Virus keeps redirecting me an aopening popups...please Help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Bluefish44

Thread Starter
Joined
Dec 18, 2010
Messages
5
I have pasted my hijackthis log below...does anyone have any ideas? Also, my computer has become very slow.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:37 PM, on 12/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\AVG\AVG10\avgmfapx.exe
C:\Program Files\AVG\AVG10\avgmfapx.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AVG\AVG10\PCTuneup\MicroScanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 7967 bytes
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from herehttp://www.gmer.net/download.phphttp://www.gmer.net/download.php to your desktop. It will be a randomly named executable.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.


    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
 

Bluefish44

Thread Starter
Joined
Dec 18, 2010
Messages
5
Thanks Catbyte for looking into this. Below are the 3 logs that you requested:

DDS (Ver_10-12-12.02) - NTFSx86
Run by owner at 12:45:27.46 on Mon 12/20/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.390 [GMT -7:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Documents and Settings\owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli p64rdi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\z75ygedb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8118
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\z75ygedb.default\extensions\[email protected]\components\piclensstub.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: PicLens: [email protected] - %profile%\extensions\[email protected]
FF - Ext: TrackMeNot: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Craigslist Image Preview Ext: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: vShare: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {17127B0F-1113-4DD1-8701-2B6A59A4226C} - c:\documents and settings\owner\local settings\application data\{17127B0F-1113-4DD1-8701-2B6A59A4226C}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-3 64160]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\atmfbus.sys --> c:\windows\system32\drivers\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\atmfcvsp.sys --> c:\windows\system32\drivers\ATMFCVsp.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\atmfmdm.sys --> c:\windows\system32\drivers\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\atmfnet.sys --> c:\windows\system32\drivers\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\atmfnvsp.sys --> c:\windows\system32\drivers\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\atmfvsp.sys --> c:\windows\system32\drivers\ATMFVsp.sys [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2006-12-18 22136]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-3-8 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]

=============== Created Last 30 ================

2010-12-21 02:47:44 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-21 02:47:44 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-20 00:41:27 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-19 02:15:49 -------- d-----w- c:\docume~1\owner\applic~1\411250F41135EE75A792B09056999482
2010-12-18 12:31:36 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-18 12:30:50 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05:35 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:59:07 369664 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 12:45:44.93 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/11/2006 4:06:31 PM
System Uptime: 12/20/2010 12:11:20 PM (0 hours ago)

Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards
Processor: Genuine Intel(R) CPU T2050 @ 1.60GHz | U1 | 1596/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 47.422 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play Monitor
Device ID: DISPLAY\LPL0000\4&6BEE075&0&00000400&00&02
Manufacturer: (Standard monitor types)
Name: Plug and Play Monitor
PNP Device ID: DISPLAY\LPL0000\4&6BEE075&0&00000400&00&02
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\D159DD2080DA0
Manufacturer: Microsoft
Name: 1394 Net Adapter #2
PNP Device ID: V1394\NIC1394\D159DD2080DA0
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1092&SUBSYS_FF101179&REV_02\4&6B16D5B&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1092&SUBSYS_FF101179&REV_02\4&6B16D5B&0&40F0
Service: E100B

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems SSL VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems SSL VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CSVirtA

==== System Restore Points ===================

RP856: 9/19/2010 9:24:20 PM - System Checkpoint
RP857: 9/29/2010 6:07:16 PM - Avg Update
RP858: 9/29/2010 6:08:04 PM - Avg Update
RP859: 9/30/2010 7:28:54 PM - System Checkpoint
RP860: 10/1/2010 3:01:27 AM - Software Distribution Service 3.0
RP861: 10/2/2010 3:10:09 AM - System Checkpoint
RP862: 10/3/2010 8:09:06 PM - System Checkpoint
RP863: 10/4/2010 8:13:48 PM - System Checkpoint
RP864: 10/5/2010 9:43:54 PM - System Checkpoint
RP865: 10/6/2010 5:43:50 PM - Avg Update
RP866: 10/8/2010 5:24:26 AM - Software Distribution Service 3.0
RP867: 10/10/2010 6:22:52 PM - System Checkpoint
RP868: 10/11/2010 6:23:09 PM - System Checkpoint
RP869: 10/12/2010 7:11:43 PM - System Checkpoint
RP870: 10/14/2010 6:09:37 PM - System Checkpoint
RP871: 10/15/2010 7:52:50 PM - Software Distribution Service 3.0
RP872: 10/16/2010 8:23:46 PM - System Checkpoint
RP873: 10/18/2010 12:33:46 PM - System Checkpoint
RP874: 10/19/2010 11:00:48 AM - Removed WinZip 14.5
RP875: 10/19/2010 11:03:13 AM - Installed WinZip 14.5
RP876: 10/20/2010 8:33:09 PM - System Checkpoint
RP877: 10/21/2010 9:54:06 PM - Software Distribution Service 3.0
RP878: 10/22/2010 11:03:44 PM - System Checkpoint
RP879: 10/24/2010 7:53:19 AM - System Checkpoint
RP880: 10/25/2010 10:40:41 AM - System Checkpoint
RP881: 10/26/2010 11:18:48 AM - System Checkpoint
RP882: 10/26/2010 4:26:43 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP883: 10/26/2010 4:27:15 PM - Installed AVG 2011
RP884: 10/26/2010 4:29:40 PM - Removed AVG Free 9.0
RP885: 10/26/2010 6:58:50 PM - Installed AVG 2011
RP886: 10/27/2010 7:37:12 PM - System Checkpoint
RP887: 10/28/2010 8:40:20 PM - System Checkpoint
RP888: 10/29/2010 6:41:10 PM - System Checkpoint
RP889: 10/30/2010 7:28:31 PM - System Checkpoint
RP890: 10/31/2010 8:43:22 PM - System Checkpoint
RP891: 11/2/2010 12:30:34 PM - System Checkpoint
RP892: 11/3/2010 5:35:02 PM - System Checkpoint
RP893: 11/5/2010 5:55:57 PM - System Checkpoint
RP894: 11/6/2010 7:14:35 PM - System Checkpoint
RP895: 11/7/2010 6:40:41 PM - System Checkpoint
RP896: 11/9/2010 9:26:53 AM - System Checkpoint
RP897: 11/11/2010 6:31:29 PM - System Checkpoint
RP898: 11/12/2010 12:14:14 PM - Software Distribution Service 3.0
RP899: 11/13/2010 6:25:07 PM - System Checkpoint
RP900: 11/15/2010 11:09:00 AM - System Checkpoint
RP901: 11/16/2010 10:39:12 AM - Removed Kaspersky Security Scan
RP902: 11/16/2010 10:58:36 AM - Removed Sonic DLA
RP903: 11/17/2010 9:40:00 PM - System Checkpoint
RP904: 11/20/2010 6:58:01 PM - System Checkpoint
RP905: 11/22/2010 2:37:13 PM - System Checkpoint
RP906: 11/26/2010 4:29:37 PM - Restore Operation
RP907: 11/27/2010 5:39:31 PM - System Checkpoint
RP908: 11/28/2010 7:09:53 PM - System Checkpoint
RP909: 11/30/2010 12:38:10 AM - System Checkpoint
RP910: 11/30/2010 1:01:20 PM - Restore Operation
RP911: 12/4/2010 5:39:41 PM - System Checkpoint
RP912: 12/5/2010 7:35:10 PM - System Checkpoint
RP913: 12/6/2010 7:57:20 PM - System Checkpoint
RP914: 12/7/2010 9:29:55 PM - System Checkpoint
RP915: 12/9/2010 8:42:29 AM - System Checkpoint
RP916: 12/10/2010 8:50:05 AM - System Checkpoint
RP917: 12/14/2010 10:55:46 AM - System Checkpoint
RP918: 12/15/2010 7:09:24 PM - System Checkpoint
RP919: 12/16/2010 10:49:50 PM - System Checkpoint
RP920: 12/17/2010 7:13:59 PM - Restore Operation
RP921: 12/18/2010 8:29:28 AM - Software Distribution Service 3.0
RP922: 12/20/2010 6:26:13 PM - System Checkpoint
RP923: 12/20/2010 7:40:01 PM - Restore Operation
RP924: 12/18/2010 9:18:49 PM - Software Distribution Service 3.0
RP925: 12/18/2010 9:58:20 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Audacity 1.2.6
AVG 2011
Bazooka Scanner
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
Cisco SSL VPN Client
Critical Update for Windows Media Player 11 (KB959772)
Desktop Dialer
Drivers Install For Linksys Easylink Advisor
DVD-RAM Driver
ESPNMotion
Free YouTube to iPod Converter version 3.2
Garmin Communicator Plugin
Garmin POI Loader
Garmin Trip and Waypoint Manager v5
Google Earth
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Index.dat Suite
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iolo technologies' System Mechanic 4 Professional
iTunes
J2SE Runtime Environment 5.0 Update 4
Java(TM) 6 Update 3
Linksys EasyLink Advisor 1.6 (0032)
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
mIWA
mLogView
mMHouse
Motorola Software Update
Mozilla Firefox (3.0.19)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
mZConfig
Office 2003 Trial Assistant
Otto
Pacific Poker
Picasa 3
QuickTime
Realtek High Definition Audio Driver
SD Secure Module
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic Encoders
Sonic RecordNow!
SopCast 3.2.4
Speed Up Alarm
Spybot - Search & Destroy
StreamTorrent 1.0
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
Toshiba Media Center Game Console
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA TV Tuner 4.0.12.73
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Update Rollup 2 for Windows XP Media Center Edition 2005
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.1
WebFldrs XP
Windows Media Format 11 runtime
Windows Media Player 11
Windows Vista Upgrade Advisor
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB894553
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
WinZip 14.5

==== Event Viewer Messages From Past Week ========

12/20/2010 7:50:16 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -172283 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.103:123->207.46.197.32:123) is working properly.
12/20/2010 7:39:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 FileDisk Fips intelppm KR10N ohci1394
12/20/2010 5:23:21 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -172279 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.103:123->207.46.232.182:123) is working properly.
12/20/2010 5:02:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: KR10N
12/20/2010 2:39:15 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/20/2010 12:29:53 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
12/19/2010 5:41:40 PM, error: Dhcp [1002] - The IP address lease 192.168.1.103 for the Network Card with network address 0018DE48046E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
12/19/2010 5:39:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/19/2010 5:38:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 FileDisk Fips intelppm
12/19/2010 5:23:44 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -172378 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.103:123->207.46.232.182:123) is working properly.
12/19/2010 5:11:00 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -172381 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.103:123->207.46.232.182:123) is working properly.
12/19/2010 4:20:46 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -172396 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.103:123->207.46.232.182:123) is working properly.
12/19/2010 11:21:01 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6024.
12/18/2010 8:52:56 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avgwd service.
12/18/2010 3:38:27 AM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -172387 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.103:123->207.46.232.182:123) is working properly.
12/17/2010 5:53:45 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/17/2010 1:54:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 960 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/17/2010 1:52:34 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/16/2010 8:57:32 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/16/2010 11:52:34 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/14/2010 6:28:44 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0018DE48046E. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
12/14/2010 11:36:40 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -172396 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.103:123->207.46.197.32:123) is working properly.
12/14/2010 1:01:29 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
12/14/2010 1:01:29 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
12/13/2010 7:10:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/13/2010 6:40:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
12/13/2010 6:25:45 PM, error: Dhcp [1002] - The IP address lease 192.168.1.105 for the Network Card with network address 0018DE48046E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
12/13/2010 11:38:10 PM, error: W32Time [34] - The time service has detected that the system time needs to be changed by -172503 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.1.103:123->207.46.197.32:123) is working properly.

==== End Of File ===========================

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-20 12:59:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541010G9SA00 rev.MBZOC60R
Running: uw5fejx2.exe; Driver: C:\DOCUME~1\owner\LOCALS~1\Temp\pgtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF776E87E]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA9B7A6C0]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF776EBFE]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA9B7A770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA9B7A810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA9B7A8B0]

INT 0x01 \??\C:\DOCUME~1\owner\LOCALS~1\Temp\mbr.sys F79F7C42

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 11A 804E4974 4 Bytes CALL 4D5E40EF
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF6A50EBF]
? C:\DOCUME~1\owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \FileSystem\Cdfs \Cdfs A4C58400
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
 

Bluefish44

Thread Starter
Joined
Dec 18, 2010
Messages
5
Follows is the combofix log:

ComboFix 10-12-20.01 - owner 12/20/2010 17:31:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.510 [GMT -7:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\owner\Application Data\411250F41135EE75A792B09056999482
c:\documents and settings\owner\Application Data\411250F41135EE75A792B09056999482\enemies-names.txt
c:\documents and settings\owner\Local Settings\Application Data\{17127B0F-1113-4DD1-8701-2B6A59A4226C}
c:\documents and settings\owner\Local Settings\Application Data\{17127B0F-1113-4DD1-8701-2B6A59A4226C}\chrome.manifest
c:\documents and settings\owner\Local Settings\Application Data\{17127B0F-1113-4DD1-8701-2B6A59A4226C}\chrome\content\_cfg.js
c:\documents and settings\owner\Local Settings\Application Data\{17127B0F-1113-4DD1-8701-2B6A59A4226C}\chrome\content\overlay.xul
c:\documents and settings\owner\Local Settings\Application Data\{17127B0F-1113-4DD1-8701-2B6A59A4226C}\install.rdf
c:\windows\system32\Oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))
.

2010-12-21 02:47 . 2010-12-21 02:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-20 18:05 . 2010-12-21 02:40 -------- d-----w- c:\documents and settings\NetworkService\UserData
2010-12-20 00:41 . 2010-12-20 00:41 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-19 05:14 . 2010-12-19 05:16 -------- d-----w- C:\rsit
2010-12-18 12:31 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-18 12:30 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2006-02-15 15:36 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05 . 2006-02-15 14:04 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2006-02-15 14:04 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2006-02-15 14:02 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:59 . 2006-02-15 14:02 369664 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-02-15 14:03 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-02-15 14:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-02-15 14:04 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-11 524632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 4 Professional\\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-11-28 19:41 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-27 00:13 122880 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\DesktopDialer\\DesktopDialer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/3/2009 5:45 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\DRIVERS\ATMFBUS.sys --> c:\windows\system32\DRIVERS\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\DRIVERS\ATMFCVsp.sys --> c:\windows\system32\DRIVERS\ATMFCVsp.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\DRIVERS\ATMFMdm.sys --> c:\windows\system32\DRIVERS\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\DRIVERS\ATMFNET.sys --> c:\windows\system32\DRIVERS\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\DRIVERS\ATMFNVsp.sys --> c:\windows\system32\DRIVERS\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\DRIVERS\ATMFVsp.sys --> c:\windows\system32\DRIVERS\ATMFVsp.sys [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [12/18/2006 9:00 PM 22136]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 10:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 10:49 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [3/8/2009 3:09 PM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 7:18 PM 23680]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:44]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\z75ygedb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8118
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: PicLens: [email protected] - %profile%\extensions\[email protected]
FF - Ext: TrackMeNot: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Craigslist Image Preview Ext: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: vShare: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-PadTouch - c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 17:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2256)
c:\windows\system32\TDispVol.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\igfxpph.dll
c:\windows\system32\hccutils.DLL
c:\windows\system32\igfxres.dll
c:\windows\system32\igfxress.dll
c:\windows\system32\igfxsrvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Cisco Systems\SSL VPN Client\agent.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\TDispVol.exe
c:\windows\system32\TPSMain.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2010-12-20 18:17:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-21 01:17

Pre-Run: 51,295,367,168 bytes free
Post-Run: 51,351,162,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - D251E2AACB73BECFABF38EEDCACEAE87
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
DirLook::
c:\windows\system32\%APPDATA%

FixCSet::
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish
 

Bluefish44

Thread Starter
Joined
Dec 18, 2010
Messages
5
Thanks again CatByte. Following are the 3 sets of information that you requested.

ComboFix 10-12-20.01 - owner 12/20/2010 22:04:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.747 [GMT -7:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))
.

2010-12-21 02:47 . 2010-12-21 02:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-20 18:05 . 2010-12-21 02:40 -------- d-----w- c:\documents and settings\NetworkService\UserData
2010-12-20 00:41 . 2010-12-20 00:41 -------- d-----w- c:\windows\system32\%APPDATA%
2010-12-19 05:14 . 2010-12-19 05:16 -------- d-----w- C:\rsit
2010-12-18 12:31 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-18 12:30 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2006-02-15 15:36 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-05 05:05 . 2006-02-15 14:04 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2006-02-15 14:04 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2006-02-15 14:02 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:59 . 2006-02-15 14:02 369664 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-02-15 14:03 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-02-15 14:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-02-15 14:04 1853312 ----a-w- c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\%APPDATA% ----

2010-12-20 00:41 . 2010-12-20 00:41 86 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log
2010-12-20 00:41 . 2010-07-07 09:44 234304 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx
2010-12-20 00:41 . 2010-07-07 09:45 31743 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr
2010-12-20 00:41 . 2010-06-14 15:32 152 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt
2010-12-20 00:41 . 2010-07-07 09:45 473 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin
2010-12-20 00:41 . 2010-07-07 09:45 3525401 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab
2010-12-20 00:41 . 2010-07-07 09:45 567840 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-11 524632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 4 Professional\\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-11-28 19:41 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-27 00:13 122880 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\DesktopDialer\\DesktopDialer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/3/2009 5:45 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
S3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\DRIVERS\ATMFBUS.sys --> c:\windows\system32\DRIVERS\ATMFBUS.sys [?]
S3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\DRIVERS\ATMFCVsp.sys --> c:\windows\system32\DRIVERS\ATMFCVsp.sys [?]
S3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\DRIVERS\ATMFMdm.sys --> c:\windows\system32\DRIVERS\ATMFMdm.sys [?]
S3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\DRIVERS\ATMFNET.sys --> c:\windows\system32\DRIVERS\ATMFNET.sys [?]
S3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\DRIVERS\ATMFNVsp.sys --> c:\windows\system32\DRIVERS\ATMFNVsp.sys [?]
S3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\DRIVERS\ATMFVsp.sys --> c:\windows\system32\DRIVERS\ATMFVsp.sys [?]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [12/18/2006 9:00 PM 22136]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 10:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 10:49 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [3/8/2009 3:09 PM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 7:18 PM 23680]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-12-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:44]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\z75ygedb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8118
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: PicLens: [email protected] - %profile%\extensions\[email protected]
FF - Ext: TrackMeNot: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Craigslist Image Preview Ext: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: vShare: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-20 22:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1216)
c:\windows\system32\TDispVol.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Cisco Systems\SSL VPN Client\agent.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\TDispVol.exe
c:\windows\system32\TPSMain.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2010-12-20 22:43:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-21 05:42
ComboFix2.txt 2010-12-21 01:17

Pre-Run: 51,334,238,208 bytes free
Post-Run: 51,349,934,080 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 8CEA65083E40104723B9CFD380D8B146


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5364

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/20/2010 11:02:50 PM
mbam-log-2010-12-20 (23-02-50).txt

Scan type: Quick scan
Objects scanned: 167952
Time elapsed: 14 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\owner\Desktop\VLCSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.



C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\10\5b43c10a-2f776c0b multiple threats
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-41cb5788 probably a variant of Win32/Agent.HYOTECU trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\22\10dec256-7779507a multiple threats
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\26\407ef09a-7dbd7748 multiple threats
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\45\667bb02d-41505bfc multiple threats
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3fc4a15b probably a variant of Win32/Agent.JHBSDMY trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-6ee74d66 probably a variant of Win32/Agent.CUYEWCZ trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-6253f12d.zip probably a variant of Win32/Agent.HYOTECU trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7bdfd03e.zip probably a variant of Win32/Agent.CUYEWCZ trojan
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-2691faf1.zip probably a variant of Win32/Agent.JHBSDMY trojan
C:\Documents and Settings\owner\My Documents\Downloaded Programs\Programs\VLCSetup.exe a variant of Win32/Adware.HotBar.H application
C:\Qoobox\Quarantine\C\Documents and Settings\owner\Application Data\411250F41135EE75A792B09056999482\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Documents and Settings\owner\Local Settings\Application Data\{17127B0F-1113-4DD1-8701-2B6A59A4226C}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP907\A0123395.exe a variant of Win32/Adware.HotBar.H application
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP923\A0133630.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
File::
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\10\5b43c10a-2f776c0b
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-41cb5788 
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\22\10dec256-7779507a 
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\26\407ef09a-7dbd7748 
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\45\667bb02d-41505bfc
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3fc4a15b
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-6ee74d66 
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-6253f12d.zip 
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7bdfd03e.zip 
C:\Documents and Settings\owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-2691faf1.zip 
C:\Documents and Settings\owner\My Documents\Downloaded Programs\Programs\VLCSetup.exe 
Folder::
c:\windows\system32\%APPDATA%
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please advise how the computer is running now and if there are any outstanding issues
 

Bluefish44

Thread Starter
Joined
Dec 18, 2010
Messages
5
Thanks again for all your help Catbyte - So far so good, everything seems to be working better. One final question. I have uninstalled AVG 2011 per instructions from some of your previous posts. I think I read somewhere here on the forum that there was another alternative free Antivirus program that was recommended over AVG. Would you recommend AVG or should I\ go with something else? Also, Does my Java need some sort of updating?, it looks like alot of the bugs in my system were a result of Java.
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi

Yes, we're not quite done yet.

I recommend Microsoft Security essentials for an antivirus, it's excellent and free:

http://www.microsoft.com/security_essentials/



NEXT



Visit ADOBEand download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 23 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 23 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u23 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how your computer is running now and if there are any outstanding issues.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top