Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Browser Redirect

Post by mmmarty » April 16th, 2010, 10:41 pm

My Firefox and IE browsers want to keep opening new pages for different advertisers, and even if no browser is open, one will try to open and go to these sites. My computer was nearly unusable for browsing. The only way I have it partially under control is using Malwarebytes to block dangerous sites. I have run updated versions of Malwarebytes, Spyware Doctor, McAfee, SUPERAntiSpyware Deluxe, Microsoft OneCare, McAfee Stingers, SmitFraud, AVG Anti-Rootkit, avast, ComboFix, and TDSSKiller. TDSSKiller noted c:\windows\system32\drivers\atapi.sys infected by the TDSS rootkit; it said it would be cured on reboot, but it did not. I have now run HijackThis and here are my logs. Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:27, on 4/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 00THotkey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6087.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8527 bytes

Uninstall list...
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
ALi AGP Driver 2.00
Alps Pointing-device Driver
AOL Uninstaller (Choose which Products to Remove)
Atheros Client Utility
avast! Free Antivirus
AVG Anti-Rootkit Free
Browser Defender 2.0.6.15
CCleaner
CD-Cover Editor v2.6
Drag'n Drop CD+DVD
DVD-RAM Driver
EVEREST Home Edition v2.20
GTK+ Runtime 2.6.9 rev a (remove only)
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
InterVideo WinDVD 4
J2SE Runtime Environment 5.0 Update 6
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobster Utility 2.4.0
Mozilla Firefox (3.6.3)
MSN Music Assistant
Notebook Maximizer
OGA Notifier 2.0.0048.0
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
QuickTime
Realtek Fast Ethernet Adapter Driver
Registry First Aid
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SoundMAX
Spyware Doctor 7.0
SUPERAntiSpyware Free Edition
SurfHere by Toshiba
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Controls
Toshiba Hotkey Utility for Display Devices
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
Toshiba Tbiosdrv Driver
TOSHIBA Utilities
Uninstall Startup Inspector
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB-IrDA Adapter
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Messenger
Yahoo! Toolbar
mmmarty
Active Member
 
Posts: 10
Joined: April 16th, 2010, 10:07 pm
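A small triage script for the HijackThis log format posted above, added here as an example; it is not a tool from MalwareRemoval.com or from the helper in this thread. It parses the R/O entry lines, flags registrations whose file is gone ("(no file)"), O23 services with an unknown publisher, and the presence of more than one antivirus vendor among the services, which is the overlap the reply below points out. The sample lines are copied from the log above; the AV_VENDORS list is an assumption for the sample.

```python
import re
from collections import Counter

# Sample input: entry lines copied from the HijackThis log posted above,
# plus the log header line, so the parser can be run offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe
"""

# Assumed list of vendor strings that denote a full antivirus product
# (constructed for this sample; extend it for real logs).
AV_VENDORS = {"ALWIL Software", "McAfee, Inc.", "Symantec Corporation"}

# Every HijackThis entry starts with a section tag such as R0, O2, O23, F2.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per entry line.

    Header lines (Logfile of..., Platform:, Running processes) do not match
    the section pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def parse_service(body):
    """Split an O23 body 'Service: NAME - VENDOR - PATH' into its three fields.

    rsplit from the right so a ' - ' inside the service name does not
    break the split; the path is assumed not to contain ' - '.
    """
    name, vendor, path = body[len("Service: "):].rsplit(" - ", 2)
    return name, vendor, path


def triage(entries):
    """Summarise the findings a helper looks for first in an HJT log."""
    report = {
        "by_section": Counter(),   # how many entries each section has
        "no_file": [],             # registrations pointing at a missing file
        "unknown_owner": [],       # services with no publisher string
        "av_vendors": set(),       # distinct antivirus vendors among O23 lines
    }
    for section, body in entries:
        report["by_section"][section] += 1
        # Orphaned toolbar / button / BHO registrations: the DLL is gone but
        # the registry entry is still there.
        if body.endswith("(no file)"):
            report["no_file"].append((section, body))
        if section == "O23":
            name, vendor, path = parse_service(body)
            if vendor == "Unknown owner":
                report["unknown_owner"].append((name, path))
            if vendor in AV_VENDORS:
                report["av_vendors"].add(vendor)
    report["av_vendors"] = sorted(report["av_vendors"])
    return report


def main():
    rep = triage(parse_hjt(SAMPLE_LOG))
    print("entries per section:", dict(rep["by_section"]))
    for section, body in rep["no_file"]:
        print(f"orphaned registration [{section}]: {body}")
    for name, path in rep["unknown_owner"]:
        print(f"service with unknown publisher: {name} -> {path}")
    if len(rep["av_vendors"]) > 1:
        print("more than one antivirus vendor resident:", ", ".join(rep["av_vendors"]))


if __name__ == "__main__":
    main()
```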

Re: Browser Redirect

Post by MWR 3 day Mod » April 20th, 2010, 12:27 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Browser Redirect

Post by deltalima » April 20th, 2010, 7:26 am

Hi mmmarty,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

multiple Anti Virus programs

  • It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:
    McAfee SecurityCenter
    avast! Free Antivirus
  • Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer.
  • Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

  • Please remove one of them.

You also have several other antimalware programs installed; I would recommend you also remove
Spyware Doctor 7.0
SUPERAntiSpyware Free Edition


And keep Malwarebytes' Anti-Malware

Please reboot and then post a new HijackThis log.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Browser Redirect

Post by mmmarty » April 20th, 2010, 12:10 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:08, on 4/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 00THotkey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6087.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\PEV.cfxxe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6079 bytes
mmmarty
Active Member
 
Posts: 10
Joined: April 16th, 2010, 10:07 pm

Re: Browser Redirect

Post by deltalima » April 20th, 2010, 2:01 pm

Hi mmmarty,

This looks like a variant of TDSS so we may need to do several scans to gather the information we need.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Browser Redirect

Post by mmmarty » April 20th, 2010, 5:02 pm

I don't know if it's pertinent, but I bought this used unit last year and don't know the history. It also would often give me script errors while browsing.

OTL logfile created on: 4/20/2010 2:25:31 PM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 41.69 Gb Free Space | 74.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 29.41 Mb Total Space | 23.34 Mb Free Space | 79.35% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-USER
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Mobster Utility\MobsterUtility.exe (Mobster Utility)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\WINDOWS\system32\00THotkey.exe (TOSHIBA Corp.)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)


========== Win32 Services (SafeList) ==========

SRV - (PEVSystemStart) -- File not found
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (ALWIL Software)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (HidServ) -- c:\WINDOWS\ServicePackFiles\i386\hidserv.dll (Microsoft Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE (Symantec Corporation)
SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
SRV - (DVD-RAM_Service) -- C:\WINDOWS\system32\DVDRAMSV.exe (Matsushita Electric Industrial Co., Ltd.)
SRV - (Pml Driver HPH11) -- C:\WINDOWS\system32\hphipm11.exe (HP)
SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (AVG Anti-Rootkit) -- C:\WINDOWS\System32\DRIVERS\avgarkt.sys (GRISOFT, s.r.o.)
DRV - (AvgArCln) -- C:\WINDOWS\system32\drivers\AvgArCln.sys (GRISOFT, s.r.o.)
DRV - (Sus2pl) -- C:\WINDOWS\system32\drivers\sus2pl.sys (Susteen)
DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
DRV - (tridxp) -- C:\WINDOWS\system32\drivers\tridxpm.sys (Trident Microsystems Inc.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (pciSd) -- C:\WINDOWS\system32\drivers\tossdpci.sys (TOSHIBA)
DRV - (tsdhd) -- C:\WINDOWS\system32\drivers\tsdhd.sys (TOSHIBA Corporation)
DRV - (meiudf) -- C:\WINDOWS\system32\drivers\meiudf.sys (Matsushita Electric Industrial Co.,Ltd.)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (ALiAGP) -- C:\WINDOWS\System32\DRIVERS\ALiAGP.sys (ALi Corporation.)
DRV - (AliIde) -- C:\WINDOWS\System32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (aliadwdm) -- C:\WINDOWS\system32\drivers\ac97ali.sys (Acer Laboratories Inc.)
DRV - (wlluc48) -- C:\WINDOWS\system32\drivers\wlluc48.sys (Lucent Technologies)
DRV - (wlags48b) -- C:\WINDOWS\system32\drivers\wlags48b.sys (Agere Systems)
DRV - (TVALD) -- C:\WINDOWS\System32\DRIVERS\TVALD.SYS (Toshiba Corporation)
DRV - (Dot4 HPH11) -- C:\WINDOWS\system32\drivers\hphid411.sys (HP)
DRV - (Dot4Usb HPH11) -- C:\WINDOWS\system32\drivers\hphius11.sys (HP)
DRV - (Dot4Print HPH11) -- C:\WINDOWS\system32\drivers\hphipr11.sys (HP)
DRV - (TBiosDrv) -- C:\WINDOWS\system32\drivers\Tbiosdrv.sys ()
DRV - (ALiIRDA) -- C:\WINDOWS\system32\drivers\aliirda.sys (Acer Laboratories Inc.)
DRV - (STIrUsb) -- C:\WINDOWS\system32\drivers\stirusb.sys (SigmaTel, Inc.)
DRV - (TVALG) -- C:\WINDOWS\System32\DRIVERS\TVALG.SYS (TOSHIBA Corporation)
DRV - (EUSBMSD) -- C:\WINDOWS\system32\drivers\EUSBMSD.SYS (SCM Microsystems Inc.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation )


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
IE - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.myspace.com/index.cfm?fuseaction=splash"
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.63
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1,localhost"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/03 23:59:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/10 14:25:51 | 000,000,000 | ---D | M]

[2000/01/01 15:29:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/04/26 12:04:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\33hd637r.default\extensions
[2010/04/24 13:08:37 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\33hd637r.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2006/05/10 14:20:29 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/04/23 09:15:54 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe (TOSHIBA Corp.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\00THotkey.exe (TOSHIBA Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O15 - HKU\S-1-5-21-1548733862-258382887-3402832025-1004\..Trusted Domains: live.com ([onecare] http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} http://download.ebay.com/turbo_lister/US/install.cab (Reg Error: Key error.)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/share ... insctl.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resour ... se6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx (Get_ActiveX Control)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/share ... cgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinsta ... s-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/sh ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://c:\WINDOWS\I386\DAJAVA.CAB (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://c:\WINDOWS\I386\XMLDSO.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\ic32pp {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/08/11 16:16:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/24 21:18:24 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/24 21:17:55 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
[2010/04/24 20:35:54 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/04/23 09:02:28 | 000,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2010/04/23 09:02:28 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe
[2010/04/23 09:02:28 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2010/04/23 09:02:28 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe
[2010/04/23 09:02:28 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2010/04/23 09:02:28 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2010/04/23 09:02:28 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2010/04/23 09:02:27 | 000,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2010/04/23 09:02:27 | 000,135,168 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swreg.exe
[2010/04/23 09:02:27 | 000,079,360 | ---- | C] (SteelWerX) -- C:\WINDOWS\System32\swxcacls.exe
[2010/04/23 09:02:27 | 000,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2010/04/23 09:00:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\SmitfraudFix
[2010/04/23 07:30:40 | 000,003,968 | ---- | C] (GRISOFT, s.r.o.) -- C:\WINDOWS\System32\drivers\AvgArCln.sys
[2010/04/23 07:30:37 | 000,000,000 | ---D | C] -- C:\Program Files\GRISOFT
[2010/04/23 03:02:46 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/04/23 02:46:04 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/22 01:09:31 | 002,189,319 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Owner\Desktop\stinger.exe
[2010/04/22 01:09:14 | 007,975,431 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Owner\Desktop\stinger1010838.exe
[2010/04/21 23:41:30 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/04/20 14:24:36 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/20 12:41:47 | 005,918,776 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup(2).exe
[2010/04/20 03:03:35 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/04/20 01:57:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Threat Expert
[2010/04/20 01:37:54 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
[2010/04/20 01:34:54 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/04/20 01:33:36 | 034,595,048 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Owner\Desktop\7.0.0.538f-sdsetup.exe
[2010/04/11 23:55:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/11 23:55:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/11 22:07:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/11 22:06:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2010/04/11 22:06:50 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/10 11:47:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer
[2010/04/10 11:45:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/04/09 04:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/24 20:43:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Startup
[2010/03/24 17:07:53 | 000,882,166 | ---- | C] (Mobster Utility ) -- C:\Documents and Settings\Owner\Desktop\mu-setup(2).exe
[2009/12/06 13:42:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/11/16 01:12:29 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004/10/31 16:04:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004/09/24 22:27:43 | 003,605,496 | ---- | C] (Webroot Software, Inc. ) -- C:\Program Files\sspsetup648_1761680631.exe
[2004/08/20 23:42:12 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/07/29 11:09:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[1998/12/08 21:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/08 21:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/08 21:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/08 21:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/08 21:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/08 21:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/26 13:50:42 | 000,005,888 | ---- | M] (Microsoft Corp., Veritas Software.) -- C:\WINDOWS\System32\dllcache\dmload.sys
[2010/04/24 21:18:24 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2010/04/24 21:17:54 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
[2010/04/24 20:36:29 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/04/23 09:16:03 | 000,001,046 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/23 08:57:04 | 001,872,472 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe
[2010/04/23 07:30:41 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Anti-Rootkit Free.lnk
[2010/04/23 00:15:12 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/22 20:49:32 | 000,000,069 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\stinger.opt
[2010/04/22 11:02:05 | 000,000,017 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\stinger1010838.opt
[2010/04/22 01:09:31 | 002,189,319 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Owner\Desktop\stinger.exe
[2010/04/22 01:09:20 | 007,975,431 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Owner\Desktop\stinger1010838.exe
[2010/04/21 01:03:09 | 000,000,354 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\fix.reg
[2010/04/20 14:24:33 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/04/20 12:41:53 | 005,918,776 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup(2).exe
[2010/04/20 12:27:19 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
[2010/04/20 12:00:00 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\mjfyjghy.job
[2010/04/20 11:01:10 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/20 11:00:56 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/04/20 11:00:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/20 11:00:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/20 10:59:56 | 003,670,016 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/04/20 10:59:56 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/04/20 10:59:49 | 005,559,122 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/04/20 01:34:22 | 034,595,048 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Owner\Desktop\7.0.0.538f-sdsetup.exe
[2010/04/20 01:30:42 | 000,001,376 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1nsO3pTQCOnL
[2010/04/14 11:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 11:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 11:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 11:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 11:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 11:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 11:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 11:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 11:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/11 22:03:46 | 007,899,168 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\SUPERAntiSpyware.exe
[2010/04/10 15:28:47 | 000,000,634 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Registry First Aid.lnk
[2010/04/10 14:16:31 | 000,011,596 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\N8NHc
[2010/04/10 13:28:17 | 000,011,660 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\1668752224
[2010/04/10 13:24:02 | 000,011,660 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\284374023
[2010/04/10 13:24:02 | 000,011,660 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\1668752224
[2010/04/10 13:23:45 | 000,011,656 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\N8NHc
[2010/04/10 13:23:45 | 000,011,656 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\284374023
[2010/04/10 01:14:03 | 000,000,185 | ---- | M] () -- C:\WINDOWS\mdm.ini
[2010/04/07 19:33:23 | 000,003,425 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Flyer.rtf
[2010/04/07 19:32:24 | 000,007,680 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Thumbs(2).db
[2010/04/07 19:32:20 | 000,325,712 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\nosubjec(2)
[2010/04/07 19:32:11 | 000,046,199 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\nosubjec
[2010/04/07 19:31:03 | 000,000,757 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Flyer.doc
[2010/04/07 19:26:27 | 000,044,319 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\AutoIDCards.pdf
[2010/04/07 12:34:20 | 002,359,350 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\kerri.bmp
[2010/04/05 20:02:45 | 000,057,646 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Bacon!.jpg
[2010/04/03 11:03:05 | 000,260,704 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\me.jpg
[2010/03/31 19:38:34 | 001,513,024 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\461700-ms6170-0602 tractor engine.pdf
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/25 12:59:08 | 001,496,399 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\TGTC_XP_4.3.zip
[2010/03/24 17:08:16 | 000,000,695 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MobsterUtility.lnk
[2010/03/24 17:07:51 | 000,882,166 | ---- | M] (Mobster Utility ) -- C:\Documents and Settings\Owner\Desktop\mu-setup(2).exe
[2010/03/22 10:43:00 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/24 21:18:24 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2010/04/24 20:36:31 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/04/23 09:04:08 | 000,001,046 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/23 09:02:28 | 000,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2010/04/23 09:02:27 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2010/04/23 09:02:27 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\swsc.exe
[2010/04/23 09:00:11 | 001,872,472 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe
[2010/04/23 07:30:41 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Anti-Rootkit Free.lnk
[2010/04/22 11:21:56 | 000,000,069 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\stinger.opt
[2010/04/22 01:29:19 | 000,000,017 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\stinger1010838.opt
[2010/04/21 01:03:09 | 000,000,354 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\fix.reg
[2010/04/20 01:37:56 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/04/20 01:30:42 | 000,001,376 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\1nsO3pTQCOnL
[2010/04/11 23:56:08 | 000,001,376 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1nsO3pTQCOnL
[2010/04/11 23:56:08 | 000,001,028 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\1nsO3pTQCOnL
[2010/04/11 22:03:34 | 007,899,168 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\SUPERAntiSpyware.exe
[2010/04/10 13:28:15 | 000,011,660 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\1668752224
[2010/04/10 13:24:00 | 000,011,660 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\284374023
[2010/04/10 13:24:00 | 000,011,660 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1668752224
[2010/04/10 13:23:32 | 000,011,656 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\N8NHc
[2010/04/10 13:23:32 | 000,011,656 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\284374023
[2010/04/10 13:15:41 | 000,011,596 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\N8NHc
[2010/04/10 13:15:41 | 000,011,596 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\N8NHc
[2010/04/07 19:33:23 | 000,003,425 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Flyer.rtf
[2010/04/07 19:32:26 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Thumbs(2).db
[2010/04/07 19:32:22 | 000,325,712 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\nosubjec(2)
[2010/04/07 19:32:16 | 000,046,199 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\nosubjec
[2010/04/07 19:31:08 | 000,000,757 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Flyer.doc
[2010/04/07 19:26:31 | 000,044,319 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\AutoIDCards.pdf
[2010/04/07 12:33:50 | 002,359,350 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\kerri.bmp
[2010/04/05 20:03:12 | 000,057,646 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Bacon!.jpg
[2010/04/03 11:03:04 | 000,260,704 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\me.jpg
[2010/03/31 19:38:34 | 001,513,024 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\461700-ms6170-0602 tractor engine.pdf
[2010/03/25 12:59:11 | 001,496,399 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\TGTC_XP_4.3.zip
[2010/01/09 23:56:49 | 003,670,016 | ---- | C] () -- C:\Documents and Settings\Owner\ntuser.dat
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2006/11/15 00:50:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\.gtk-bookmarks
[2006/09/28 18:49:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/08/06 13:19:35 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/05/18 23:55:42 | 000,001,367 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/11/27 20:23:49 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2005/07/09 22:56:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2005/04/28 00:35:01 | 000,000,000 | R--- | C] () -- C:\WINDOWS\System32\svconfig.ini
[2004/10/02 00:49:57 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/08/10 00:46:23 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2004/08/10 00:46:21 | 000,000,149 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2004/07/10 21:55:38 | 000,252,416 | ---- | C] () -- C:\WINDOWS\System32\wsiShared.dll
[2004/06/26 21:18:50 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2004/06/23 20:30:18 | 000,000,059 | ---- | C] () -- C:\WINDOWS\LTDLG13N.INI
[2004/06/23 20:12:29 | 000,000,062 | ---- | C] () -- C:\WINDOWS\DpxCalendar.INI
[2004/06/23 16:10:16 | 000,000,072 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/05/09 19:33:12 | 000,000,344 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2004/03/21 00:38:00 | 000,000,020 | ---- | C] () -- C:\WINDOWS\DPilot.INI
[2004/03/07 12:42:06 | 000,198,144 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2004/03/06 20:12:13 | 000,000,339 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/03/06 19:55:57 | 000,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI
[2004/03/06 19:26:24 | 000,000,214 | ---- | C] () -- C:\WINDOWS\hpfaxset.ini
[2004/03/06 17:48:59 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\IMPLODE.DLL
[2004/03/06 17:48:32 | 000,083,968 | ---- | C] () -- C:\WINDOWS\System32\swft32.dll
[2004/03/06 17:48:32 | 000,035,328 | ---- | C] () -- C:\WINDOWS\System32\fort32.dll
[2004/03/06 17:47:36 | 000,000,129 | ---- | C] () -- C:\WINDOWS\UPSWSHIP.INI
[2004/03/05 23:49:12 | 000,051,712 | ---- | C] () -- C:\WINDOWS\wc98pp.dll
[2004/02/16 02:30:10 | 000,176,881 | ---- | C] () -- C:\Documents and Settings\Owner\~
[2004/02/11 19:31:22 | 000,000,494 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/02/11 19:31:21 | 000,000,185 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2004/02/11 19:31:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2004/01/28 14:55:25 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Owner\ntuser.dat.LOG
[2004/01/28 14:55:25 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Owner\ntuser.ini
[2004/01/28 14:55:08 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2004/01/28 14:55:08 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2004/01/28 14:54:58 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004/01/28 14:54:57 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2003/08/13 11:00:55 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/08/11 18:15:57 | 000,001,532 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/08/11 18:05:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2003/08/11 18:05:06 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/08/11 18:04:49 | 000,000,608 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/08/11 17:51:55 | 000,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.ini
[2003/08/11 17:28:41 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2003/08/11 17:28:41 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2003/08/11 17:28:41 | 000,009,149 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2003/08/11 17:28:41 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2003/08/11 17:19:42 | 000,006,528 | ---- | C] () -- C:\WINDOWS\System32\drivers\Tbiosdrv.sys
[2003/08/11 16:34:13 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/08/11 16:20:08 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/08/11 16:12:38 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/08/11 15:48:24 | 000,000,382 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/04/24 18:32:58 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\TVCtrl.dll
[2003/04/24 18:32:36 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\Multview.dll
[2003/04/24 18:32:12 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\LCDCtrl.dll
[2003/04/24 18:31:48 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\GenCtrl.dll
[2003/04/24 18:31:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\CRTCtrl.dll
[2003/04/24 18:31:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ColorCtr.dll
[2002/11/22 14:50:06 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll
[2000/01/01 04:39:49 | 000,000,000 | R--- | C] () -- C:\WINDOWS\System32\RCCustomSetup.ini
[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

OTL Extras logfile created on: 4/20/2010 2:25:31 PM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 41.69 Gb Free Space | 74.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 29.41 Mb Total Space | 23.34 Mb Free Space | 79.35% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-USER
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] --

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{10F5D9BB-E2F2-4B18-A65D-928B73D22E6F}" = USB-IrDA Adapter
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}" = TOSHIBA Console
"{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}" = TOSHIBA SD Memory Card Format
"{76E46F23-8DFB-4993-895E-80D95FEE6E86}" = Atheros Client Utility
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}" = Realtek Fast Ethernet Adapter Driver
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Alps Pointing-device Driver
"{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}" = TOSHIBA Controls
"{A962C8E1-4F0B-4BA9-806E-B8D9A3B31F82}" = SurfHere by Toshiba
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.8
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{DDC146FA-73E0-4FA1-A353-841EA14BF600}" = Drag'n Drop CD+DVD
"{DE114695-AE58-4B66-8E0F-2505188602FB}_is1" = Uninstall Startup Inspector
"{EC16B64A-38A7-4D7D-BA2E-671ED441304F}" = ALi AGP Driver 2.00
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F6C405D2-C50D-4D10-B89E-73A233A14D74}" = Toshiba Registration
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"avast5" = avast! Free Antivirus
"AVGantiRootkit" = AVG Anti-Rootkit Free
"CCleaner" = CCleaner
"CD-Cover Editor_is1" = CD-Cover Editor v2.6
"EVEREST Home Edition_is1" = EVEREST Home Edition v2.20
"GTK 2.0" = GTK+ Runtime 2.6.9 rev a (remove only)
"HijackThis" = HijackThis 2.0.2
"hphuni04" = Photosmart 130,230,7150,7345,7350,7550 (Remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mobster Utility_is1" = Mobster Utility 2.4.0
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Notebook_Maximizer" = Notebook Maximizer
"Recover My Files_is1" = Recover My Files
"Registry First Aid_is1" = Registry First Aid
"ShockwaveFlash" = Macromedia Flash Player 8
"TFNF5" = Toshiba Hotkey Utility for Display Devices
"TOSHIBA Access" = TOSHIBA Access
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"TOSHIBA Software Upgrades" = TOSHIBA Software Upgrades
"Toshiba Tbiosdrv Driver" = Toshiba Tbiosdrv Driver
"TOSHIBA Utilities" = TOSHIBA Utilities
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1548733862-258382887-3402832025-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 1/29/2010 11:44:41 AM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

Error - 1/29/2010 11:45:01 AM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

Error - 1/29/2010 11:45:12 AM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

Error - 1/29/2010 11:57:31 AM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

Error - 1/29/2010 11:58:02 AM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

Error - 1/29/2010 11:58:27 AM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

Error - 1/29/2010 11:58:39 AM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

Error - 1/29/2010 12:13:52 PM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

Error - 1/29/2010 12:14:03 PM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

Error - 1/29/2010 7:37:43 PM | Computer Name = TOSHIBA-USER | Source = avast! | ID = 33554522
Description =

[ Application Events ]
Error - 4/19/2010 11:50:54 AM | Computer Name = TOSHIBA-USER | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 4/19/2010 11:55:55 AM | Computer Name = TOSHIBA-USER | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 4/19/2010 12:00:55 PM | Computer Name = TOSHIBA-USER | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 4/19/2010 12:05:55 PM | Computer Name = TOSHIBA-USER | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 4/19/2010 12:10:55 PM | Computer Name = TOSHIBA-USER | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 4/19/2010 12:15:55 PM | Computer Name = TOSHIBA-USER | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 4/19/2010 12:20:55 PM | Computer Name = TOSHIBA-USER | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 4/19/2010 12:25:55 PM | Computer Name = TOSHIBA-USER | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Internet connection not detected.

Error - 4/19/2010 12:31:25 PM | Computer Name = TOSHIBA-USER | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 10.0.0.1241, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/20/2010 11:43:57 AM | Computer Name = TOSHIBA-USER | Source = MsiInstaller | ID = 11704
Description = Product: SUPERAntiSpyware Free Edition -- Error 1704. An installation
for Microsoft Office 2000 Professional is currently suspended. You must undo the
changes made by that installation to continue. Do you want to undo those changes?

[ System Events ]
Error - 4/26/2010 2:49:03 PM | Computer Name = TOSHIBA-USER | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 4/26/2010 11:24:06 PM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 4/26/2010 11:24:06 PM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the SoundMAX Agent Service
service to connect.

Error - 4/26/2010 11:24:06 PM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7000
Description = The SoundMAX Agent Service service failed to start due to the following
error: %%1053

Error - 4/26/2010 11:24:38 PM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 4/26/2010 11:25:38 PM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the McAfee Real-time Scanner service,
but this action failed with the following error: %%1056

Error - 4/19/2010 12:34:49 PM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 4/20/2010 11:44:09 AM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7000
Description = The SASDIFSV service failed to start due to the following error: %%183

Error - 4/20/2010 11:54:50 AM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 4/20/2010 12:01:02 PM | Computer Name = TOSHIBA-USER | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747


< End of report >


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-20 15:56:06
Windows 5.1.2600 Service Pack 3
Running: couw216p.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwriyfob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB5869C08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB5869AC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB586A078]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB5869FA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB586969A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB5869B9E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB58695DA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB586963E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB5869CBE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB586A146]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB5869C7E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB5869DFE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB587650A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB587632E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB5876468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP B587397E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP B5876332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP B587650E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP B58724AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP B587646C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2564] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[464] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[464] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs AFDAC400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 10
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----
mmmarty
Active Member
 
Posts: 10
Joined: April 16th, 2010, 10:07 pm

Re: Browser Redirect

Post by deltalima » April 20th, 2010, 5:35 pm

Hi mmmarty,

You have already run Combofix and so should have the Recovery Console installed; if not, let me know and I will give instructions.

Please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.

As soon as the computer starts there will be a black screen with white writing displayed for a few seconds.

On this screen there will be the options to boot Microsoft Windows XP or
Microsoft Windows Recovery Console

Use the cursor keys to select Microsoft Windows Recovery Console then press enter.

Windows will boot to a text based screen and ask you to select the installation to log into, please choose the correct one, usually option 1 and press enter.

Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat


You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig

Follow the prompts, and post the log produced, C:\looklog.txt
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Browser Redirect

Post by mmmarty » April 21st, 2010, 8:14 am

Run from C:\Documents and Settings\Owner\Desktop\maxlook.exe on Wed 04/21/2010 at  7:02:38.75

--------- maxlook unsigned files ---------

c:\windows\maxdriver\AvgArCln.sys:
	Verified:	Unsigned
	File date:	07:00 1/18/2007
	Publisher:	GRISOFT, s.r.o.
	Description:	AVG7 Clean Driver
	Product:	AVG7 Clean Driver
	Version:	1.0.0.14
	File version:	1.0.0.14
c:\windows\maxdriver\avgarkt.sys:
	Verified:	Unsigned
	File date:	08:33 1/31/2007
	Publisher:	GRISOFT, s.r.o.
	Description:	AVG Anti-Rootkit Driver
	Product:	AVG Anti-Rootkit
	Version:	1.0.0.13
	File version:	1.0.0.13
c:\windows\maxdriver\mdc8021x.sys:
	Verified:	Unsigned
	File date:	14:54 1/28/2004
	Publisher:	Meetinghouse Data Communications
	Description:	IEEE 802.1X Protocol Driver
	Product:	AEGIS Client 2.2
	Version:	2.2.0.0
	File version:	2,2,0,0
c:\windows\maxdriver\meiudf.sys:
	Verified:	Unsigned
	File date:	19:45 1/31/2003
	Publisher:	Matsushita Electric Industrial Co.,Ltd.
	Description:	DVD-RAM UDF File System Driver
	Product:	n/a
	Version:	n/a
	File version:	3.0.8.0
c:\windows\maxdriver\pxhelp20.sys:
	Verified:	Unsigned
	File date:	04:02 11/27/2002
	Publisher:	VERITAS Software, Inc.
	Description:	PxHelper Device Driver for Windows 2000
	Product:	PxHelp20
	Version:	n/a
	File version:	2.02.44a
c:\windows\maxdriver\R8139n51.sys:
	Verified:	Unsigned
	File date:	12:04 10/4/2002
	Publisher:	Realtek Semiconductor Corporation       
	Description:	Realtek RTL8139/810x Family NDIS 5.1 Drv
	Product:	Realtek RTL8139/810x Family Fast Ethernet NIC               
	Version:	5.505.1004.2002
	File version:	5.505.1004.2002 built by: WinDDK
c:\windows\maxdriver\RTL8139.sys:
	Verified:	Unsigned
	File date:	07:12 8/17/2001
	Publisher:	Realtek Semiconductor Corporation                                                
	Description:	NDIS 5.0 driver                                                                  
	Product:	Realtek RTL8139 Family Based Fast Ethernet Adapter                          
	Version:	5.396.0530.2001
	File version:	5.396.0530.2001
c:\windows\maxdriver\stirusb.sys:
	Verified:	Unsigned
	File date:	13:07 9/24/2001
	Publisher:	SigmaTel, Inc.
	Description:	NDIS 5.0 USB Infra-Red Driver
	Product:	SigmaTel STIr
	Version:	1.0.0.0
	File version:	1, 26, 0, 0
c:\windows\maxdriver\sus2pl.sys:
	Verified:	Unsigned
	File date:	17:33 3/31/2004
	Publisher:	Susteen
	Description:	Susteen USB-Serial Port Driver
	Product:	Susteen Universal Cable II
	Version:	2.0.0.25
	File version:	2.0.0.25
c:\windows\maxdriver\Tbiosdrv.sys:
	Verified:	Unsigned
	File date:	16:43 1/24/2002
	Publisher:	n/a
	Description:	n/a
	Product:	n/a
	Version:	n/a
	File version:	n/a
c:\windows\maxdriver\tsdhd.sys:
	Verified:	Unsigned
	File date:	19:27 2/10/2003
	Publisher:	TOSHIBA Corporation
	Description:	SD Card Host Controller Driver
	Product:	SD Card Driver Set
	Version:	2, 0, 2, 0
	File version:	2, 0, 2, 30210
c:\windows\maxdriver\TVALD.SYS:
	Verified:	Unsigned
	File date:	23:53 6/20/2002
	Publisher:	Toshiba Corporation
	Description:	Toshiba ACPI-Based Value Added Logical Device Driver
	Product:	Toshiba ACPI-Compliant Value Added Logical Device
	Version:	V2, 0, 1
	File version:	V2, 0,1
c:\windows\maxdriver\TVALG.SYS:
	Verified:	Unsigned
	File date:	19:53 9/13/2001
	Publisher:	TOSHIBA Corporation
	Description:	TOSHIBA Value Added Logical and General Purpose Device Driver
	Product:	TOSHIBA Value Added Logical and General Purpose Device Driver
	Version:	2, 0, 0, 7
	File version:	2, 0, 0, 7

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\AvgArCln.sys:
	Verified:	Unsigned
	File date:	07:00 1/18/2007
	Publisher:	GRISOFT, s.r.o.
	Description:	AVG7 Clean Driver
	Product:	AVG7 Clean Driver
	Version:	1.0.0.14
	File version:	1.0.0.14
c:\windows\system32\drivers\avgarkt.sys:
	Verified:	Unsigned
	File date:	08:33 1/31/2007
	Publisher:	GRISOFT, s.r.o.
	Description:	AVG Anti-Rootkit Driver
	Product:	AVG Anti-Rootkit
	Version:	1.0.0.13
	File version:	1.0.0.13
c:\windows\system32\drivers\mdc8021x.sys:
	Verified:	Unsigned
	File date:	14:54 1/28/2004
	Publisher:	Meetinghouse Data Communications
	Description:	IEEE 802.1X Protocol Driver
	Product:	AEGIS Client 2.2
	Version:	2.2.0.0
	File version:	2,2,0,0
c:\windows\system32\drivers\meiudf.sys:
	Verified:	Unsigned
	File date:	19:45 1/31/2003
	Publisher:	Matsushita Electric Industrial Co.,Ltd.
	Description:	DVD-RAM UDF File System Driver
	Product:	n/a
	Version:	n/a
	File version:	3.0.8.0
c:\windows\system32\drivers\pxhelp20.sys:
	Verified:	Unsigned
	File date:	04:02 11/27/2002
	Publisher:	VERITAS Software, Inc.
	Description:	PxHelper Device Driver for Windows 2000
	Product:	PxHelp20
	Version:	n/a
	File version:	2.02.44a
c:\windows\system32\drivers\R8139n51.sys:
	Verified:	Unsigned
	File date:	12:04 10/4/2002
	Publisher:	Realtek Semiconductor Corporation       
	Description:	Realtek RTL8139/810x Family NDIS 5.1 Drv
	Product:	Realtek RTL8139/810x Family Fast Ethernet NIC               
	Version:	5.505.1004.2002
	File version:	5.505.1004.2002 built by: WinDDK
c:\windows\system32\drivers\RTL8139.sys:
	Verified:	Unsigned
	File date:	07:12 8/17/2001
	Publisher:	Realtek Semiconductor Corporation                                                
	Description:	NDIS 5.0 driver                                                                  
	Product:	Realtek RTL8139 Family Based Fast Ethernet Adapter                          
	Version:	5.396.0530.2001
	File version:	5.396.0530.2001
c:\windows\system32\drivers\stirusb.sys:
	Verified:	Unsigned
	File date:	13:07 9/24/2001
	Publisher:	SigmaTel, Inc.
	Description:	NDIS 5.0 USB Infra-Red Driver
	Product:	SigmaTel STIr
	Version:	1.0.0.0
	File version:	1, 26, 0, 0
c:\windows\system32\drivers\sus2pl.sys:
	Verified:	Unsigned
	File date:	17:33 3/31/2004
	Publisher:	Susteen
	Description:	Susteen USB-Serial Port Driver
	Product:	Susteen Universal Cable II
	Version:	2.0.0.25
	File version:	2.0.0.25
c:\windows\system32\drivers\Tbiosdrv.sys:
	Verified:	Unsigned
	File date:	16:43 1/24/2002
	Publisher:	n/a
	Description:	n/a
	Product:	n/a
	Version:	n/a
	File version:	n/a
c:\windows\system32\drivers\tsdhd.sys:
	Verified:	Unsigned
	File date:	19:27 2/10/2003
	Publisher:	TOSHIBA Corporation
	Description:	SD Card Host Controller Driver
	Product:	SD Card Driver Set
	Version:	2, 0, 2, 0
	File version:	2, 0, 2, 30210
c:\windows\system32\drivers\TVALD.SYS:
	Verified:	Unsigned
	File date:	23:53 6/20/2002
	Publisher:	Toshiba Corporation
	Description:	Toshiba ACPI-Based Value Added Logical Device Driver
	Product:	Toshiba ACPI-Compliant Value Added Logical Device
	Version:	V2, 0, 1
	File version:	V2, 0,1
c:\windows\system32\drivers\TVALG.SYS:
	Verified:	Unsigned
	File date:	19:53 9/13/2001
	Publisher:	TOSHIBA Corporation
	Description:	TOSHIBA Value Added Logical and General Purpose Device Driver
	Product:	TOSHIBA Value Added Logical and General Purpose Device Driver
	Version:	2, 0, 0, 7
	File version:	2, 0, 0, 7
mmmarty
Active Member
 
Posts: 10
Joined: April 16th, 2010, 10:07 pm
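The two sections of the maxlook log above can be checked against each other mechanically. The script below is an added example, not the thread's or maxlook's own code; it assumes that the "maxlook unsigned files" section lists the driver copies that look.bat made from the Recovery Console (offline) and the "system32\drivers unsigned files" section lists the live copies, so a driver present in only one list, or with differing metadata, is the one to look at more closely. The sample log is constructed in the log's format, with discrepancies inserted deliberately.

```python
import re

# Constructed sample in the thread's log format (not the thread's own log):
# sus2pl.sys appears in both sections with its live metadata altered,
# TVALG.SYS only in the offline copies, AvgArCln.sys only in the live tree.
SAMPLE_LOG = """\
Run from C:\\Documents and Settings\\Owner\\Desktop\\maxlook.exe on Wed 04/21/2010 at  7:02:38.75

--------- maxlook unsigned files ---------

c:\\windows\\maxdriver\\sus2pl.sys:
\tVerified:\tUnsigned
\tFile date:\t17:33 3/31/2004
\tPublisher:\tSusteen
\tDescription:\tSusteen USB-Serial Port Driver
\tProduct:\tSusteen Universal Cable II
\tVersion:\t2.0.0.25
\tFile version:\t2.0.0.25
c:\\windows\\maxdriver\\TVALG.SYS:
\tVerified:\tUnsigned
\tFile date:\t19:53 9/13/2001
\tPublisher:\tTOSHIBA Corporation
\tDescription:\tTOSHIBA Value Added Logical and General Purpose Device Driver
\tProduct:\tTOSHIBA Value Added Logical and General Purpose Device Driver
\tVersion:\t2, 0, 0, 7
\tFile version:\t2, 0, 0, 7

--------- system32\\drivers unsigned files ---------

c:\\windows\\system32\\drivers\\AvgArCln.sys:
\tVerified:\tUnsigned
\tFile date:\t07:00 1/18/2007
\tPublisher:\tGRISOFT, s.r.o.
\tDescription:\tAVG7 Clean Driver
\tProduct:\tAVG7 Clean Driver
\tVersion:\t1.0.0.14
\tFile version:\t1.0.0.14
c:\\windows\\system32\\drivers\\sus2pl.sys:
\tVerified:\tUnsigned
\tFile date:\t09:12 4/19/2010
\tPublisher:\tn/a
\tDescription:\tn/a
\tProduct:\tn/a
\tVersion:\tn/a
\tFile version:\tn/a
"""
SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")   # "--------- name ---------"
ENTRY_RE = re.compile(r"^(\S.*):$")                    # unindented path ending in ':'
FIELD_RE = re.compile(r"^\t([^:]+):\t(.*)$")           # tab-indented "Key:<tab>Value"

def parse_maxlook(text):
    """Return {section name: {lower-case file name: {field: value, 'path': path}}}."""
    sections = {}
    section = None
    entry = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections[section] = {}
            entry = None
            continue
        if section is None:          # preamble ("Run from ...") carries no entries
            continue
        m = ENTRY_RE.match(line)
        if m:
            path = m.group(1)
            entry = {"path": path}
            sections[section][path.rsplit("\\", 1)[-1].lower()] = entry
            continue
        m = FIELD_RE.match(line)
        if m and entry is not None:
            entry[m.group(1)] = m.group(2).strip()   # sigcheck pads some values with spaces
    return sections

COMPARED_FIELDS = ("Verified", "File date", "Publisher", "Description", "Version", "File version")

def compare_sections(sections, offline="maxlook unsigned files",
                     live="system32\\drivers unsigned files"):
    """Return (file name, finding, detail) triples; both lists hold only UNSIGNED
    files, so a name in one list only means the other copy is signed or missing."""
    off, liv = sections.get(offline, {}), sections.get(live, {})
    findings = []
    for name in sorted(set(off) | set(liv)):
        if name not in liv:
            findings.append((name, "only in offline copies", off[name]["path"]))
        elif name not in off:
            findings.append((name, "only in live system32\\drivers", liv[name]["path"]))
        else:
            for field in COMPARED_FIELDS:
                a, b = off[name].get(field, ""), liv[name].get(field, "")
                if a != b:
                    findings.append((name, f"{field} differs", f"offline={a!r} live={b!r}"))
    return findings

if __name__ == "__main__":
    for name, finding, detail in compare_sections(parse_maxlook(SAMPLE_LOG)):
        print(f"{name:14} {finding:32} {detail}")
```

On a real log, call compare_sections(parse_maxlook(open(r"C:\looklog.txt").read())); an empty result, as in the log posted above, means both views of every unsigned driver agree.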

Re: Browser Redirect

Post by deltalima » April 21st, 2010, 9:03 am

Hi mmmarty,

Go to Start > Run and copy/paste the following, then press Enter

maxlook -cleanup

Now please run another TDSSKiller scan as follows

TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file TDSSKiller.zip; it will create a folder named tdsskiller on your desktop
  • Next double-click the tdsskiller Folder on your desktop.
  • Next right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply

Please Download Kenco.exe by jpshortstuff and save it to your Desktop.

  • Close all other programs before executing!
  • Double click Kenco.exe, to begin execution. Scan should only take a few minutes.
  • When finished, the log file " Kenco.log" will open in Notepad.
  • It will also be saved in the same location as Kenco.exe which should be on your desktop.
  • Please post the contents of that log in your next reply.

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply along with the TDSSKiller log and the kenco log.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Browser Redirect

Unread postby mmmarty » April 21st, 2010, 1:55 pm

12:36:38:457 1220 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:36:38:457 1220 ================================================================================
12:36:38:457 1220 SystemInfo:

12:36:38:457 1220 OS Version: 5.1.2600 ServicePack: 3.0
12:36:38:457 1220 Product type: Workstation
12:36:38:457 1220 ComputerName: TOSHIBA-USER
12:36:38:457 1220 UserName: Owner
12:36:38:457 1220 Windows directory: C:\WINDOWS
12:36:38:457 1220 Processor architecture: Intel x86
12:36:38:457 1220 Number of processors: 1
12:36:38:457 1220 Page size: 0x1000
12:36:38:457 1220 Boot type: Normal boot
12:36:38:457 1220 ================================================================================
12:36:38:477 1220 UnloadDriverW: NtUnloadDriver error 2
12:36:38:477 1220 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:36:38:557 1220 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:36:38:557 1220 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:36:38:557 1220 wfopen_ex: Trying to KLMD file open
12:36:38:557 1220 wfopen_ex: File opened ok (Flags 2)
12:36:38:557 1220 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:36:38:557 1220 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:36:38:557 1220 wfopen_ex: Trying to KLMD file open
12:36:38:557 1220 wfopen_ex: File opened ok (Flags 2)
12:36:38:557 1220 Initialize success
12:36:38:557 1220
12:36:38:557 1220 Scanning Services ...
12:36:39:037 1220 Raw services enum returned 327 services
12:36:39:047 1220
12:36:39:047 1220 Scanning Kernel memory ...
12:36:39:047 1220 Devices to scan: 4
12:36:39:047 1220
12:36:39:047 1220 Driver Name: Disk
12:36:39:047 1220 IRP_MJ_CREATE : F763DBB0
12:36:39:047 1220 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:36:39:047 1220 IRP_MJ_CLOSE : F763DBB0
12:36:39:047 1220 IRP_MJ_READ : F7637D1F
12:36:39:047 1220 IRP_MJ_WRITE : F7637D1F
12:36:39:047 1220 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:36:39:047 1220 IRP_MJ_SET_INFORMATION : 804FA88E
12:36:39:047 1220 IRP_MJ_QUERY_EA : 804FA88E
12:36:39:047 1220 IRP_MJ_SET_EA : 804FA88E
12:36:39:047 1220 IRP_MJ_FLUSH_BUFFERS : F76382E2
12:36:39:047 1220 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:36:39:047 1220 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:36:39:047 1220 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:36:39:047 1220 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:36:39:047 1220 IRP_MJ_DEVICE_CONTROL : F76383BB
12:36:39:047 1220 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
12:36:39:047 1220 IRP_MJ_SHUTDOWN : F76382E2
12:36:39:047 1220 IRP_MJ_LOCK_CONTROL : 804FA88E
12:36:39:047 1220 IRP_MJ_CLEANUP : 804FA88E
12:36:39:047 1220 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:36:39:047 1220 IRP_MJ_QUERY_SECURITY : 804FA88E
12:36:39:047 1220 IRP_MJ_SET_SECURITY : 804FA88E
12:36:39:047 1220 IRP_MJ_POWER : F7639C82
12:36:39:047 1220 IRP_MJ_SYSTEM_CONTROL : F763E99E
12:36:39:047 1220 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:36:39:047 1220 IRP_MJ_QUERY_QUOTA : 804FA88E
12:36:39:047 1220 IRP_MJ_SET_QUOTA : 804FA88E
12:36:39:078 1220 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:36:39:078 1220
12:36:39:078 1220 Driver Name: pciSd
12:36:39:078 1220 IRP_MJ_CREATE : BA06144C
12:36:39:078 1220 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:36:39:078 1220 IRP_MJ_CLOSE : BA06144C
12:36:39:078 1220 IRP_MJ_READ : 804FA88E
12:36:39:078 1220 IRP_MJ_WRITE : 804FA88E
12:36:39:078 1220 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:36:39:078 1220 IRP_MJ_SET_INFORMATION : 804FA88E
12:36:39:078 1220 IRP_MJ_QUERY_EA : 804FA88E
12:36:39:078 1220 IRP_MJ_SET_EA : 804FA88E
12:36:39:078 1220 IRP_MJ_FLUSH_BUFFERS : 804FA88E
12:36:39:078 1220 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:36:39:078 1220 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:36:39:078 1220 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:36:39:078 1220 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:36:39:078 1220 IRP_MJ_DEVICE_CONTROL : BA06144C
12:36:39:078 1220 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA06144C
12:36:39:078 1220 IRP_MJ_SHUTDOWN : 804FA88E
12:36:39:078 1220 IRP_MJ_LOCK_CONTROL : 804FA88E
12:36:39:078 1220 IRP_MJ_CLEANUP : 804FA88E
12:36:39:078 1220 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:36:39:078 1220 IRP_MJ_QUERY_SECURITY : 804FA88E
12:36:39:078 1220 IRP_MJ_SET_SECURITY : 804FA88E
12:36:39:078 1220 IRP_MJ_POWER : BA06144C
12:36:39:078 1220 IRP_MJ_SYSTEM_CONTROL : BA06144C
12:36:39:078 1220 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:36:39:078 1220 IRP_MJ_QUERY_QUOTA : 804FA88E
12:36:39:078 1220 IRP_MJ_SET_QUOTA : 804FA88E
12:36:39:088 1220 C:\WINDOWS\system32\DRIVERS\tossdpci.sys - Verdict: 1
12:36:39:088 1220
12:36:39:088 1220 Driver Name: Disk
12:36:39:088 1220 IRP_MJ_CREATE : F763DBB0
12:36:39:088 1220 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:36:39:088 1220 IRP_MJ_CLOSE : F763DBB0
12:36:39:088 1220 IRP_MJ_READ : F7637D1F
12:36:39:088 1220 IRP_MJ_WRITE : F7637D1F
12:36:39:088 1220 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:36:39:088 1220 IRP_MJ_SET_INFORMATION : 804FA88E
12:36:39:088 1220 IRP_MJ_QUERY_EA : 804FA88E
12:36:39:088 1220 IRP_MJ_SET_EA : 804FA88E
12:36:39:088 1220 IRP_MJ_FLUSH_BUFFERS : F76382E2
12:36:39:088 1220 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:36:39:088 1220 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:36:39:088 1220 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:36:39:088 1220 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:36:39:088 1220 IRP_MJ_DEVICE_CONTROL : F76383BB
12:36:39:088 1220 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
12:36:39:088 1220 IRP_MJ_SHUTDOWN : F76382E2
12:36:39:088 1220 IRP_MJ_LOCK_CONTROL : 804FA88E
12:36:39:088 1220 IRP_MJ_CLEANUP : 804FA88E
12:36:39:088 1220 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:36:39:088 1220 IRP_MJ_QUERY_SECURITY : 804FA88E
12:36:39:088 1220 IRP_MJ_SET_SECURITY : 804FA88E
12:36:39:088 1220 IRP_MJ_POWER : F7639C82
12:36:39:088 1220 IRP_MJ_SYSTEM_CONTROL : F763E99E
12:36:39:088 1220 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:36:39:088 1220 IRP_MJ_QUERY_QUOTA : 804FA88E
12:36:39:088 1220 IRP_MJ_SET_QUOTA : 804FA88E
12:36:39:098 1220 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:36:39:098 1220
12:36:39:098 1220 Driver Name: atapi
12:36:39:098 1220 IRP_MJ_CREATE : F74866F2
12:36:39:098 1220 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:36:39:098 1220 IRP_MJ_CLOSE : F74866F2
12:36:39:098 1220 IRP_MJ_READ : 804FA88E
12:36:39:098 1220 IRP_MJ_WRITE : 804FA88E
12:36:39:098 1220 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:36:39:098 1220 IRP_MJ_SET_INFORMATION : 804FA88E
12:36:39:098 1220 IRP_MJ_QUERY_EA : 804FA88E
12:36:39:098 1220 IRP_MJ_SET_EA : 804FA88E
12:36:39:098 1220 IRP_MJ_FLUSH_BUFFERS : 804FA88E
12:36:39:098 1220 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:36:39:098 1220 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:36:39:098 1220 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:36:39:098 1220 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:36:39:098 1220 IRP_MJ_DEVICE_CONTROL : F7486712
12:36:39:098 1220 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7482852
12:36:39:098 1220 IRP_MJ_SHUTDOWN : 804FA88E
12:36:39:098 1220 IRP_MJ_LOCK_CONTROL : 804FA88E
12:36:39:098 1220 IRP_MJ_CLEANUP : 804FA88E
12:36:39:098 1220 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:36:39:098 1220 IRP_MJ_QUERY_SECURITY : 804FA88E
12:36:39:098 1220 IRP_MJ_SET_SECURITY : 804FA88E
12:36:39:098 1220 IRP_MJ_POWER : F748673C
12:36:39:098 1220 IRP_MJ_SYSTEM_CONTROL : F748D336
12:36:39:098 1220 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:36:39:098 1220 IRP_MJ_QUERY_QUOTA : 804FA88E
12:36:39:098 1220 IRP_MJ_SET_QUOTA : 804FA88E
12:36:39:118 1220 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
12:36:39:118 1220
12:36:39:118 1220 Completed
12:36:39:118 1220
12:36:39:118 1220 Results:
12:36:39:118 1220 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
12:36:39:118 1220 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:36:39:118 1220 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:36:39:118 1220
12:36:39:118 1220 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:36:39:118 1220 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:36:39:708 1220 KLMD(ARK) unloaded successfully


Kenco by jpshortstuff (31.12.09.1)
Log created at 12:37 on 21/04/2010 (Owner)

========== Task Unlocker ==========

========== KencoScan ==========

========== C:\WINDOWS\Tasks ==========
mjfyjghy.job -> [20:21 27/12/2009] 294 bytes
OGALogon.job -> [23:30 28/12/2009] 236 bytes

-=E.O.F=-



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 12:46:20.08 on Wed 04/21/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1587 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\00THotkey.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
mLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\00THotkey.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
Trusted Zone: live.com\onecare
DPF: DirectAnimation Java Classes - file://c:\windows\i386\DAJAVA.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\i386\XMLDSO.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - hxxp://download.ebay.com/turbo_lister/US/install.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resour ... se6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/share ... cgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/sh ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli rebawiza.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\33hd637r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/index.cfm?fuseaction=splash
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ALiAGP;ALi AGP Bus Filter Driver;c:\windows\system32\drivers\ALiAGP.SYS [2003-8-11 26880]
R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-12-27 162768]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-4-23 3968]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-27 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-16 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-12-27 303952]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-16 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-16 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-27 20824]
R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [2003-4-24 248448]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-4-23 261632]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [2003-8-11 26112]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-5 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-5 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-5 40552]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [2003-8-11 156672]

=============== Created Last 30 ================

2010-04-25 02:18:24 0 d-----w- c:\program files\Trend Micro
2010-04-23 14:04:08 1046 ----a-w- c:\windows\system32\tmp.reg
2010-04-23 12:30:40 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-04-23 08:02:46 0 d-s---w- C:\ComboFix
2010-04-21 12:02:37 220024 ----a-w- c:\windows\sigcheck.exe
2010-04-20 06:37:56 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-04-20 06:37:54 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-04-20 06:34:54 0 d-----w- c:\program files\Spyware Doctor
2010-04-12 03:07:40 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-12 03:06:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 03:06:50 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com

==================== Find3M ====================

2010-04-26 18:50:42 5888 ----a-w- c:\windows\system32\drivers\dmload.sys
2010-04-25 01:51:18 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 23:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2004-09-25 03:27:43 3605496 ----a-w- c:\program files\sspsetup648_1761680631.exe
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 12:47:09.24 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/28/2004 1:55:11 PM
System Uptime: 4/21/2010 11:04:59 AM (1 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | uFC-PGA Socket | 2657/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 41.663 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 4/23/2010 2:46:02 AM - System Checkpoint
RP2: 4/23/2010 3:00:37 AM - Software Distribution Service 3.0
RP3: 4/23/2010 3:10:11 AM - Registry First Aid backup
RP4: 4/23/2010 7:23:21 AM - Software Distribution Service 3.0
RP5: 4/24/2010 7:32:24 AM - System Checkpoint
RP6: 4/24/2010 8:42:49 PM - Registry First Aid backup
RP7: 4/19/2010 5:33:50 AM - System Checkpoint
RP8: 4/20/2010 5:39:11 AM - System Checkpoint
RP9: 4/20/2010 10:44:04 AM - Removed SUPERAntiSpyware Free Edition
RP10: 4/21/2010 11:20:40 AM - System Checkpoint

==== Installed Programs ======================

Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
ALi AGP Driver 2.00
Alps Pointing-device Driver
AOL Uninstaller (Choose which Products to Remove)
Atheros Client Utility
avast! Free Antivirus
AVG Anti-Rootkit Free
CCleaner
CD-Cover Editor v2.6
Drag'n Drop CD+DVD
DVD-RAM Driver
EVEREST Home Edition v2.20
GTK+ Runtime 2.6.9 rev a (remove only)
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
InterVideo WinDVD 4
J2SE Runtime Environment 5.0 Update 6
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobster Utility 2.4.0
Mozilla Firefox (3.6.3)
MSN Music Assistant
Notebook Maximizer
OGA Notifier 2.0.0048.0
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
QuickTime
Realtek Fast Ethernet Adapter Driver
Recover My Files
Registry First Aid
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SoundMAX
SurfHere by Toshiba
TOSHIBA Access
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Controls
Toshiba Hotkey Utility for Display Devices
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
Toshiba Tbiosdrv Driver
TOSHIBA Utilities
Uninstall Startup Inspector
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB-IrDA Adapter
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

4/26/2010 10:24:06 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SoundMAX Agent Service service to connect.
4/26/2010 10:24:06 PM, error: Service Control Manager [7000] - The SoundMAX Agent Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/26/2010 1:49:39 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\drivers\dmload.sys could not be copied into the DLL cache. The specific error code is 0x00000000 [The operation completed successfully. ]. This file is necessary to maintain system stability.
4/26/2010 1:35:46 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\dmload.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 2600.0.503.0.
4/24/2010 8:39:45 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
4/24/2010 12:42:08 PM, error: Print [6161] - The document i6198.pdf owned by Owner failed to print on printer HP OfficeJet R40. Data type: NT EMF 1.008. Size of the spool file in bytes: 589824. Number of bytes printed: 403132. Total number of pages in the document: 8. Number of pages printed: 1. Client machine: \\TOSHIBA-USER. Win32 error code returned by the print processor: 0 (0x0).
4/23/2010 9:43:04 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/23/2010 7:20:58 AM, error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 4 time(s).
4/23/2010 3:30:13 PM, error: Print [6161] - The document http://www.irs.gov/pub/irs-pdf/f1040sc.pdf owned by Owner failed to print on printer Auto HP OfficeJet R40 on OWNER-S36F7IEE7. Data type: NT EMF 1.008. Size of the spool file in bytes: 327680. Number of bytes printed: 0. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\TOSHIBA-USER. Win32 error code returned by the print processor: 53 (0x35).
4/23/2010 3:14:00 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
4/23/2010 3:14:00 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/23/2010 3:04:23 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Windows XP (KB981349).
4/23/2010 3:04:23 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Windows XP (KB980232).
4/23/2010 3:04:23 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Windows XP (KB979683).
4/23/2010 3:03:48 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706be: Security Update for Windows XP (KB978338).
4/23/2010 2:37:30 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
4/23/2010 2:37:12 AM, error: SRService [104] - The System Restore initialization process failed.
4/23/2010 2:20:49 AM, error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 3 time(s).
4/23/2010 1:31:27 AM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/21/2010 9:48:45 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0090966B2F79. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
4/21/2010 5:29:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
4/21/2010 5:28:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec mfehidk MPFP NetBT RasAcd SASDIFSV SASKUTIL Tcpip
4/21/2010 5:28:54 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
4/21/2010 5:28:54 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/21/2010 5:28:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/21/2010 5:28:54 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
4/21/2010 5:28:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/21/2010 5:28:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/21/2010 5:00:15 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee Real-time Scanner service, but this action failed with the following error: An instance of the service is already running.
4/21/2010 4:01:56 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
4/21/2010 4:01:52 AM, error: Service Control Manager [7034] - The Browser Defender Update Service service terminated unexpectedly. It has done this 1 time(s).
4/21/2010 4:01:47 AM, error: Service Control Manager [7034] - The DVD-RAM_Service service terminated unexpectedly. It has done this 1 time(s).
4/21/2010 3:59:52 AM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
4/20/2010 6:04:30 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/20/2010 6:04:13 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
4/20/2010 6:03:39 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
4/20/2010 6:03:39 PM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/20/2010 2:13:30 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The authentication service is unknown.
4/20/2010 2:12:26 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/20/2010 2:12:26 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/20/2010 10:44:09 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.

==== End Of File ===========================
mmmarty
Active Member
 
Posts: 10
Joined: April 16th, 2010, 10:07 pm
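
The Event Viewer section of the log above carries the pattern an analyst looks for with a boot-time rootkit: security products dying repeatedly, core boot-start drivers failing in one 7026 event, Security Updates failing to install, and System Restore breaking. The following is an added example (not code from the original post or from the forum's tools) that parses those lines and turns them into a short list of indicators. The event format, the list of security service names and the set of core drivers are assumptions tailored to this log; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Event Viewer lines as they appear in the DDS log above:
#   "<m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

# Security products named in this log (assumption: tailored to this machine;
# extend the tuple for other environments).  A rootkit that kills AV shows up here.
SECURITY_SERVICES = (
    "McAfee Real-time Scanner",
    "PC Tools Security Service",
    "Browser Defender Update Service",
    "SASDIFSV",
    "Automatic LiveUpdate Scheduler",
)

# Boot-start drivers that do not fail on a healthy box; their failure in a
# 7026 event means the boot-time driver path was disturbed.
CORE_DRIVERS = {"Tcpip", "AFD", "NetBT", "IPSec", "Fips"}

# Service Control Manager event ids for "service died / failed to start".
SCM_FAILURE_IDS = {7000, 7031, 7032, 7034}


def parse_events(text):
    """Return one dict per line that matches the Event Viewer format."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def triage(text):
    """Map indicator name -> list of supporting evidence strings."""
    findings = defaultdict(list)
    for ev in parse_events(text):
        src, eid, msg = ev["source"], ev["id"], ev["msg"]
        if src == "Service Control Manager" and eid in SCM_FAILURE_IDS:
            if any(name in msg for name in SECURITY_SERVICES):
                findings["security_service_failure"].append(msg)
        elif src == "Service Control Manager" and eid == 7026:
            # "... failed to load: Aavmker4 AFD aswSP ..." -> driver name set
            failed = set(msg.split("failed to load:", 1)[1].split())
            core = sorted(failed & CORE_DRIVERS)
            if core:
                findings["core_boot_driver_failed"].append(", ".join(core))
        elif src == "Windows Update Agent" and eid == 20 and "Security Update" in msg:
            findings["security_update_failed"].append(msg)
        elif src in ("sr", "SRService") or "System Restore" in msg:
            findings["system_restore_broken"].append(msg)
    return dict(findings)


def verdict(findings):
    """Turn raw indicators into short conclusions for the analyst."""
    reasons = []
    if findings.get("core_boot_driver_failed"):
        reasons.append("tampered_boot_path")
    if len(findings.get("security_service_failure", [])) >= 2:
        reasons.append("security_tools_being_killed")
    if findings.get("security_update_failed"):
        reasons.append("patching_blocked")
    if findings.get("system_restore_broken"):
        reasons.append("restore_points_unreliable")
    return reasons


# Lines copied from the Event Viewer section of the log above.
SAMPLE_LOG = """\
4/26/2010 10:24:06 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SoundMAX Agent Service service to connect.
4/23/2010 7:20:58 AM, error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 4 time(s).
4/23/2010 3:04:23 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Security Update for Windows XP (KB981349).
4/23/2010 2:37:30 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
4/21/2010 5:28:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec mfehidk MPFP NetBT RasAcd SASDIFSV SASKUTIL Tcpip
4/21/2010 4:01:56 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
4/20/2010 10:44:09 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, items in found.items():
        print(f"{key}: {len(items)}")
    print("conclusions:", verdict(found))
```

The point of the 7026 check is that Tcpip, AFD and NetBT failing together is not a driver bug but a symptom of something sitting in the boot path; that same event also lists the AV filter drivers (mfehidk, SASDIFSV, aswSP) failing, which is why the scanners on this machine kept dying.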

Re: Browser Redirect

Unread postby deltalima » April 21st, 2010, 3:00 pm

Hi mmmarty,

There are signs that TDSS has been on the computer, but the system looks clear of TDSS now.

I am somewhat confused by the date and time stamps on some files, Kenco correctly shows today's date and yet some files show a modified date of 26/4/2010. Are you aware of system time having been recently corrected by several days?

Also please let me know if there have been any other changes / fixes to the system other than the scans that I have asked for, particularly if Combofix has been run again.

Please also let me know if the Browser Redirects are still happening.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Browser Redirect

Unread postby mmmarty » April 21st, 2010, 3:42 pm

Regarding the time, yes, I am aware. I read somewhere advancing the clock in some instances helped with certain malware. It had no effect, and I have since returned the clock to the proper date.
Since I have had you working with me, I have run no scanners, fixes, etc..., including combofix.
I have noticed at one point a sharp cutoff in redirects, and redirect attempts since working with you, with only perhaps two instances in the last couple days.
I was a bit surprised when running the TDSSkiller this last time as you instructed, to see no infection. I had run the program twice before engaging you, and both runs showed an infection (c:\windows\system32\drivers\atapi.sys infected by tdss rootkit) which it said would be removed at the next boot, but it was not.
If I have any instance of further redirect, I will post immediately.
It's my understanding this system has now been compromised and can no longer be trusted. Any thoughts on this?
Thank you very VERY much for your time. MMMarty.
mmmarty
Active Member
 
Posts: 10
Joined: April 16th, 2010, 10:07 pm

Re: Browser Redirect

Unread postby deltalima » April 21st, 2010, 4:12 pm

Hi mmmarty,

Regarding the time, yes, I am aware. I read somewhere advancing the clock in some instances helped with certain malware. It had no effect, and I have since returned the clock to the proper date.


Thanks for letting me know, that explains the odd date and time stamps in the log.

I have noticed at one point a sharp cutoff in redirects, and redirect attempts since working with you, with only perhaps two instances in the last couple days.


Good, that agrees with the logs that show TDSS was removed.

I was a bit surprised when running the TDSSkiller this last time as you instructed, to see no infection. I had run the program twice before engaging you, and both runs showed an infection (c:\windows\system32\drivers\atapi.sys infected by tdss rootkit) which said would be removed at next boot which were not.


I suspect TDSSKiller did fix it on the previous run.

If I have any instance of further redirect, I will post immediately.


OK, I will keep the thread open for a few days to make sure the symptoms have gone.

It's my understanding this system has now been compromised and can no longer be trusted. Any thoughts on this?


Yes indeed, once a rootkit has been installed on a system then the only way to be sure that the system is clean is to reformat and reinstall the operating system.

At this stage I suggest we run a scan with Kaspersky and if that is clean then in the next post we can update some critical items on your computer and remove all the tools that have been installed.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Browser Redirect

Unread postby mmmarty » April 21st, 2010, 10:29 pm

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, April 21, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 21, 2010 20:27:33
Records in database: 3962586
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 47844
Threats found: 2
Infected objects found: 4
Suspicious objects found: 1
Scan duration: 02:11:41


File name / Threat / Threats count
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook\outlook.pst Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

Selected area has been scanned.


One other note, which I don't know if related or not, but I felt worth mentioning. I repeatedly get an error message.

Warning: Unresponsive script
A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script:http://Ajax.Googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js:19
mmmarty
Active Member
 
Posts: 10
Joined: April 16th, 2010, 10:07 pm
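
Reading the Kaspersky report above correctly matters for the next step: both hits live inside outlook.pst, so the detections are e-mail attachments and the container must be cleaned from inside Outlook rather than quarantined, and a "not-a-virus:" verdict is riskware (a VNC-based remote admin tool), not necessarily an infection. The following is an added example (not part of the original post and not Kaspersky's own code) that parses the report rows and classifies each one. The row layout, the container extension list and the verdict-prefix rules are assumptions based on the report as printed above; the first three sample rows are copied from it and the fourth is constructed to show the non-container branch.

```python
import ntpath
import re
from collections import defaultdict

# One report row per detection, in the layout of the report above:
#   <path> Infected: <verdict> <count>
#   <path> Suspicious: <verdict> <count>
# Paths contain spaces, so the regex anchors on the status keyword instead.
ROW_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<verdict>\S+) (?P<count>\d+)$"
)

# Container formats where the hit is *inside* the file: mailbox stores and
# archives.  Quarantining the container would take the whole mailbox with it.
CONTAINER_EXT = {".pst", ".ost", ".zip", ".rar", ".cab", ".7z"}


def parse_report(text):
    """Return the detection rows of a Kaspersky Online Scanner 7 text report."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["count"] = int(row["count"])
            rows.append(row)
    return rows


def classify(row):
    """Return (category, action) for one report row."""
    verdict = row["verdict"]
    ext = ntpath.splitext(row["path"])[1].lower()   # ntpath handles backslashes on any host
    if verdict.startswith("not-a-virus:"):
        category = "riskware"     # legitimate tool that can be abused, e.g. a VNC server
    elif row["status"] == "Suspicious" or verdict.endswith(".gen"):
        category = "heuristic"    # generic signature; corroborate before acting
    else:
        category = "malware"
    action = "clean inside container" if ext in CONTAINER_EXT else "quarantine file"
    return category, action


def summarize(text):
    """Group rows by path: path -> [(category, action, verdict, count), ...]."""
    out = defaultdict(list)
    for row in parse_report(text):
        category, action = classify(row)
        out[row["path"]].append((category, action, row["verdict"], row["count"]))
    return dict(out)


# Rows 1-3 are copied from the report above; row 4 is a constructed example
# (not from the original page) with a made-up verdict name.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook\outlook.pst Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Documents and Settings\Owner\Desktop\invoice.exe Infected: Trojan.Win32.Example.a 1
"""

if __name__ == "__main__":
    for path, hits in summarize(SAMPLE_REPORT).items():
        for category, action, verdict, count in hits:
            print(f"{path}\n    {count}x {verdict} -> {category}, {action}")
```

The raw string literal matters: Windows paths in a normal Python string would be mangled by backslash escapes. Note also that the scanner reports the same mailbox under two paths, which is why the totals (4 infected, 1 suspicious) do not match the number of distinct files.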

Re: Browser Redirect

Unread postby deltalima » April 22nd, 2010, 4:02 am

Hi mmmarty,

There are infected emails in your Outlook storage file. Please check through your emails to see if there are any emails with attachments and delete any attachments that you do not recognise and cannot trust.

Once this is done, please empty Deleted Items and then compact the file: File - Data File Management - highlight file - Settings - Compact Now.

Next run another Kaspersky scan. This may need to be done several times until the infected email can be eliminated.

Next

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Now close all other open windows and then click on Fix Checked. Close HijackThis.


remove McAfee

There are remnants of McAfee still on the computer so run the McAfee Consumer Removal Tool (MCPR.EXE) to ensure successful removal of all McAfee references.

Download the removal tool from:

http://download.mcafee.com/products/lic ... s/MCPR.exe
  • Click Save and save the file to any folder on your computer.
  • Navigate to the folder where the file is saved.
  • Make sure all McAfee windows are closed.
  • Double-click MCPR.EXE to run the removal tool.
    • Note: Windows Vista users must right-click MCPR.EXE and select Run as Administrator.
  • Restart your computer after receiving the message CleanUp Successful.

remove Liveupdate

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs,
    highlight LiveUpdate 3.0 (Symantec Corporation)
    click Remove
  • Close the Add or Remove Programs and the Control Panel windows.

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.3 are vulnerable.
  • Go HERE, UNCHECK any Free Add-Ons, and click Download to install the latest version of Adobe Acrobat Reader.
  • After it completes the Installation, close the Download Manager.

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 20.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version

Please let me know when the above is complete then we can remove the tools that have been installed.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
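
The post above sets two minimums (Adobe Reader 9.3, Java 6 Update 20) and stresses that every older Java has to go, since several JREs can coexist in Add/Remove Programs and each old one stays exploitable. The following is an added example (not part of the original post) that audits an Add/Remove Programs name list against those minimums and lists what to remove. The display-name patterns it recognises are assumptions (three common XP-era JRE naming forms and "Adobe Reader N.N"); the sample inventory is constructed and only borrows a few harmless names from the installed-programs list above.

```python
import re

# Minimum versions the post above asks for: Adobe Reader 9.3 and Java 6 Update 20.
MIN_VERSIONS = {
    "Adobe Reader": (9, 3),
    "Java": (6, 20),
}

# Add/Remove Programs display names for JRE families on XP-era machines.
# Assumption: these three patterns; older "Java 2 Runtime Environment, SE v1.4.2_xx"
# names are not parsed and are therefore skipped.
JAVA_RE = re.compile(
    r"^(?:Java\(TM\)(?: SE Runtime Environment)?|J2SE Runtime Environment) "
    r"(\d+)(?:\.0)?(?: Update (\d+))?$"
)
ADOBE_RE = re.compile(r"^Adobe Reader (\d+)(?:\.(\d+))?")


def parse_entry(name):
    """Return (product, (major, minor_or_update)) or None for non-target entries."""
    m = JAVA_RE.match(name)
    if m:
        return "Java", (int(m.group(1)), int(m.group(2) or 0))
    m = ADOBE_RE.match(name)
    if m:
        return "Adobe Reader", (int(m.group(1)), int(m.group(2) or 0))
    return None


def audit(installed):
    """Return (name, product, version, verdict) for every recognised entry."""
    results = []
    for name in installed:
        parsed = parse_entry(name)
        if parsed is None:
            continue
        product, version = parsed
        verdict = "current" if version >= MIN_VERSIONS[product] else "outdated"
        results.append((name, product, version, verdict))
    return results


def removals(installed):
    """Every outdated entry: all old JREs, not just the oldest, plus old Reader."""
    return [name for name, _, _, verdict in audit(installed) if verdict == "outdated"]


# Constructed inventory (not the machine's real list); the last three names are
# taken from the installed-programs list above to show that they are ignored.
SAMPLE_INVENTORY = [
    "Adobe Reader 9.1",
    "Java(TM) 6 Update 7",
    "Java(TM) 6 Update 20",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "J2SE Runtime Environment 5.0 Update 6",
    "Windows Media Player 11",
    "Yahoo! Toolbar",
    "WebFldrs XP",
]

if __name__ == "__main__":
    for name, product, version, verdict in audit(SAMPLE_INVENTORY):
        print(f"{verdict:8} {product:12} {version}  {name}")
    print("remove:", removals(SAMPLE_INVENTORY))
```

Comparing versions as integer tuples (major, update) is what makes "J2SE 5.0 Update 6" sort below "Java 6 Update 20" correctly; comparing the display strings would not.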