thank you for all your hard work!!!



SystemLook 04.09.10 by jpshortstuff
Log created at 10:49 on 20/11/2010 by JanetByTheSea
Administrator - Elevation successful

========== filefind ==========

Searching for "thpsrv*"
C:\Program Files\Toshiba\HDD Protection\ThpSrv.exe --a---- 531072 bytes [23:11 07/09/2007] [23:11 07/09/2007] 204EB6F82E3AAE0A50A7F136D716DDA3
C:\WINDOWS\system32\ThpSrv.exe --a---- 531072 bytes [23:11 07/09/2007] [23:11 07/09/2007] 204EB6F82E3AAE0A50A7F136D716DDA3

-= EOF =-


DDS (Ver_10-11-09.01) - NTFSx86
Run by JanetByTheSea at 10:53:02.15 on Sat 11/20/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.1780 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\WacomTouchService.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\ShadowProtect\ShadowProtectSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\WINDOWS\system32\WTouchUser.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\CrossMenu\CrossMenu.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\System32\TTPDSRV.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\vsnapvss.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Toshiba\IVP\ISM\ivpsvmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [SpybotDeletingB1271] command.com /c del "c:\windows\SchedLgU.Txt"
uRunOnce: [SpybotDeletingD3858] cmd.exe /c del "c:\windows\SchedLgU.Txt"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [WTouchUser] c:\windows\system32\WTouchUser.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TRot.exe] c:\program files\toshiba\toshiba rotation utility\TRot.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [SpybotDeletingA5528] command.com /c del "c:\windows\SchedLgU.Txt"
mRunOnce: [SpybotDeletingC618] cmd.exe /c del "c:\windows\SchedLgU.Txt"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286952886150
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: TosBtNP - TosBtNP.dll
Notify: tpgwlnotify - tpgwlnot.dll
Notify: TSigNP - TSigNP.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\abz6rrw1.default\
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [2008-6-6 127520]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-4-27 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [2008-6-6 86560]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-11-23 5888]
R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\shadowprotect\ShadowProtectSvc.exe [2008-6-6 1239584]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-11-23 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 TTPDSrv;TOSHIBA Touch Pad Service;c:\windows\system32\TTPDSRV.exe [2007-11-23 73728]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-6-5 1464856]
R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [2008-6-6 69664]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [2008-6-5 95528]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-11-24 36608]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2007-11-23 8832]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-11-23 435072]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2007-2-22 11312]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-6-5 30248]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

=============== Created Last 30 ================

2010-11-20 07:33:55 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{0c81a30c-ea9c-411a-9b7d-f20e584e704e}\mpengine.dll
2010-11-19 19:36:26 -------- d-----w- c:\program files\ESET
2010-11-19 19:22:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-19 04:49:26 -------- d-sha-r- C:\cmdcons
2010-11-19 04:47:41 98816 ----a-w- c:\windows\sed.exe
2010-11-19 04:47:41 89088 ----a-w- c:\windows\MBR.exe
2010-11-19 04:47:41 256512 ----a-w- c:\windows\PEV.exe
2010-11-19 04:47:41 161792 ----a-w- c:\windows\SWREG.exe
2010-11-19 04:13:53 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-11-19 04:13:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 04:13:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-19 04:13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 04:13:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-18 21:15:06 -------- d-----w- C:\_OTL
2010-11-13 18:20:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 18:20:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-11-13 18:15:10 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-13 18:05:28 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Sunbelt Software
2010-11-13 18:03:34 -------- d-----w- c:\program files\Lavasoft
2010-11-08 07:34:26 -------- d-----w- c:\program files\SystemRequirementsLab
2010-11-08 07:27:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-08 07:27:42 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-27 20:57:44 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-23 20:52:32 922112 ------w- c:\windows\system32\imapi2fs.dll
2010-09-23 20:52:32 426496 ------w- c:\windows\system32\imapi2.dll
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57:57 389120 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

============= FINISH: 10:54:05.50 ===============

Attached Files



#14 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:06:40 PM

Posted 21 November 2010 - 09:09 AM

Hello leapbabe,

Please reenable your Microsoft security Essentials. If you would rather use a different antivirus another free antivirus solution is Avira Antivir.

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

You now appear to be all clean. :thumbsup:

We need to do a little house cleaning.

Step 1.

Uninstall ComboFix

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall Note the space between the X and the /U.

Please advise if this step is missed for any reason as it performs some important functions.

Step 2.

Please open OTL
  • Double click on the Posted Image icon on your desktop.
  • Click the "Cleanup" checkbox.
  • You will be asked, "Begin Cleanup Process"
  • Select Yes
  • You will be prompted to restart your computer.
You can now uninstall any other programs we may have used and delete any logs that may have been generated.

Step 3.

Here are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of them, however, by following the rest of them you will reduce the risk of becoming re-infected.

It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. You can find microsoft updates here

I recommend that you visit the link above and either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

Make sure you use a firewall. A tutorial on understanding and using firewalls may be found here. For most users the built in Windows Firewall is sufficient. Only use one firewall at a time though.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non commercial home use but provide
a resident and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

Any questions?

Thanks!!

Edited by pwgib, 21 November 2010 - 10:19 AM.

PW

#15 leapbabe

leapbabe
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 21 November 2010 - 05:33 PM

Excellent! One last, very quick question - Is there a difference between, say anti-virus software and anti-spyware? For instance, you and others mention not to run more than one anti-virus program on my computer, and I understand the reason for this, yet I have difficulty seeing the difference between programs that do seem ok to use on the same computer. (Example: Spybot, MBAM, MSE...)

Also, I re-enabled the CD emmulation thingy that was disabled at the very beginning...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users