Redirect Virus


  • This topic is locked
35 replies to this topic

#1 firemantcook


  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:58 AM

Posted 14 April 2012 - 09:35 AM

I'm having a problem with a redirect virus. The computer is now running very slow. I tried to restore to an earlier time and when I rebooted, files were either hidden or totally gone. All pics and documents were gone. I also get a message when I shut the computer down that I have a program running in the background and I have to force it to close the program. I have attached and pasted the required logs. Thanks!!!



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Tim at 23:15:55 on 2012-04-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6051.3805 [GMT -4:00]
.
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\lxdqcoms.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\ccSvcHst.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\ThpSrv.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\widimon\widimon.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\windows\system32\wuauclt.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\REGSVR32.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.avg.com/?cid={D42C3A4A-1D54-4276-B873-2FCEA486A7E7}&mid=47c379b2af4447d0a69d0d47e7d1ea65-b9377e4dc04199518ea0b6cec4ba9d53bcebe4e2&lang=en&ds=ft011&pr=sa&d=2012-03-28 21:25:41&v=10.2.0.3&sap=hp
uDefault_Page_URL = hxxp://start.toshiba.com/?cid=C001B2Y
uInternet Settings,ProxyOverride = <local>;*.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\IPS\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRunOnce: [FlashPlayerUpdate] C:\windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex
mRun: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [<NO NAME>]
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
dRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /AutoStart
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\OFFICE11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxp://cabinetliquidators.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
TCP: Interfaces\{7CEE4588-8775-4CF5-BE6A-B58DD40CD0B6} : DhcpNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
TCP: Interfaces\{7CEE4588-8775-4CF5-BE6A-B58DD40CD0B6}\46C696E6B6 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{7CEE4588-8775-4CF5-BE6A-B58DD40CD0B6}\C696E6B6379737 : DhcpNameServer = 192.168.1.250 205.152.150.23 205.152.144.23
TCP: Interfaces\{7CEE4588-8775-4CF5-BE6A-B58DD40CD0B6}\E4356444028415 : DhcpNameServer = 192.168.1.250
TCP: Interfaces\{7CEE4588-8775-4CF5-BE6A-B58DD40CD0B6}\E43564440313 : DhcpNameServer = 192.168.1.250
TCP: Interfaces\{D63EC439-344B-40F6-87FF-2FA19E21F1C2} : DhcpNameServer = 100.100.0.102
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\coIEPlg.dll
BHO-X64: Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\coIEPlg.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
mRun-x64: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun-x64: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [(Default)]
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NISx64\1305000.091\SYMDS64.SYS --> C:\windows\system32\drivers\NISx64\1305000.091\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NISx64\1305000.091\SYMEFA64.SYS --> C:\windows\system32\drivers\NISx64\1305000.091\SYMEFA64.SYS [?]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20120207.003\BHDrvx64.sys [2012-2-9 1157240]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\windows\system32\drivers\NISx64\1305000.091\ccSetx64.sys --> C:\windows\system32\drivers\NISx64\1305000.091\ccSetx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120209.002\IDSviA64.sys [2012-2-10 488568]
R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NISx64\1305000.091\Ironx64.SYS --> C:\windows\system32\drivers\NISx64\1305000.091\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NISx64\1305000.091\SYMNETS.SYS --> C:\windows\system32\Drivers\NISx64\1305000.091\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 lxdq_device;lxdq_device;C:\windows\system32\lxdqcoms.exe -service --> C:\windows\system32\lxdqcoms.exe -service [?]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\ccsvchst.exe [2012-2-1 138248]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2011-5-24 294848]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-11-10 2656280]
R3 CeKbFilter;CeKbFilter;C:\windows\system32\DRIVERS\CeKbFilter.sys --> C:\windows\system32\DRIVERS\CeKbFilter.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-2-3 138360]
R3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
R3 iwdbus;IWD Bus Enumerator;C:\windows\system32\DRIVERS\iwdbus.sys --> C:\windows\system32\DRIVERS\iwdbus.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETwNs64.sys --> C:\windows\system32\DRIVERS\NETwNs64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\system32\DRIVERS\nusb3hub.sys --> C:\windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\system32\DRIVERS\nusb3xhc.sys --> C:\windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-11-10 57216]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-6-10 138152]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2011-7-1 828856]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\windows\system32\DRIVERS\WSDPrint.sys --> C:\windows\system32\DRIVERS\WSDPrint.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-10 136176]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-27 652360]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-1-12 1038088]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-10 136176]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\windows\system32\drivers\intelaud.sys --> C:\windows\system32\drivers\intelaud.sys [?]
S3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-6-1 340240]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-13 09:54:14 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1ADBEEA0-4C30-46BD-8363-843856F6F015}\offreg.dll
2012-04-13 09:53:25 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1ADBEEA0-4C30-46BD-8363-843856F6F015}\mpengine.dll
2012-04-01 18:44:03 52568 ----a-r- C:\windows\System32\AdobePDF.dll
2012-04-01 18:44:03 24416 ----a-r- C:\windows\System32\AdobePDFUI.dll
2012-04-01 02:49:45 -------- d-----w- C:\Users\Tim\AppData\Local\Help
2012-04-01 02:49:14 9216 ----a-w- C:\windows\SysWow64\ftlx0411.dll
2012-04-01 02:49:14 9216 ----a-w- C:\windows\System32\ftlx0411.dll
2012-04-01 02:49:14 296960 ----a-w- C:\windows\winhlp32.exe
2012-04-01 02:49:14 195072 ----a-w- C:\windows\SysWow64\ftsrch.dll
2012-04-01 02:49:14 195072 ----a-w- C:\windows\System32\ftsrch.dll
2012-04-01 02:49:14 10240 ----a-w- C:\windows\SysWow64\ftlx041e.dll
2012-04-01 02:49:14 10240 ----a-w- C:\windows\System32\ftlx041e.dll
2012-03-29 01:28:36 -------- d-----w- C:\ProgramData\IObit
2012-03-29 01:28:27 -------- d-----w- C:\Users\Tim\AppData\Roaming\IObit
2012-03-29 01:28:22 -------- d-----w- C:\Program Files (x86)\IObit
2012-03-29 01:25:29 -------- d--h--w- C:\ProgramData\Common Files
2012-03-29 00:26:09 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2012-03-27 20:40:22 -------- d-----w- C:\Users\Tim\AppData\Roaming\Malwarebytes
2012-03-27 20:40:09 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-27 20:40:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-22 02:49:59 -------- d-----w- C:\Program Files\iTunes
2012-03-22 02:49:59 -------- d-----w- C:\Program Files\iPod
2012-03-22 02:49:59 -------- d-----w- C:\Program Files (x86)\iTunes
2012-03-21 08:21:27 -------- d-----w- C:\ComboFix
.
==================== Find3M ====================
.
2012-02-23 14:18:36 279656 ------w- C:\windows\System32\MpSigStub.exe
2012-02-13 04:54:55 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-01 04:04:24 175736 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
.
============= FINISH: 23:24:06.03 ===============
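The "Pseudo HJT Report" section of the DDS log above is where a redirect complaint is normally triaged first. What follows is an added example for this thread, not code from the thread and not part of DDS: a small Python triage pass over those lines that flags a start or search page pointing away from a known default, nameless or empty autorun entries, autoruns launched from user-writable folders, and add-on registrations whose file is missing, and that lists the DHCP-assigned resolvers so they can be compared with the ISP's published servers. The allowlist, the heuristics, and the sample lines (mostly copied from the log in this thread, abbreviated, plus one constructed `[Updater]` autorun to exercise the user-writable rule) are assumptions made for the example.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for the usual
redirect-related footprints.  Added example for this thread; it is not part
of DDS and not code posted in the thread.  Every allowlist and heuristic
below is an assumption made for the example."""
import ipaddress
import re
from urllib.parse import urlparse

# Start/search pages expected on this OEM build: the Toshiba portal seen in
# the log plus common vendor defaults (assumption; adjust per machine).
EXPECTED_START_HOSTS = {"start.toshiba.com", "www.msn.com", "www.google.com", "www.bing.com"}
EMPTY_NAMES = {"<NO NAME>", "(Default)"}
CGNAT = ipaddress.ip_network("100.64.0.0/10")

URL_RE = re.compile(r"^(?P<key>[um](?:Start Page|Default_Page_URL|Search Page|Search Bar|Local Page))\s*=\s*(?P<value>.*)$")
RUN_RE = re.compile(r"^(?P<key>[umd]Run(?:Once)?(?:-x64)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^(?:BHO|TB)(?:-X64)?:\s*(?P<rest>.*)$")
DNS_RE = re.compile(r"^TCP:\s*(?:(?P<scope>Interfaces\\\S+)\s*:\s*)?DhcpNameServer\s*=\s*(?P<servers>.*)$")
# Autoruns launched from user-writable folders deserve a second look (heuristic).
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData\\Roaming|AppData\\Local\\Temp)\\", re.I)


def classify_resolver(server):
    """Bucket a DHCP-assigned DNS server so public ones can be checked against the ISP."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "unparsed"
    if addr in CGNAT:
        return "carrier-grade NAT range"
    if addr.is_private:
        return "private (LAN router)"
    return "public"


def triage(lines):
    """Return a list of (severity, log line, reason) for lines worth a look."""
    findings = []
    resolvers = {}  # scope -> list of servers
    for raw in lines:
        line = raw.strip()
        m = URL_RE.match(line)
        if m:
            url = m.group("value").replace("hxxp", "http", 1)  # DDS defangs URLs
            host = urlparse(url).hostname or ""
            if host not in EXPECTED_START_HOSTS:
                findings.append(("review", line, f"{m.group('key')} points at {host}, not a known default; "
                                 "a changed start or search page is the usual footprint of a browser hijack"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").strip()
            if name in EMPTY_NAMES or not cmd:
                findings.append(("review", line, "autorun entry with no name or no command; "
                                 "such values can remain after a removal, but unexplained ones should be checked"))
            elif USER_WRITABLE_RE.search(cmd):
                findings.append(("review", line, "autorun launches from a user-writable folder"))
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("rest").endswith("- No File"):
                findings.append(("low", line, "browser add-on registration whose file is missing; orphaned entry"))
            continue
        m = DNS_RE.match(line)
        if m:
            resolvers[m.group("scope") or "global"] = m.group("servers").split()
    for scope, servers in resolvers.items():
        public = [s for s in servers if classify_resolver(s) == "public"]
        if public:
            findings.append(("verify", f"DhcpNameServer ({scope})", "public resolvers " + ", ".join(public)
                             + " should match the ISP's published DNS servers; a rogue resolver "
                             "produces redirects that no browser cleanup will fix"))
    return findings


# Constructed sample: most lines are copied (abbreviated) from the DDS log in this
# thread; the [Updater] autorun is invented to exercise the user-writable rule.
SAMPLE_LINES = r"""
uStart Page = hxxp://isearch.avg.com/?cid={D42C3A4A-1D54-4276-B873-2FCEA486A7E7}&lang=en&ds=ft011&pr=sa&d=2012-03-28 21:25:41&v=10.2.0.3&sap=hp
uDefault_Page_URL = hxxp://start.toshiba.com/?cid=C001B2Y
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [<NO NAME>]
mRun-x64: [(Default)]
uRun: [Updater] C:\Users\Tim\AppData\Roaming\updater.exe
TCP: DhcpNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
TCP: Interfaces\{7CEE4588-8775-4CF5-BE6A-B58DD40CD0B6}\46C696E6B6 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D63EC439-344B-40F6-87FF-2FA19E21F1C2} : DhcpNameServer = 100.100.0.102
""".strip().splitlines()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LINES
    for severity, line, reason in triage(lines):
        print(f"[{severity}] {line}\n        {reason}")
```

Run it with the path of a saved DDS log as its only argument; without one it runs over the embedded sample. A "review" finding is a prompt to look, not a verdict: the AVG search page, for instance, ships with a legitimate toolbar and is flagged only because it is not this machine's default, while the empty `mRun` entries are exactly the kind of leftover ComboFix later reports as "empty entries".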


#2 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:58 AM

Posted 14 April 2012 - 01:02 PM

Hi,

Please run the following:


Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.


NEXT


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
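The Unhide.exe step above reverses what the original poster described: user documents and pictures that were made invisible by having the Hidden attribute set. The following is an added example, not Unhide.exe's own code and not part of this thread, of that operation in Python with a dry run by default and a log of the previous attribute bits so anything the user had hidden on purpose can be put back. Which items Unhide.exe itself skips is not documented in the thread; leaving files that also carry the SYSTEM attribute alone (desktop.ini and similar OS metadata) is an assumption of this example, and the decision step is kept separate from the Win32 call so it can be tested off Windows.

```python
"""Clear the Hidden attribute from files under a user profile, the operation
the Unhide.exe step above performs.  Added example, not Unhide.exe's own code.
The SYSTEM exclusion is an assumption of this example; the plan/apply split
lets the decision logic run and be tested on any platform."""
import os
import stat
import sys
from pathlib import Path

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN    # 0x2
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM    # 0x4
ARCHIVE = stat.FILE_ATTRIBUTE_ARCHIVE  # 0x20


def plan_unhide(entries):
    """entries: iterable of (path, attribute bits) as os.stat reports them.
    Returns (path, old_bits, new_bits) for every item that should change:
    hidden, but not also SYSTEM (desktop.ini and similar OS metadata)."""
    return [(path, attrs, attrs & ~HIDDEN)
            for path, attrs in entries
            if attrs & HIDDEN and not attrs & SYSTEM]


def scan(root):
    """Windows only: yield (path, attribute bits) for everything under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath, name)
            try:
                yield str(p), os.stat(p, follow_symlinks=False).st_file_attributes
            except OSError:
                continue  # unreadable or vanished entry; skip rather than abort


def apply(changes, log_path, dry_run=True):
    """Rewrite attributes with SetFileAttributesW and record the previous bits
    in log_path (old, new, path per line) so anything the user had hidden on
    purpose, as the post's note warns, can be restored afterwards."""
    import ctypes  # Windows only, so imported lazily
    changed = 0
    with open(log_path, "a", encoding="utf-8") as log:
        for path, old, new in changes:
            log.write(f"{old}\t{new}\t{path}\n")
            if dry_run:
                continue
            if ctypes.windll.kernel32.SetFileAttributesW(path, new):
                changed += 1
    return changed


# Constructed sample attribute sets: a hidden document (the symptom reported in
# this thread), an OS metadata file that must stay hidden, and a normal photo.
SAMPLE_ENTRIES = [
    (r"C:\Users\Tim\Documents\taxes.docx", HIDDEN | ARCHIVE),
    (r"C:\Users\Tim\Desktop\desktop.ini", HIDDEN | SYSTEM),
    (r"C:\Users\Tim\Pictures\cat.jpg", ARCHIVE),
]

if __name__ == "__main__":
    if sys.platform != "win32":
        for path, old, new in plan_unhide(SAMPLE_ENTRIES):
            print(f"would clear hidden: {path} ({old:#x} -> {new:#x})")
    else:
        root = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(r"%USERPROFILE%")
        live = "--apply" in sys.argv
        changes = plan_unhide(scan(root))
        n = apply(changes, "unhide-log.tsv", dry_run=not live)
        print(f"{len(changes)} hidden items found, {n} changed (add --apply to change them)")
```

On Windows, run it with a profile path to get the dry-run log first and only then re-run with `--apply`; the log is what lets a deliberately hidden folder be re-hidden afterwards, which is the caveat the post itself raises.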


#3 firemantcook

  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:58 AM

Posted 14 April 2012 - 08:09 PM

Unhide.exe worked, but when I went to System Recovery and chose Repair your computer, it locked up on a screen that said Loading files. It stayed there for an hour and did nothing. It never made it to the Recovery Options menu.

#4 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:58 AM

Posted 14 April 2012 - 08:10 PM

OK

Then please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 firemantcook

  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:06:58 AM

Posted 14 April 2012 - 09:36 PM

ComboFix 12-04-14.03 - Tim 04/14/2012 21:34:56.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6051.4312 [GMT -4:00]
Running from: c:\users\Tim\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~OqBOsYSxNoG2Br
c:\programdata\~OqBOsYSxNoG2Brr
c:\programdata\OqBOsYSxNoG2Br
c:\programdata\Roaming
c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\Tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2012-03-15 to 2012-04-15 )))))))))))))))))))))))))))))))
.
.
2012-04-15 02:05 . 2012-04-15 02:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-14 14:08 . 2012-04-14 14:08 8741536 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-14 13:56 . 2012-04-14 14:09 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-14 13:56 . 2012-04-14 13:56 -------- d-----w- c:\windows\system32\Macromed
2012-04-13 09:53 . 2012-03-20 07:51 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1ADBEEA0-4C30-46BD-8363-843856F6F015}\mpengine.dll
2012-04-01 18:44 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2012-04-01 18:44 . 2009-08-20 03:50 52568 ----a-r- c:\windows\system32\AdobePDF.dll
2012-04-01 02:49 . 2012-04-01 02:50 -------- d-----w- c:\users\Tim\AppData\Local\Help
2012-04-01 02:49 . 2009-08-04 17:56 296960 ----a-w- c:\windows\winhlp32.exe
2012-04-01 02:49 . 2009-08-04 17:55 195072 ----a-w- c:\windows\SysWow64\ftsrch.dll
2012-04-01 02:49 . 2009-08-04 17:55 195072 ----a-w- c:\windows\system32\ftsrch.dll
2012-04-01 02:49 . 2009-08-04 17:55 9216 ----a-w- c:\windows\SysWow64\ftlx0411.dll
2012-04-01 02:49 . 2009-08-04 17:55 9216 ----a-w- c:\windows\system32\ftlx0411.dll
2012-04-01 02:49 . 2009-08-04 17:55 10240 ----a-w- c:\windows\SysWow64\ftlx041e.dll
2012-04-01 02:49 . 2009-08-04 17:55 10240 ----a-w- c:\windows\system32\ftlx041e.dll
2012-03-29 01:28 . 2012-03-29 01:28 -------- d-----w- c:\programdata\IObit
2012-03-29 01:28 . 2012-03-29 01:40 -------- d-----w- c:\users\Tim\AppData\Roaming\IObit
2012-03-29 01:28 . 2012-03-29 01:28 -------- d-----w- c:\program files (x86)\IObit
2012-03-29 01:25 . 2012-03-29 01:25 -------- d-----w- c:\programdata\Common Files
2012-03-29 00:26 . 2012-03-29 00:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-27 20:40 . 2012-03-27 20:40 -------- d-----w- c:\users\Tim\AppData\Roaming\Malwarebytes
2012-03-27 20:40 . 2012-03-27 20:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-27 20:40 . 2012-03-27 20:40 -------- d-----w- c:\programdata\Malwarebytes
2012-03-22 02:49 . 2012-03-22 02:50 -------- d-----w- c:\program files\iTunes
2012-03-22 02:49 . 2012-03-22 02:50 -------- d-----w- c:\program files (x86)\iTunes
2012-03-22 02:49 . 2012-03-22 02:49 -------- d-----w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 14:09 . 2011-07-27 07:11 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 14:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-01 04:04 . 2011-11-11 00:15 175736 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SVPWUTIL"="c:\program files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe" [2010-11-09 532480]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2011-03-10 423936]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-31 460872]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2011-2-25 15776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-11 136176]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-31 652360]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 253088]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-01-13 1038088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-11 136176]
R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-06-01 340240]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1305000.091\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1305000.091\SYMEFA64.SYS [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20120207.003\BHDrvx64.sys [2011-12-24 1157240]
S1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1305000.091\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120209.002\IDSvia64.sys [2011-12-15 488568]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1305000.091\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1305000.091\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\19.5.0.145\ccSvcHst.exe [2011-11-30 138248]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2011-05-24 294848]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-04 138360]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2011-07-01 828856]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 14:09]
.
2012-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-11 00:15]
.
2012-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-11 00:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-07-02 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-07-02 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-07-02 416024]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-26 11775592]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
"IntelPAN"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-06-01 1935120]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://msn.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>;*.local
IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.250
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxp://cabinetliquidators.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-TSleepSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
Wow6432Node-HKU-Default-Run-Advanced SystemCare 5 - c:\program files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe
Toolbar-Locked - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TOSHIBA Face Recognition - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\19.5.0.145\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\19.5.0.145\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-04-14 22:30:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-15 02:30
.
Pre-Run: 566,589,513,728 bytes free
Post-Run: 566,751,399,936 bytes free
.
- - End Of File - - 7BAB8A4404B55D95D6116D4803033926
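
As an added triage example (not ComboFix's code and not part of this thread), the Python below parses the line shapes in the log above, services and drivers with their `[x]` missing-file marker, Run values, the DhcpNameServer line and DPF entries, and lists what a responder would confirm first. The sample lines are constructed in the same format; `example.invalid`, the `updater` entry and the public 8.8.8.8 resolver are placeholders chosen only to make the checks fire.

```python
"""Triage hints for ComboFix-style log lines (added example, not ComboFix's code)."""
import ipaddress
import re
from dataclasses import dataclass

# Line shapes as they appear in the ComboFix log above:
#   R2 Name;Display Name;c:\path\file.exe [2012-01-31 652360]   service/driver
#   S0 Name;Display Name;c:\path\file.sys [x]                   file not found
#   "Name"="c:\path\file.exe" [2010-11-21 1475584]              Run key value
#   TCP: DhcpNameServer = 192.168.1.250                         DHCP-assigned resolver
#   DPF: {CLSID} - hxxp://host/path/file.cab                    ActiveX download entry
STAMP = r'(x|X|\d{4}-\d{2}-\d{2} \d+)'
SERVICE_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[' + STAMP + r'\]\s*$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[' + STAMP + r'\]\s*$')
DNS_RE = re.compile(r'^TCP:\s*DhcpNameServer\s*=\s*(.+?)\s*$')
DPF_RE = re.compile(r'^DPF:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(\S+)')

# Directories an ordinary user can write to; an autostart pointing here is
# not proof of anything, but it is where a responder looks first.
USER_WRITABLE = ('\\programdata\\', '\\appdata\\', '\\users\\', '\\temp\\')


@dataclass(frozen=True)
class Finding:
    kind: str    # 'missing-file', 'user-writable', 'public-dns' or 'dpf'
    name: str    # service/driver/value name, CLSID, or the setting name
    detail: str  # path, resolver address or URL


def _autostart_findings(name, path, stamp):
    """Hints for one service/driver line or one Run value."""
    found = []
    if stamp.lower() == 'x':
        # ComboFix prints [x] when the referenced file does not exist.
        found.append(Finding('missing-file', name, path))
    if any(seg in path.lower() for seg in USER_WRITABLE):
        found.append(Finding('user-writable', name, path))
    return found


def triage(lines):
    """Return review hints for an iterable of ComboFix log lines."""
    found = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line) or RUN_RE.match(line)
        if m:
            found += _autostart_findings(*m.groups())
            continue
        m = DNS_RE.match(line)
        if m:
            # A home PC normally gets a LAN resolver from DHCP. One outside
            # private space is a classic DNS-hijack sign and a common cause
            # of the "every search engine redirects" symptom.
            for token in m.group(1).split():
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    found.append(Finding('public-dns', 'DhcpNameServer', token))
                    continue
                if not (addr.is_private or addr.is_loopback):
                    found.append(Finding('public-dns', 'DhcpNameServer', token))
            continue
        m = DPF_RE.match(line)
        if m:
            # Every ActiveX download entry is worth confirming by its origin.
            found.append(Finding('dpf', m.group(1), m.group(2)))
    return found


# Constructed sample in the same shape as the log above (hypothetical entries;
# example.invalid and the public 8.8.8.8 resolver only make the checks fire).
SAMPLE_LOG = r"""
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-31 652360]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\Definitions\BHDrvx64.sys [2011-12-24 1157240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"updater"="c:\users\tim\appdata\roaming\updater.exe" [2012-04-10 51200]
TCP: DhcpNameServer = 8.8.8.8
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxp://example.invalid/planner/Player.cab
""".strip().splitlines()

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:14}{f.name:14}{f.detail}')
```

The hints are starting points for review, not verdicts: the Norton definition driver under c:\programdata in the real log above is a known benign example of a user-writable autostart.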

#6 CatByte (bleepin' tiger, Malware Response Team, Location: Canada)

Posted 15 April 2012 - 11:04 AM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT


Please advise how your computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 firemantcook (Topic Starter, Members)

Posted 16 April 2012 - 08:36 AM

Computer is still running the same. The ESET scan found no threats, so there was no log. Here is the MBAM log.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.16.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tim :: TIM-PC [administrator]

Protection: Disabled

4/16/2012 7:58:47 AM
mbam-log-2012-04-16 (07-58-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202690
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#8 CatByte (bleepin' tiger, Malware Response Team, Location: Canada)

Posted 16 April 2012 - 08:40 AM

"Computer is still running the same"


please describe in as much detail as possible what you mean by this

NEXT

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • If the TDLFS File system is found then ensure delete is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



#9 firemantcook (Topic Starter, Members)

Posted 16 April 2012 - 06:49 PM

The computer still redirects with all search engines, internet is still running extremely slow, and there is still a message on shut down that says there is a program in the background running and I have to force a shutdown.


I extracted TDSSKiller to the desktop but it will not run. It asks if I want to allow the program to make changes to the computer and I say yes, and then it does nothing.

#10 CatByte (bleepin' tiger, Malware Response Team, Location: Canada)

Posted 16 April 2012 - 07:05 PM

Hi

Please run the following:


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.



#11 firemantcook (Topic Starter, Members)

Posted 16 April 2012 - 08:47 PM

Still doing the same thing in the system recovery. When I select repair your computer it goes to a screen that says windows is loading files and goes no farther. It seems to freeze up on this screen.

#12 CatByte (bleepin' tiger, Malware Response Team, Location: Canada)

Posted 16 April 2012 - 08:55 PM

ok, I was hoping running ComboFix may have assisted with that issue, but that's not the case.

Do you have access to an installation disk in order to access the recovery environment from a disk?

Win 7 is able to make a disk to access the recovery environment. Given the issue you are having accessing it normally, I'm not certain this method will work, but it's worth a try if you don't have access to an installation disk.

http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

http://www.sevenforums.com/tutorials/668-system-recovery-options.html

If that method (create a disk) will not work on your computer because of the infection, do you have access to another win7 machine to create the disk?

In the meantime

try running TDSSKiller renamed in safe mode > rename it to svchost.exe


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account



#13 firemantcook (Topic Starter, Members)

Posted 17 April 2012 - 10:03 AM

After renaming TDSSKiller in safe mode it still would not run. I have a recovery disk now. Should I go ahead and run the recovery as stated before from the disk?

#14 CatByte (bleepin' tiger, Malware Response Team, Location: Canada)

Posted 17 April 2012 - 11:14 AM

yes, please go ahead and try to enter the recovery environment from the disk

follow the instructions from my previous post

http://www.bleepingcomputer.com/forums/topic450053.html/page__view__findpost__p__2667739



#15 firemantcook (Topic Starter, Members)

Posted 17 April 2012 - 02:13 PM

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 17-04-2012 15:08:01
Running from F:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [167704 2011-07-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [392472 2011-07-02] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [416024 2011-07-02] (Intel Corporation)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-05-17] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [296824 2010-09-25] (TOSHIBA Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11775592 2011-01-26] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 /MAXX3 [2188904 2011-01-18] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1544624 2011-05-24] (TOSHIBA Corporation)
HKLM\...\Run: [IntelPAN] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel PAN Tray [1935120 2011-06-01] (Intel® Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-06-09] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-07-01] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-04-23] (TOSHIBA Corporation)
HKLM\...\Run: [TOSHIBA Face Recognition] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2011-06-28] (TOSHIBA Corporation)
HKLM-x32\...\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL [532480 2010-11-09] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP [423936 2011-03-10] (TOSHIBA Electronics, Inc.)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1298816 2011-07-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [460872 2012-01-31] (Malwarebytes Corporation)
HKU\Tim\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-11-10] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.250

==================== Services (Whitelisted) ======

3 Adobe Version Cue CS4; "C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service [284016 2008-08-15] (Adobe Systems Incorporated)
3 AdobeFlashPlayerUpdateSvc; C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [253088 2012-04-14] (Adobe Systems Incorporated)
2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
3 FLEXnet Licensing Service 64; "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe" [1038088 2012-01-12] (Acresso Software Inc.)
2 lxdq_device; C:\windows\system32\lxdqcoms.exe -service [1039872 2007-11-28] ( )
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-31] (Malwarebytes Corporation)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-06-01] ()
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\19.5.0.145\diMaster.dll" /prefetch:1 [309688 2012-01-24] (Symantec Corporation)
2 Thpsrv; C:\windows\system32\ThpSrv.exe [558592 2011-04-20] (TOSHIBA Corporation)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2011-02-01] (Intel Corporation)

========================== Drivers (Whitelisted) =============

2 adfs; C:\Windows\System32\Drivers\adfs.sys [88632 2008-06-27] (Adobe Systems, Inc.)
2 adfs; C:\Windows\SysWow64\Drivers\adfs.sys [74720 2008-08-14] (Adobe Systems, Inc.)
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\BASHDefs\20120207.003\BHDrvx64.sys [1157240 2011-12-23] (Symantec Corporation)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
1 ccSet_NIS; C:\Windows\System32\drivers\NISx64\1305000.091\ccSetx64.sys [167048 2011-11-04] (Symantec Corporation)
3 CeKbFilter; C:\Windows\System32\Drivers\CeKbFilter.sys [20592 2011-11-10] (Compal Electronics, INC.)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2012-02-03] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138360 2012-02-03] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\IPSDefs\20120209.002\IDSvia64.sys [488568 2011-12-15] (Symantec Corporation)
3 intaud_WaveExtensible; C:\Windows\System32\drivers\intelaud.sys [34200 2011-06-21] (Intel Corporation)
3 iwdbus; C:\Windows\System32\Drivers\iwdbus.sys [25496 2011-06-21] (Intel Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20120210.003\ENG64.SYS [117880 2012-02-10] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.0.0.128\Definitions\VirusDefs\20120210.003\EX64.SYS [2048632 2012-02-10] (Symantec Corporation)
3 NETwNs64; C:\Windows\System32\Drivers\NETwNs64.sys [8593920 2011-05-01] (Intel Corporation)
3 pfc; C:\Windows\SysWow64\Drivers\pfc.sys [10368 2004-04-01] (Padus, Inc.)
3 SRTSP; C:\Windows\System32\Drivers\NISx64\1305000.091\SRTSP64.SYS [738936 2011-11-23] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\drivers\NISx64\1305000.091\SRTSPX64.SYS [37496 2011-11-23] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1305000.091\SYMDS64.SYS [451192 2011-05-16] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1305000.091\SYMEFA64.SYS [1092728 2011-11-23] (Symantec Corporation)
3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-01-31] (Symantec Corporation)
1 SymIRON; C:\Windows\System32\drivers\NISx64\1305000.091\Ironx64.SYS [190072 2011-11-16] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1305000.091\SYMNETS.SYS [405624 2011-11-16] (Symantec Corporation)
3 TsUsbGD; C:\Windows\System32\Drivers\TsUsbGD.sys [31232 2010-11-20] (Microsoft Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-17 15:07 - 2012-04-17 15:08 - 0000000 ____D C:\FRST
2012-04-17 06:37 - 2012-04-17 06:41 - 0276346 ____A C:\Windows\ntbtlog.txt
2012-04-17 06:11 - 2012-04-17 06:11 - 0000240 ____A C:\Users\Tim\Desktop\defogger_enable.log
2012-04-17 06:10 - 2012-04-17 06:10 - 0050477 ____A C:\Users\Tim\Desktop\Defogger.exe
2012-04-16 09:22 - 2012-04-17 06:40 - 0000000 ____D C:\Users\Tim\Desktop\tdsskiller
2012-04-16 09:20 - 2012-04-16 09:21 - 2052353 ____A C:\Users\Tim\Desktop\tdsskiller.zip
2012-04-16 04:04 - 2012-04-16 04:04 - 0000000 ____D C:\Program Files (x86)\ESET
2012-04-16 04:02 - 2012-04-16 04:02 - 0001912 ____A C:\Users\Tim\Desktop\mbam-log-2012-04-16 (07-58-47).txt
2012-04-16 03:53 - 2012-04-16 03:53 - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-14 18:30 - 2012-04-14 18:30 - 0018805 ____A C:\ComboFix.txt
2012-04-14 17:27 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-04-14 17:27 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-04-14 17:27 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-04-14 17:27 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-04-14 17:27 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-04-14 17:27 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-04-14 17:27 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-04-14 17:26 - 2012-04-14 18:31 - 0000000 ____D C:\ComboFix
2012-04-14 17:21 - 2012-04-14 17:21 - 4462354 ____R (Swearware) C:\Users\Tim\Desktop\ComboFix.exe
2012-04-14 14:03 - 2012-04-17 06:16 - 0002740 ____A C:\Users\Tim\Desktop\unhide.txt
2012-04-14 14:02 - 2012-04-14 14:02 - 0399264 ____A (Bleeping Computer, LLC) C:\Users\Tim\Desktop\unhide.exe
2012-04-14 06:08 - 2012-04-14 06:08 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-14 05:56 - 2012-04-17 10:08 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-14 05:56 - 2012-04-14 06:09 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-14 05:56 - 2012-04-14 05:56 - 0000000 ____D C:\Windows\System32\Macromed
2012-04-13 19:50 - 2012-04-13 19:50 - 0037055 ____A C:\Users\Tim\Desktop\ark.txt
2012-04-13 19:30 - 2012-04-13 19:30 - 0294195 ____A C:\Users\Tim\Desktop\gmer.zip
2012-04-13 19:30 - 2012-04-13 19:30 - 0000000 ____D C:\Users\Tim\Desktop\gmer
2012-04-13 19:25 - 2012-04-13 19:25 - 0007245 ____A C:\Users\Tim\Desktop\Attach.txt
2012-04-13 19:24 - 2012-04-13 19:24 - 0021475 ____A C:\Users\Tim\Desktop\DDS.txt
2012-04-13 19:15 - 2012-04-13 19:15 - 0607260 ____R (Swearware) C:\Users\Tim\Desktop\dds.scr
2012-04-13 19:04 - 2012-04-13 19:04 - 2821820 ____A C:\Users\Tim\Documents\AutoRuns.arn
2012-04-13 18:45 - 2012-04-13 18:45 - 0534483 ____A C:\Users\Tim\Downloads\Autoruns.zip
2012-04-13 18:36 - 2012-04-13 18:36 - 0000468 ____A C:\Users\Tim\Downloads\defogger_disable.log
2012-04-13 18:35 - 2012-04-13 18:35 - 0050477 ____A C:\Users\Tim\Downloads\Defogger.exe
2012-04-06 08:29 - 2012-04-06 17:37 - 0000000 ____D C:\Users\Tim\Documents\New Home PDF's
2012-04-02 21:05 - 2012-04-02 21:05 - 0007598 ____A C:\Users\Tim\AppData\Local\Resmon.ResmonCfg
2012-04-01 10:44 - 2009-08-19 19:50 - 0052568 ___RA (Adobe Systems Inc) C:\Windows\System32\AdobePDF.dll
2012-04-01 10:44 - 2009-08-19 19:50 - 0024416 ___RA (Adobe Systems Inc.) C:\Windows\System32\AdobePDFUI.dll
2012-03-31 18:49 - 2012-03-31 18:50 - 0000000 ____D C:\Users\Tim\AppData\Local\Help
2012-03-31 18:49 - 2012-03-31 18:49 - 0000000 ____D C:\Users\Tim\AppData\Roaming\Help
2012-03-31 18:49 - 2009-08-04 09:56 - 0296960 ____A (Microsoft Corporation) C:\Windows\winhlp32.exe
2012-03-31 18:49 - 2009-08-04 09:55 - 0195072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ftsrch.dll
2012-03-31 18:49 - 2009-08-04 09:55 - 0195072 ____A (Microsoft Corporation) C:\Windows\System32\ftsrch.dll
2012-03-31 18:49 - 2009-08-04 09:55 - 0010240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ftlx041e.dll
2012-03-31 18:49 - 2009-08-04 09:55 - 0010240 ____A (Microsoft Corporation) C:\Windows\System32\ftlx041e.dll
2012-03-31 18:49 - 2009-08-04 09:55 - 0009216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ftlx0411.dll
2012-03-31 18:49 - 2009-08-04 09:55 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\ftlx0411.dll
2012-03-31 18:48 - 2012-03-31 18:48 - 0000000 ____D C:\Users\All Users\Windows Genuine Advantage
2012-03-31 18:48 - 2012-03-31 18:48 - 0000000 ____D C:\ProgramData\Windows Genuine Advantage
2012-03-28 17:28 - 2012-03-28 17:40 - 0000000 ____D C:\Users\Tim\AppData\Roaming\IObit
2012-03-28 17:28 - 2012-03-28 17:28 - 0000000 ____D C:\Users\All Users\IObit
2012-03-28 17:28 - 2012-03-28 17:28 - 0000000 ____D C:\ProgramData\IObit
2012-03-28 17:28 - 2012-03-28 17:28 - 0000000 ____D C:\Program Files (x86)\IObit
2012-03-28 16:26 - 2012-04-16 03:57 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-03-27 12:40 - 2012-04-16 03:57 - 0000925 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-03-27 12:40 - 2012-03-27 12:40 - 0000000 ____D C:\Users\Tim\AppData\Roaming\Malwarebytes
2012-03-27 12:40 - 2012-03-27 12:40 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-03-27 12:40 - 2012-03-27 12:40 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-03-27 12:40 - 2012-03-27 12:40 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-27 12:38 - 2012-03-27 12:39 - 9604712 ____A (Malwarebytes Corporation ) C:\Users\Tim\Downloads\mbam-setup.exe
2012-03-21 18:50 - 2012-03-21 18:50 - 0001794 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-03-21 18:49 - 2012-03-21 18:50 - 0000000 ____D C:\Program Files\iTunes
2012-03-21 18:49 - 2012-03-21 18:50 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-03-21 18:49 - 2012-03-21 18:49 - 0000000 ____D C:\Program Files\iPod
2012-03-21 06:32 - 2012-04-13 18:45 - 0638784 ____A (Sysinternals - www.sysinternals.com) C:\Users\Tim\Desktop\autoruns.exe
2012-03-21 06:32 - 2012-04-13 18:45 - 0557888 ____A (Sysinternals - www.sysinternals.com) C:\Users\Tim\Desktop\autorunsc.exe
2012-03-21 00:22 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-03-21 00:21 - 2012-04-14 18:15 - 0000000 ____D C:\Windows\ERDNT
2012-03-21 00:20 - 2012-04-14 18:31 - 0000000 ____D C:\Qoobox
2012-03-21 00:12 - 2012-03-21 00:12 - 2044822 ____A C:\Users\Tim\Downloads\tdsskiller.zip
2012-03-20 19:12 - 2012-03-20 19:12 - 4483467 ____A C:\Users\Tim\Downloads\Moments Remembered.mp3

============ 3 Months Modified Files and Folders =============

2012-04-17 15:08 - 2012-04-17 15:07 - 0000000 ____D C:\FRST
2012-04-17 11:01 - 2011-11-10 15:50 - 1306759 ____A C:\Windows\WindowsUpdate.log
2012-04-17 10:47 - 2011-11-10 16:15 - 0000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-04-17 10:16 - 2009-07-13 20:45 - 0025120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-17 10:16 - 2009-07-13 20:45 - 0025120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-17 10:13 - 2009-07-13 21:13 - 0726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-17 10:09 - 2011-11-10 16:15 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-04-17 10:09 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-17 10:09 - 2009-07-13 20:51 - 0038530 ____A C:\Windows\setupact.log
2012-04-17 10:08 - 2012-04-14 05:56 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-17 10:08 - 2011-11-10 15:43 - 463486976 __ASH C:\hiberfil.sys
2012-04-17 06:41 - 2012-04-17 06:37 - 0276346 ____A C:\Windows\ntbtlog.txt
2012-04-17 06:40 - 2012-04-16 09:22 - 0000000 ____D C:\Users\Tim\Desktop\tdsskiller
2012-04-17 06:16 - 2012-04-14 14:03 - 0002740 ____A C:\Users\Tim\Desktop\unhide.txt
2012-04-17 06:11 - 2012-04-17 06:11 - 0000240 ____A C:\Users\Tim\Desktop\defogger_enable.log
2012-04-17 06:11 - 2012-01-11 13:32 - 0000000 ____D C:\users\Tim
2012-04-17 06:10 - 2012-04-17 06:10 - 0050477 ____A C:\Users\Tim\Desktop\Defogger.exe
2012-04-16 09:21 - 2012-04-16 09:20 - 2052353 ____A C:\Users\Tim\Desktop\tdsskiller.zip
2012-04-16 04:05 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-04-16 04:04 - 2012-04-16 04:04 - 0000000 ____D C:\Program Files (x86)\ESET
2012-04-16 04:02 - 2012-04-16 04:02 - 0001912 ____A C:\Users\Tim\Desktop\mbam-log-2012-04-16 (07-58-47).txt
2012-04-16 03:57 - 2012-03-28 16:26 - 0000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2012-04-16 03:57 - 2012-03-27 12:40 - 0000925 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-04-16 03:53 - 2012-04-16 03:53 - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-14 18:31 - 2012-04-14 17:26 - 0000000 ____D C:\ComboFix
2012-04-14 18:31 - 2012-03-21 00:20 - 0000000 ____D C:\Qoobox
2012-04-14 18:31 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-04-14 18:30 - 2012-04-14 18:30 - 0018805 ____A C:\ComboFix.txt
2012-04-14 18:15 - 2012-03-21 00:21 - 0000000 ____D C:\Windows\ERDNT
2012-04-14 18:10 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2012-04-14 18:09 - 2009-07-13 18:34 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-04-14 18:08 - 2010-11-20 19:47 - 0015484 ____A C:\Windows\PFRO.log
2012-04-14 17:21 - 2012-04-14 17:21 - 4462354 ____R (Swearware) C:\Users\Tim\Desktop\ComboFix.exe
2012-04-14 14:02 - 2012-04-14 14:02 - 0399264 ____A (Bleeping Computer, LLC) C:\Users\Tim\Desktop\unhide.exe
2012-04-14 06:09 - 2012-04-14 05:56 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-14 06:09 - 2011-07-26 23:11 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-14 06:08 - 2012-04-14 06:08 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-14 05:56 - 2012-04-14 05:56 - 0000000 ____D C:\Windows\System32\Macromed
2012-04-13 19:50 - 2012-04-13 19:50 - 0037055 ____A C:\Users\Tim\Desktop\ark.txt
2012-04-13 19:30 - 2012-04-13 19:30 - 0294195 ____A C:\Users\Tim\Desktop\gmer.zip
2012-04-13 19:30 - 2012-04-13 19:30 - 0000000 ____D C:\Users\Tim\Desktop\gmer
2012-04-13 19:25 - 2012-04-13 19:25 - 0007245 ____A C:\Users\Tim\Desktop\Attach.txt
2012-04-13 19:24 - 2012-04-13 19:24 - 0021475 ____A C:\Users\Tim\Desktop\DDS.txt
2012-04-13 19:15 - 2012-04-13 19:15 - 0607260 ____R (Swearware) C:\Users\Tim\Desktop\dds.scr
2012-04-13 19:04 - 2012-04-13 19:04 - 2821820 ____A C:\Users\Tim\Documents\AutoRuns.arn
2012-04-13 18:45 - 2012-04-13 18:45 - 0534483 ____A C:\Users\Tim\Downloads\Autoruns.zip
2012-04-13 18:45 - 2012-03-21 06:32 - 0638784 ____A (Sysinternals - www.sysinternals.com) C:\Users\Tim\Desktop\autoruns.exe
2012-04-13 18:45 - 2012-03-21 06:32 - 0557888 ____A (Sysinternals - www.sysinternals.com) C:\Users\Tim\Desktop\autorunsc.exe
2012-04-13 18:36 - 2012-04-13 18:36 - 0000468 ____A C:\Users\Tim\Downloads\defogger_disable.log
2012-04-13 18:35 - 2012-04-13 18:35 - 0050477 ____A C:\Users\Tim\Downloads\Defogger.exe
2012-04-06 17:37 - 2012-04-06 08:29 - 0000000 ____D C:\Users\Tim\Documents\New Home PDF's
2012-04-02 21:19 - 2012-01-11 13:35 - 0000000 ____D C:\Users\Tim\AppData\Local\Deployment
2012-04-02 21:05 - 2012-04-02 21:05 - 0007598 ____A C:\Users\Tim\AppData\Local\Resmon.ResmonCfg
2012-04-01 23:08 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\rescache
2012-04-01 10:43 - 2012-01-12 19:16 - 0002032 ____A C:\Users\Public\Desktop\Adobe Acrobat 9 Pro.lnk
2012-03-31 18:50 - 2012-03-31 18:49 - 0000000 ____D C:\Users\Tim\AppData\Local\Help
2012-03-31 18:49 - 2012-03-31 18:49 - 0000000 ____D C:\Users\Tim\AppData\Roaming\Help
2012-03-31 18:48 - 2012-03-31 18:48 - 0000000 ____D C:\Users\All Users\Windows Genuine Advantage
2012-03-31 18:48 - 2012-03-31 18:48 - 0000000 ____D C:\ProgramData\Windows Genuine Advantage
2012-03-28 17:41 - 2012-01-11 13:32 - 0000000 ____D C:\Users\Tim\AppData\LocalLow
2012-03-28 17:40 - 2012-03-28 17:28 - 0000000 ____D C:\Users\Tim\AppData\Roaming\IObit
2012-03-28 17:28 - 2012-03-28 17:28 - 0000000 ____D C:\Users\All Users\IObit
2012-03-28 17:28 - 2012-03-28 17:28 - 0000000 ____D C:\ProgramData\IObit
2012-03-28 17:28 - 2012-03-28 17:28 - 0000000 ____D C:\Program Files (x86)\IObit
2012-03-27 12:40 - 2012-03-27 12:40 - 0000000 ____D C:\Users\Tim\AppData\Roaming\Malwarebytes
2012-03-27 12:40 - 2012-03-27 12:40 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-03-27 12:40 - 2012-03-27 12:40 - 0000000 ____D C:\ProgramData\Malwarebytes
2012-03-27 12:40 - 2012-03-27 12:40 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-27 12:39 - 2012-03-27 12:38 - 9604712 ____A (Malwarebytes Corporation ) C:\Users\Tim\Downloads\mbam-setup.exe
2012-03-23 08:28 - 2012-01-11 17:11 - 0000000 ____D C:\Users\Tim\AppData\Local\Google
2012-03-21 18:50 - 2012-03-21 18:50 - 0001794 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-03-21 18:50 - 2012-03-21 18:49 - 0000000 ____D C:\Program Files\iTunes
2012-03-21 18:50 - 2012-03-21 18:49 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-03-21 18:49 - 2012-03-21 18:49 - 0000000 ____D C:\Program Files\iPod
2012-03-21 01:37 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-03-21 00:30 - 2012-01-16 18:02 - 0000000 ____D C:\Users\Tim\Documents\Website
2012-03-21 00:30 - 2011-11-10 16:14 - 0000000 ____D C:\Windows\System32\Drivers\NISx64
2012-03-21 00:30 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-03-21 00:29 - 2012-03-01 19:36 - 0000000 ____D C:\Program Files (x86)\Blubster
2012-03-21 00:29 - 2012-01-12 20:21 - 0000000 ____D C:\Users\All Users\FLEXnet
2012-03-21 00:29 - 2012-01-12 20:21 - 0000000 ____D C:\ProgramData\FLEXnet
2012-03-21 00:29 - 2012-01-11 16:51 - 0000000 ____D C:\Users\All Users\lx_Cats
2012-03-21 00:29 - 2012-01-11 16:51 - 0000000 ____D C:\ProgramData\lx_Cats
2012-03-21 00:29 - 2012-01-11 13:35 - 0000000 ____D C:\Users\Tim\AppData\Local\Apps\2.0
2012-03-21 00:29 - 2011-11-10 16:15 - 0000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-03-21 00:29 - 2011-11-10 16:14 - 0000000 ____D C:\Users\All Users\Norton
2012-03-21 00:29 - 2011-11-10 16:14 - 0000000 ____D C:\ProgramData\Norton
2012-03-21 00:29 - 2011-07-26 23:16 - 0000000 ____D C:\Users\All Users\Toshiba
2012-03-21 00:29 - 2011-07-26 23:16 - 0000000 ____D C:\ProgramData\Toshiba
2012-03-21 00:28 - 2012-01-11 17:17 - 0000000 ____D C:\Users\Tim\AppData\Roaming\Adobe
2012-03-21 00:28 - 2012-01-11 13:34 - 0000000 ____D C:\Users\Tim\AppData\Local\VirtualStore
2012-03-21 00:28 - 2012-01-11 13:32 - 0000000 ____D C:\Users\Tim\AppData\Roaming\Macromedia
2012-03-21 00:28 - 2012-01-11 13:32 - 0000000 ____D C:\Users\Tim\AppData\Roaming\Intel
2012-03-21 00:28 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-03-21 00:25 - 2012-01-12 19:01 - 0000000 ____D C:\Users\Tim\AppData\Local\Adobe
2012-03-21 00:25 - 2012-01-11 19:18 - 0000000 ____D C:\Users\Tim\AppData\Local\Microsoft Games
2012-03-21 00:25 - 2011-11-10 16:22 - 0000000 ___DC C:\Users\All Users\{373A11D3-0B96-4E16-9184-7D0FBE86932F}
2012-03-21 00:25 - 2011-11-10 16:22 - 0000000 ___DC C:\ProgramData\{373A11D3-0B96-4E16-9184-7D0FBE86932F}
2012-03-21 00:25 - 2011-11-10 16:16 - 0000000 ____D C:\Users\All Users\Google
2012-03-21 00:25 - 2011-11-10 16:16 - 0000000 ____D C:\ProgramData\Google
2012-03-21 00:25 - 2011-11-10 16:08 - 0000000 ____D C:\Users\All Users\Intel
2012-03-21 00:25 - 2011-11-10 16:08 - 0000000 ____D C:\ProgramData\Intel
2012-03-21 00:25 - 2010-11-20 23:16 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-03-21 00:24 - 2012-01-12 21:06 - 0000000 ____D C:\Users\All Users\Apple Computer
2012-03-21 00:24 - 2012-01-12 21:06 - 0000000 ____D C:\ProgramData\Apple Computer
2012-03-21 00:24 - 2012-01-12 21:05 - 0000000 ____D C:\Users\All Users\Apple
2012-03-21 00:24 - 2012-01-12 21:05 - 0000000 ____D C:\ProgramData\Apple
2012-03-21 00:24 - 2011-11-10 16:22 - 0000000 ____D C:\Users\All Users\Best Buy pc app
2012-03-21 00:24 - 2011-11-10 16:22 - 0000000 ____D C:\ProgramData\Best Buy pc app
2012-03-21 00:24 - 2011-11-10 16:04 - 0000000 ____D C:\Users\All Users\Downloaded Installations
2012-03-21 00:24 - 2011-11-10 16:04 - 0000000 ____D C:\ProgramData\Downloaded Installations
2012-03-21 00:12 - 2012-03-21 00:12 - 2044822 ____A C:\Users\Tim\Downloads\tdsskiller.zip
2012-03-20 19:12 - 2012-03-20 19:12 - 4483467 ____A C:\Users\Tim\Downloads\Moments Remembered.mp3
2012-03-19 04:31 - 2012-03-01 19:37 - 0002453 ____A C:\Users\Public\Documents\Global.sw2
2012-03-13 12:07 - 2011-11-10 16:15 - 0000000 ____D C:\Program Files\Symantec
2012-03-01 19:37 - 2012-03-01 19:37 - 0000000 ____D C:\Users\Public\Documents\Softwrap
2012-02-23 06:18 - 2010-11-20 19:27 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-20 16:07 - 2012-02-20 16:05 - 0000414 ____A C:\Windows\SysWOW64\AppLog.log
2012-02-20 06:25 - 2011-07-26 23:11 - 0000000 ____D C:\Windows\SysWOW64\Macromed
2012-02-20 06:24 - 2012-02-20 06:24 - 0000000 ____D C:\Windows\SysWOW64\Adobe
2012-02-18 12:54 - 2012-02-18 12:54 - 1480192 ____A C:\Users\Tim\Documents\Choosing Haul Systems.doc
2012-02-16 10:43 - 2012-02-16 10:43 - 0000000 ____D C:\Windows\SysWOW64\20-20 Technologies
2012-02-15 19:20 - 2012-01-13 15:48 - 0000000 ____D C:\Users\Tim\AppData\Roaming\FileZilla
2012-02-15 09:35 - 2012-01-11 18:39 - 0000000 ____D C:\Users\Tim\AppData\Local\ElevatedDiagnostics
2012-01-31 23:57 - 2012-01-30 02:53 - 2141223 ____A C:\Users\Tim\Documents\Home Plan.PRO
2012-01-31 20:38 - 2012-01-29 19:57 - 0000000 ____D C:\Program Files (x86)\Punch! Pro - Platinum
2012-01-31 20:04 - 2011-11-10 16:15 - 0175736 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2012-01-31 20:04 - 2011-11-10 16:15 - 0007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2012-01-31 20:04 - 2011-11-10 16:15 - 0000855 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.INF
2012-01-29 20:01 - 2012-01-29 20:01 - 0001956 ____A C:\Users\Tim\Desktop\Punch! Pro-Platinum.lnk
2012-01-24 16:26 - 2012-01-24 16:26 - 0000000 ____D C:\Users\Tim\AppData\Local\CrashDumps

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2011-07-26 22:54] - [2011-03-01 00:07] - 0027648 ____A (Microsoft Corporation) 6F68F63794097E54F36474ED4384B759

C:\Windows\SysWOW64\svchost.exe
[2011-07-26 22:54] - [2011-03-01 00:05] - 0021504 ____A (Microsoft Corporation) ECDB182F885292145826C58252B53000

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-07-26 22:50] - [2011-02-24 22:25] - 0296320 ____A (Microsoft Corporation) DF8126BD41180351A093A3AD2FC8903B


========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 6050.69 MB
Available physical RAM: 5390.35 MB
Total Pagefile: 6048.89 MB
Available Pagefile: 5368.36 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI106230W0C) (Fixed) (Total:579.61 GB) (Free:527.29 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Repair disc 64-bit) (CDROM) (Total:0.14 GB) (Free:0 GB) UDF
4 Drive f: () (Removable) (Total:14.9 GB) (Free:13.52 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 579 GB 1501 MB
Partition 3 Primary 15 GB 581 GB
Partition 4 Primary 336 KB 596 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI106230W0C NTFS Partition 579 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 14 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-10 11:02

======================= End Of Log ==========================



