Bad malware infection - redirects & blocked sites



MONSTAR
2010-03-14, 03:40
Any help people can provide would be greatly appreciated... I've got a bad case of malware redirecting my browser and my usual programs aren't catching the problem.

The symptoms I'm having:
Pretty frequent redirection of my browser, especially from google searches.
Can't access safer-networking.org (server not found)
Can't access malwarebytes.org (server not found)
Spybot cannot update
Spyware Doctor cannot update (and won't run before it is updated)
Malwarebytes' Anti-Malware cannot update

I did try a few different programs before I found this site...
Avast Anti-Virus (my main anti-virus program)
Ad-Aware
safety.live.net (online scanner from Microsoft)
Malwarebytes' Anti-Malware (just installed)

And I just figured out how to get Spybot installed (I de-selected the auto-update box in the installer), but it seems kind of silly to run it now.

So here's my HJT logfile... Thanks in advance for any help you can provide, I've never encountered anything quite this bad!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:54 PM, on 3/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {A6AABFB8-4CD4-493F-8314-E1B221A9AC3F} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [\\TALON5-5NET\EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "\\TALON5-5NET\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on TALON5-5NET] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P50 "Auto EPSON Stylus Photo R200 Series on TALON5-5NET" /O21 "\\TALON5-5NET\Printer" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Metamail Trust Manager.lnk = C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{C65DCB00-EED0-48EF-AEFF-DC199C15A4BD}: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: gmhnyf.dll
O20 - Winlogon Notify: qoMFwTLB - qoMFwTLB.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13986 bytes

km2357
2010-03-16, 19:05
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please post a fresh HijackThis log.

MONSTAR
2010-03-18, 00:02
Yes!! I do still need help :)

Here's a fresh log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:28 PM, on 3/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {A6AABFB8-4CD4-493F-8314-E1B221A9AC3F} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [\\TALON5-5NET\EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "\\TALON5-5NET\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on TALON5-5NET] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P50 "Auto EPSON Stylus Photo R200 Series on TALON5-5NET" /O21 "\\TALON5-5NET\Printer" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Metamail Trust Manager.lnk = C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{C65DCB00-EED0-48EF-AEFF-DC199C15A4BD}: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: gmhnyf.dll
O20 - Winlogon Notify: qoMFwTLB - qoMFwTLB.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14189 bytes

km2357
2010-03-18, 05:13
Step # 1: Remove HijackThis Entries


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O2 - BHO: (no name) - {A6AABFB8-4CD4-493F-8314-E1B221A9AC3F} - (no file)

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46

O17 - HKLM\System\CCS\Services\Tcpip\..\{C65DCB00-EED0-48EF-AEFF-DC199C15A4BD}: NameServer = 93.188.165.104,93.188.166.46

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46

O17 - HKLM\System\CS1\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46

O17 - HKLM\System\CS2\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.


Step # 2: Download and run DDS

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Step # 3: Download and Run Gmer

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc.!

Please post the results from the GMER scan in your reply.

In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
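
The O17 entries in the fix list above all point the machine's DNS at the same two public addresses, on every interface and in every control set, which is what a DNS hijack looks like in an HJT log. The script below is an added example, not part of this thread or of HijackThis; it parses O17 lines from a constructed sample log (the first two lines copy entries posted above, the third is a hypothetical clean entry for a home router) and reports any resolver that is neither on an operator-supplied allow-list (the hypothetical EXPECTED_RESOLVERS) nor in a private address range:

```python
"""Flag unexpected DNS NameServer entries in HijackThis O17 lines.

Added example, not part of the forum thread or of HijackThis. It reads the
O17 lines of an HJT log and reports resolvers that are not on the operator's
allow-list and not private (router) addresses.
"""
import ipaddress
import re

# O17 - HKLM\System\<CCS|CSn>\Services\Tcpip\<Parameters|..\{GUID}>: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>[\d.,\s]+)$"
)

# Constructed sample: the first two lines copy O17 entries posted in the thread,
# the third is a hypothetical clean entry pointing at a home router, the O4 line
# shows that non-O17 lines are ignored.
SAMPLE_HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A26078D-6777-4C38-8BF6-9B98DA3D1069}: NameServer = 93.188.165.104,93.188.166.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{C65DCB00-EED0-48EF-AEFF-DC199C15A4BD}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# Hypothetical allow-list: the resolvers this machine is expected to use.
EXPECTED_RESOLVERS = {"192.168.1.1"}


def parse_o17(log_text):
    """Return a list of (registry_key, [nameserver, ...]) for each O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("key"), servers))
    return entries


def is_expected(server, allowed=EXPECTED_RESOLVERS):
    """A resolver is expected if it is on the allow-list or in a private range
    (typical of a home router); anything else on the public Internet is flagged."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False  # unparsable entry: treat as needing review
    return server in allowed or ip.is_private


def find_hijacked_dns(log_text, allowed=EXPECTED_RESOLVERS):
    """Return {registry_key: [unexpected servers]} for entries needing review."""
    findings = {}
    for key, servers in parse_o17(log_text):
        bad = [s for s in servers if not is_expected(s, allowed)]
        if bad:
            findings[key] = bad
    return findings


if __name__ == "__main__":
    for key, servers in find_hijacked_dns(SAMPLE_HJT_LOG).items():
        print(f"REVIEW {key}: unexpected NameServer {', '.join(servers)}")
```

Run against the sample, the two CCS/CS1 entries pointing at 93.188.165.104 and 93.188.166.46 are reported and the router entry is not. The allow-list is deliberately strict: a public resolver you do use (your ISP's, for instance) has to be added to EXPECTED_RESOLVERS, otherwise it is reported for review as well, which is the safer default when triaging an infected machine.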

MONSTAR
2010-03-19, 02:21
Done! OK here are the logs (I wasn't sure if you meant to copy&paste the body of Attach.txt into the post or if you wanted me to zip and attach it as the file recommends... I erred on the side of caution and attached it. If I got that wrong please let me know).

DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ian Schmidt at 19:20:43.38 on Thu 03/18/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.139 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100318-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ian Schmidt\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uSearch Bar = hxxp://www.toshiba.com/search
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TFncKy] TFncKy.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [<NO NAME>]
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [\\TALON5-5NET\EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p44 "\\talon5-5net\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
mRun: [Auto EPSON Stylus Photo R200 Series on TALON5-5NET] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p50 "auto epson stylus photo r200 series on talon5-5net" /o21 "\\talon5-5net\Printer" /M "Stylus Photo R200"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\iansch~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\iansch~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth monitor\BtMon2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\metama~1.lnk - c:\program files\metamail inc\metamail tray\Metamail Trust Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: qoMFwTLB - qoMFwTLB.dll
AppInit_DLLs: gmhnyf.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJAtUKC
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\iansch~1\applic~1\mozilla\firefox\profiles\oc2sujip.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-15 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-10 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-16 114768]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2005-12-27 5888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-16 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-16 138680]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-10 112592]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2005-12-27 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-17 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-16 254040]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-12-27 35968]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-16 352920]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-3-10 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-3-10 1141712]

=============== Created Last 30 ================

2010-03-13 23:51:20 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 23:51:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-13 22:30:33 0 d-----w- c:\program files\Trend Micro
2010-03-13 00:43:03 0 d-----w- c:\docume~1\iansch~1\applic~1\Malwarebytes
2010-03-13 00:42:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 00:42:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-13 00:42:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 00:42:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 12:44:49 0 ----a-w- c:\windows\CeEKey.INI
2010-03-11 01:01:01 882 ----a-w- c:\windows\RegSDImport.xml
2010-03-11 01:01:01 880 ----a-w- c:\windows\RegISSImport.xml
2010-03-11 01:01:01 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-11 01:01:01 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-11 01:01:01 131 ----a-w- c:\windows\IDB.zip
2010-03-11 01:01:00 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-11 01:01:00 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-03-11 01:01:00 1152444 ----a-w- c:\windows\UDB.zip
2010-03-11 01:00:35 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-03-11 01:00:35 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-11 01:00:08 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-11 01:00:08 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-03-11 01:00:08 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-11 01:00:08 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-11 00:59:40 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-03-11 00:59:40 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-11 00:59:11 0 d-----w- c:\program files\common files\PC Tools
2010-03-11 00:59:10 0 d-----w- c:\program files\Spyware Doctor
2010-03-11 00:59:10 0 d-----w- c:\docume~1\iansch~1\applic~1\PC Tools
2010-03-11 00:59:10 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-03-02 01:45:49 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-02-04 01:05:37 28496 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-28 23:59:18 117655 ----a-w- c:\windows\hpoins11.dat
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2008-08-28 07:06:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 19:21:53.74 ===============

MONSTAR
2010-03-19, 02:24
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-18 19:55:04
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\IANSCH~1\LOCALS~1\Temp\pwriyfog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA6856B8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF8528E22]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF8509CDC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF8509ECE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF8529610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF85298C4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA68514C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF8527B14]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA68508C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAA6850F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAA68576E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF8529D30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA68572E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF85290E2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF8509982]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF855F780]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF7DD9EBF]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[140] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EA0001
.text C:\Documents and Settings\Ian Schmidt\Desktop\gmer.exe[144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003C0001
.text C:\Documents and Settings\Ian Schmidt\Desktop\gmer.exe[144] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Ian Schmidt\Desktop\gmer.exe[144] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Ian Schmidt\Desktop\gmer.exe[144] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Ian Schmidt\Desktop\gmer.exe[144] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Documents and Settings\Ian Schmidt\Desktop\gmer.exe[144] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [39, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [30, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [18, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [21, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [2D, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [1B, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [33, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [2A, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [36, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003C0001
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[260] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [39, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [30, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [18, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [21, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [2D, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [1B, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [33, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [2A, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [36, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003C0001
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[388] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\alg.exe[512] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00840001
.text C:\WINDOWS\System32\alg.exe[512] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[512] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[512] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[512] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\alg.exe[512] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\Apoint2K\Apoint.exe[660] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01010001
.text C:\Program Files\Apoint2K\Apoint.exe[660] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\Apoint2K\Apoint.exe[660] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Apoint2K\Apoint.exe[660] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Apoint2K\Apoint.exe[660] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\Apoint2K\Apoint.exe[660] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\spoolsv.exe[692] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01530001
.text C:\Program Files\ltmoh\Ltmoh.exe[712] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00ED0001
.text C:\Program Files\ltmoh\Ltmoh.exe[712] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\ltmoh\Ltmoh.exe[712] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\ltmoh\Ltmoh.exe[712] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ltmoh\Ltmoh.exe[712] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\ltmoh\Ltmoh.exe[712] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\AGRSMMSG.exe[720] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EC0001
.text C:\WINDOWS\AGRSMMSG.exe[720] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\AGRSMMSG.exe[720] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\AGRSMMSG.exe[720] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\AGRSMMSG.exe[720] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\AGRSMMSG.exe[720] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[728] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01840001
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[728] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[728] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[728] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[728] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[728] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\TCtrlIOHook.exe[764] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CA0001
.text C:\WINDOWS\system32\TCtrlIOHook.exe[764] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\TCtrlIOHook.exe[764] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\TCtrlIOHook.exe[764] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\TCtrlIOHook.exe[764] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\TCtrlIOHook.exe[764] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DF0001
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[772] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[772] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[772] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[772] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[772] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[844] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[844] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[844] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[844] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[844] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe[844] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\ZoomingHook.exe[872] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C70001
.text C:\WINDOWS\system32\ZoomingHook.exe[872] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\ZoomingHook.exe[872] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\ZoomingHook.exe[872] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ZoomingHook.exe[872] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\ZoomingHook.exe[872] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[884] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 013B0001
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[884] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[884] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[884] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[884] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[884] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\csrss.exe[904] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01A10001
.text C:\WINDOWS\system32\winlogon.exe[928] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C60001
.text C:\WINDOWS\system32\services.exe[972] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01130001
.text C:\WINDOWS\system32\lsass.exe[984] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01370001
.text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FF0001
.text ...
.text C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe[1212] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe[1212] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe[1212] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe[1212] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe[1212] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01260001
.text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01C60001
.text C:\Program Files\TOSHIBA\TouchPad\TPTray.exe[1312] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CC0001
.text C:\Program Files\TOSHIBA\TouchPad\TPTray.exe[1312] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\TouchPad\TPTray.exe[1312] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\TouchPad\TPTray.exe[1312] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TouchPad\TPTray.exe[1312] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\TouchPad\TPTray.exe[1312] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\igfxtray.exe[1420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01000001
.text C:\WINDOWS\system32\igfxtray.exe[1420] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\igfxtray.exe[1420] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\igfxtray.exe[1420] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\igfxtray.exe[1420] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\igfxtray.exe[1420] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\toshiba\ivp\ism\ivpsvmgr.exe[1440] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00950001
.text C:\toshiba\ivp\ism\ivpsvmgr.exe[1440] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\toshiba\ivp\ism\ivpsvmgr.exe[1440] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\toshiba\ivp\ism\ivpsvmgr.exe[1440] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\toshiba\ivp\ism\ivpsvmgr.exe[1440] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\toshiba\ivp\ism\ivpsvmgr.exe[1440] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe[1472] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D60001
.text C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe[1472] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe[1472] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe[1472] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe[1472] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe[1472] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\igfxpers.exe[1488] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 013F0001
.text C:\WINDOWS\system32\igfxpers.exe[1488] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\igfxpers.exe[1488] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\igfxpers.exe[1488] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\igfxpers.exe[1488] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\igfxpers.exe[1488] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\svchost.exe[1556] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C10001
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CA0001
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[1632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[1632] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[1632] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[1632] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[1632] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[1632] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D40001
.text C:\WINDOWS\system32\hkcmd.exe[1752] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01380001
.text C:\WINDOWS\system32\hkcmd.exe[1752] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\hkcmd.exe[1752] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\hkcmd.exe[1752] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\hkcmd.exe[1752] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\hkcmd.exe[1752] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\Explorer.EXE[1772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01660001
.text C:\Program Files\Bonjour\mDNSResponder.exe[1900] kernel32.dll!LoadLibraryExW + C4 7C801BB9 2 Bytes CALL 00810001
.text C:\Program Files\Bonjour\mDNSResponder.exe[1900] kernel32.dll!LoadLibraryExW + C7 7C801BBC 1 Byte [84]
.text C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe[2128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00880001
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[2208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01350001
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[2208] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[2208] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[2208] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[2208] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[2208] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\Protector Suite QL\psqltray.exe[2304] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 022D0001
.text C:\Program Files\Protector Suite QL\psqltray.exe[2304] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\Protector Suite QL\psqltray.exe[2304] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Protector Suite QL\psqltray.exe[2304] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Protector Suite QL\psqltray.exe[2304] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\Protector Suite QL\psqltray.exe[2304] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2320] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C30001
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2320] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2320] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2320] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2320] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2320] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 0A8A0001
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[2400] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\Apoint2K\Apntex.exe[2424] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D10001
.text C:\Program Files\Apoint2K\Apntex.exe[2424] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\Apoint2K\Apntex.exe[2424] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Apoint2K\Apntex.exe[2424] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Apoint2K\Apntex.exe[2424] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\Apoint2K\Apntex.exe[2424] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[2468] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C40001
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[2468] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[2468] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[2468] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[2468] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe[2468] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\ctfmon.exe[2496] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D20001
.text C:\WINDOWS\system32\ctfmon.exe[2496] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\ctfmon.exe[2496] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2496] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2496] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[2496] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2592] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00930001
.text C:\Program Files\DNA\btdna.exe[2604] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01CB0001
.text C:\Program Files\DNA\btdna.exe[2604] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\DNA\btdna.exe[2604] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\DNA\btdna.exe[2604] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\DNA\btdna.exe[2604] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\DNA\btdna.exe[2604] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F30001
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2632] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2632] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2632] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2632] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2632] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\DVDRAMSV.exe[2672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CC0001
.text C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe[2848] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E70001
.text C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe[2848] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe[2848] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe[2848] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe[2848] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe[2848] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2940] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00880001
.text C:\Program Files\iPod\bin\iPodService.exe[2940] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2940] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2940] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iPod\bin\iPodService.exe[2940] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\Program Files\iPod\bin\iPodService.exe[2940] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2956] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2956] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2956] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2956] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2956] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2956] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3028] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01420001
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3028] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3028] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3028] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3028] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3028] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe[3188] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01860001
.text C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe[3188] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe[3188] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe[3188] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe[3188] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe[3188] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\System32\svchost.exe[3200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00840001
.text C:\WINDOWS\System32\svchost.exe[3200] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[3200] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[3200] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[3200] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\svchost.exe[3200] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\RAMASST.exe[3264] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E20001
.text C:\WINDOWS\system32\RAMASST.exe[3264] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\WINDOWS\system32\RAMASST.exe[3264] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\RAMASST.exe[3264] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RAMASST.exe[3264] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\WINDOWS\system32\RAMASST.exe[3264] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE[3512] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 018C0001
.text C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE[3512] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE[3512] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE[3512] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE[3512] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE[3512] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3684] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010F0001
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3684] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3684] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3684] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3684] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3684] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\WINDOWS\system32\svchost.exe[3760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E70001
.text c:\TOSHIBA\IVP\swupdate\swupdtmr.exe[3872] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D80001
.text C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe[3900] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01CA0001
.text C:\WINDOWS\system32\wdfmgr.exe[3968] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00670001
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[4032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EB0001
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[4032] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F350F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[4032] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[4032] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[4032] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [33, 5F]
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[4032] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F380F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[4076] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00900001
.text C:\WINDOWS\system32\HPZipm12.exe[4360] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00800001
.text C:\WINDOWS\system32\HPZipm12.exe[4360] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\HPZipm12.exe[4360] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\HPZipm12.exe[4360] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\HPZipm12.exe[4360] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\HPZipm12.exe[4360] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F100F5A

MONSTAR
2010-03-19, 02:27
---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[972] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[972] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)
Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdePort0 [F8552B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F8552B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F8552B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F8552B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A86CBD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

km2357
2010-03-19, 06:37
(I wasn't sure if you meant to copy & paste the body of Attach.txt into the post or if you wanted me to zip and attach it as the file recommends... I erred on the side of caution and attached it. If I got that wrong, please let me know).

From now on, just post all the logs that I ask for normally; only attach them if specifically requested to do so. :)


Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it before posting the logs.

* Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
* Right click on this icon again and select Program Settings.
* On the left, click on Troubleshooting.
* Uncheck (untick) this box - Disable avast! self-defense module.
* Click OK to apply the settings.


Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

MONSTAR
2010-03-20, 16:42
Well, I can access safer-networking.org and malwarebytes.org now, and the redirects look like they may have gone away as well...

Here's the ComboFix log

ComboFix 10-03-19.08 - Ian Schmidt 03/20/2010 11:05:04.1.1 - x86
Running from: c:\documents and settings\Ian Schmidt\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100320-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1349113842-1005841170-4024080710-500
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.

2010-03-19 01:30 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-13 23:51 . 2010-03-14 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-13 23:51 . 2010-03-13 23:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 22:30 . 2010-03-13 22:30 -------- d-----w- c:\program files\Trend Micro
2010-03-13 22:21 . 2010-03-13 22:21 -------- d-----w- c:\program files\ERUNT
2010-03-13 22:15 . 2010-03-13 22:15 -------- d-----w- c:\documents and settings\Ian Schmidt\Local Settings\Application Data\Threat Expert
2010-03-13 01:55 . 2010-03-13 01:59 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-13 00:43 . 2010-03-13 00:43 -------- d-----w- c:\documents and settings\Ian Schmidt\Application Data\Malwarebytes
2010-03-13 00:42 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 00:42 . 2010-03-13 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-13 00:42 . 2010-03-13 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 00:42 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 01:01 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-11 01:01 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-11 01:01 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2010-03-11 01:01 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-11 01:01 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-11 01:01 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2010-03-11 01:00 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-11 01:00 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-11 01:00 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-11 00:59 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-11 00:59 . 2010-03-11 01:01 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-11 00:59 . 2010-03-13 11:54 -------- d-----w- c:\program files\Spyware Doctor
2010-03-11 00:59 . 2010-03-11 00:59 -------- d-----w- c:\documents and settings\Ian Schmidt\Application Data\PC Tools
2010-03-11 00:59 . 2010-03-11 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-11 00:58 . 2010-03-20 15:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 01:45 . 2010-03-02 01:45 -------- d-----w- c:\program files\CCleaner
2010-02-25 05:52 . 2010-03-18 08:57 -------- d-----w- c:\documents and settings\Ian Schmidt\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 15:20 . 2008-09-14 03:55 -------- d-----w- c:\program files\DNA
2010-03-20 15:20 . 2008-09-14 03:55 -------- d-----w- c:\documents and settings\Ian Schmidt\Application Data\DNA
2010-03-14 01:56 . 2008-08-30 13:53 -------- d-----w- c:\program files\eMule
2010-03-02 03:26 . 2009-06-22 02:26 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-03-02 03:26 . 2009-06-22 02:26 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-02-06 15:13 . 2010-02-06 15:11 -------- d-----w- c:\program files\iTunes
2010-02-06 15:12 . 2010-02-06 15:12 -------- d-----w- c:\program files\iPod
2010-02-06 15:12 . 2008-09-21 18:30 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 15:02 . 2010-02-06 15:02 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-04 01:05 . 2010-01-27 01:43 28496 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-30 17:47 . 2005-12-27 17:33 -------- d-----w- c:\program files\Google
2010-01-30 17:16 . 2010-01-30 17:16 -------- d-----w- c:\program files\MSXML 4.0
2010-01-28 23:59 . 2010-01-28 23:58 -------- d-----w- c:\documents and settings\Ian Schmidt\Application Data\HP
2010-01-28 23:59 . 2010-01-28 23:31 117655 ----a-w- c:\windows\hpoins11.dat
2010-01-28 23:58 . 2010-01-28 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-28 23:57 . 2010-01-28 23:56 -------- d-----w- c:\program files\Common Files\HP
2010-01-28 23:57 . 2008-11-11 02:40 -------- d-----w- c:\program files\HP
2010-01-28 23:54 . 2010-01-28 23:53 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-28 23:31 . 2008-07-09 02:50 29048 ----a-w- c:\documents and settings\Ian Schmidt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-28 01:20 . 2010-01-28 01:19 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-01-23 21:30 . 2010-01-23 21:29 -------- d-----w- c:\program files\QuickTime
2010-01-23 20:52 . 2010-01-23 20:51 -------- d-----w- c:\program files\Safari
2010-01-23 20:49 . 2010-01-23 20:49 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-01-05 10:00 . 2005-12-27 04:23 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-12-27 04:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-12-27 04:22 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2005-12-27 04:23 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-11-06 18:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-11-06 18:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-14 323392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-19 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-01-18 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2005-03-18 81920]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 28672]
"TFncKy"="TFncKy.exe" [BU]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 24576]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-14 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 671744]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-11-06 49168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"\\TALON5-5NET\EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Auto EPSON Stylus Photo R200 Series on TALON5-5NET"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\documents and settings\Ian Schmidt\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Bluetooth Monitor.lnk - c:\program files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2008-7-8 65536]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2005-12-27 329472]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-27 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-11-06 18:34 52224 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/15/2009 11:24 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/10/2010 9:00 PM 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/16/2009 9:17 AM 114768]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [12/27/2005 1:21 PM 5888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/16/2009 9:17 AM 20560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [3/10/2010 9:01 PM 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [12/27/2005 1:21 PM 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/17/2009 12:28 PM 24652]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/27/2005 8:29 PM 35968]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 1:47 PM 135664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/10/2010 8:59 PM 365280]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 03:25]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:47]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:47]

2005-10-25 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-12-27 00:12]

2005-10-25 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-12-27 00:12]

2005-10-25 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-12-27 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Ian Schmidt\Application Data\Mozilla\Firefox\Profiles\oc2sujip.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-qoMFwTLB - qoMFwTLB.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 11:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2572)
c:\windows\system32\WININET.dll
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\ieframe.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\HPZipm12.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\TME3\TMEEJME.EXE
c:\windows\AGRSMMSG.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TCtrlIOHook.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\windows\system32\ZoomingHook.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\progra~1\METAMA~1\METAMA~1\METAMA~2.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
c:\toshiba\ivp\ism\ivpsvmgr.exe
.
**************************************************************************
.
Completion time: 2010-03-20 11:29:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-20 15:29

Pre-Run: 33,633,284,096 bytes free
Post-Run: 33,831,186,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EA7B440CA7C498B7A5FC6567907EEC12

km2357
2010-03-20, 17:55
Well I can access safer-networking.org and malwarebytes.org now, and the re-directs look like they may have gone away as well...

That's good news. :)


IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent

DNA

eMule

I'd like you to read the Guidelines for P2P Programs (http://spywarewarrior.com/viewtopic.php?t=26216) where we explain why it's not a good idea to have them.

Also available here (http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394).

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Step # 1: Run CFScript


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

Folder::

c:\program files\DNA
c:\documents and settings\Ian Schmidt\Application Data\DNA
c:\program files\eMule

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Note: This CFScript is for use on monstar's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
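
The firewall exception list and Run keys in the ComboFix log above are the raw material for both the check a helper makes before writing a CFScript and the CFScript itself. The following is an added example, not part of this thread and not ComboFix's own code: it parses the `Reg Loading Points` section (a constructed excerpt modelled on the log above is embedded in the script), flags any firewall exception whose file name is a core Windows binary but whose directory is not the one that binary normally lives in (svchost.exe belongs in %windir%\system32, so the log's exception for `%windir%\system32\drivers\svchost.exe` is one to verify rather than assume), reports whether the standard-profile firewall is off (`"EnableFirewall"= 0` in the log), and drafts the KILLALL::/Folder::/Registry:: sections of a CFScript for a set of folders using the `"name"=-` delete syntax the script above uses. The `EXPECTED_DIR` table, the function names and the sample excerpt are this example's own assumptions.

```python
"""Added example: triage the 'Reg Loading Points' section of a ComboFix log."""
import re
from collections import OrderedDict

# Constructed excerpt modelled on the ComboFix log in this thread, not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-14 323392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
WINDIR = r"c:\windows"
# Directory under WINDIR where each core XP binary lives (a short table chosen
# for this example; extend it with other names you want checked).
EXPECTED_DIR = {n: "system32" for n in
                ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe")}

def parse_reg_points(text):
    """Return an ordered {key: [(name, data), ...]} for every [key] block."""
    keys, current = OrderedDict(), None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2)))
    return keys

def _referenced_path(name, data):
    """Path a line refers to: the quoted data of a Run value, or the value name
    itself for firewall exception lines (which carry no data)."""
    data = data.strip()
    return data[1:].split('"', 1)[0] if data.startswith('"') else name

def _normalise(path):
    """Collapse the log's doubled backslashes, expand %windir%, lower-case."""
    return path.replace("\\\\", "\\").lower().replace("%windir%", WINDIR)

def find_masquerading(keys):
    """Firewall exceptions whose file name is a core Windows binary but whose
    directory is not the one that binary normally lives in."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(r"authorizedapplications\list"):
            continue
        for name, data in values:
            directory, _, base = _normalise(_referenced_path(name, data)).rpartition("\\")
            if base in EXPECTED_DIR and directory != WINDIR + "\\" + EXPECTED_DIR[base]:
                hits.append(name)
    return hits

def firewall_disabled(keys):
    """True when the standard profile carries "EnableFirewall"= 0."""
    for key, values in keys.items():
        if key.lower().endswith(r"firewallpolicy\standardprofile"):
            if any(n == "EnableFirewall" and d.split()[:1] == ["0"] for n, d in values):
                return True
    return False

def draft_cfscript(keys, folders):
    """Draft KILLALL::/Folder::/Registry:: sections that remove `folders` and
    every loading-point value pointing inside them ("name"=- deletes a value)."""
    prefixes = [f.lower() + "\\" for f in folders]
    to_delete = OrderedDict()
    for key, values in keys.items():
        for name, data in values:
            if any(_normalise(_referenced_path(name, data)).startswith(p) for p in prefixes):
                to_delete.setdefault(key, []).append(name)
    lines = ["KILLALL::", "", "Folder::", ""] + list(folders) + ["", "Registry::", ""]
    for key, names in to_delete.items():
        lines.append("[%s]" % key)
        lines.extend('"%s"=-' % n for n in names)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    points = parse_reg_points(SAMPLE_LOG)
    print("firewall disabled:", firewall_disabled(points))
    print("exceptions to check:", find_masquerading(points))
    print(draft_cfscript(points, [r"c:\program files\DNA", r"c:\program files\eMule"]))
```

Run against the excerpt, `draft_cfscript` reproduces the Registry:: lines of the script posted above (the Run value `"BitTorrent DNA"=-` and the firewall exception `"c:\\Program Files\\DNA\\btdna.exe"=-`), and `find_masquerading` returns only the svchost.exe exception under system32\drivers. A draft like this is a starting point for the helper to read line by line, not something to hand to ComboFix unreviewed; as the post says, a CFScript is specific to the one machine whose log it was written from.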

MONSTAR
2010-03-21, 17:56
I'd uninstalled eMule and BitTorrent a few days ago... They weren't in my add/remove programs list. I did remove the DNA program (don't remember installing it :confused: )

After I dragged CFScript onto the combofix icon, ComboFix requested to update itself to the new version, I let it go ahead. Here's the new ComboFix log:

ComboFix 10-03-20.06 - Ian Schmidt 03/21/2010 12:23:12.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.242 [GMT -4:00]
Running from: c:\documents and settings\Ian Schmidt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ian Schmidt\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100321-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\DNA
c:\program files\DNA\plugins\npbtdna.dll
c:\program files\eMule
c:\program files\eMule\Temp\005.part
c:\program files\eMule\Temp\005.part.met
c:\program files\eMule\Temp\005.part.met.bak
c:\program files\eMule\Temp\006.part
c:\program files\eMule\Temp\006.part.met
c:\program files\eMule\Temp\006.part.met.bak

.
((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
.

2010-03-19 01:30 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-13 23:51 . 2010-03-14 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-13 23:51 . 2010-03-13 23:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 22:30 . 2010-03-13 22:30 -------- d-----w- c:\program files\Trend Micro
2010-03-13 22:21 . 2010-03-13 22:21 -------- d-----w- c:\program files\ERUNT
2010-03-13 22:15 . 2010-03-13 22:15 -------- d-----w- c:\documents and settings\Ian Schmidt\Local Settings\Application Data\Threat Expert
2010-03-13 01:55 . 2010-03-13 01:59 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-13 00:43 . 2010-03-13 00:43 -------- d-----w- c:\documents and settings\Ian Schmidt\Application Data\Malwarebytes
2010-03-13 00:42 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 00:42 . 2010-03-13 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-13 00:42 . 2010-03-13 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 00:42 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 01:01 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-11 01:01 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-11 01:01 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2010-03-11 01:01 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-11 01:01 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-11 01:01 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2010-03-11 01:00 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-11 01:00 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-11 01:00 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-11 00:59 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-11 00:59 . 2010-03-11 01:01 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-11 00:59 . 2010-03-13 11:54 -------- d-----w- c:\program files\Spyware Doctor
2010-03-11 00:59 . 2010-03-11 00:59 -------- d-----w- c:\documents and settings\Ian Schmidt\Application Data\PC Tools
2010-03-11 00:59 . 2010-03-11 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-11 00:58 . 2010-03-21 16:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 01:45 . 2010-03-02 01:45 -------- d-----w- c:\program files\CCleaner
2010-02-25 05:52 . 2010-03-18 08:57 -------- d-----w- c:\documents and settings\Ian Schmidt\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 15:13 . 2010-02-06 15:11 -------- d-----w- c:\program files\iTunes
2010-02-06 15:12 . 2010-02-06 15:12 -------- d-----w- c:\program files\iPod
2010-02-06 15:12 . 2008-09-21 18:30 -------- d-----w- c:\program files\Common Files\Apple
2010-02-04 01:05 . 2010-01-27 01:43 28496 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-30 17:47 . 2005-12-27 17:33 -------- d-----w- c:\program files\Google
2010-01-30 17:16 . 2010-01-30 17:16 -------- d-----w- c:\program files\MSXML 4.0
2010-01-28 23:59 . 2010-01-28 23:58 -------- d-----w- c:\documents and settings\Ian Schmidt\Application Data\HP
2010-01-28 23:59 . 2010-01-28 23:31 117655 ----a-w- c:\windows\hpoins11.dat
2010-01-28 23:58 . 2010-01-28 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-28 23:57 . 2010-01-28 23:56 -------- d-----w- c:\program files\Common Files\HP
2010-01-28 23:57 . 2008-11-11 02:40 -------- d-----w- c:\program files\HP
2010-01-28 23:54 . 2010-01-28 23:53 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-28 23:31 . 2008-07-09 02:50 29048 ----a-w- c:\documents and settings\Ian Schmidt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-28 01:20 . 2010-01-28 01:19 -------- d-----w- c:\program files\Microsoft IntelliPoint
2010-01-23 21:30 . 2010-01-23 21:29 -------- d-----w- c:\program files\QuickTime
2010-01-23 20:52 . 2010-01-23 20:51 -------- d-----w- c:\program files\Safari
2010-01-05 10:00 . 2005-12-27 04:23 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-12-27 04:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-12-27 04:22 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2005-12-27 04:23 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-11-06 18:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-11-06 18:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-19 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-01-18 126976]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2005-03-18 81920]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe"
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-05 28672]
"TFncKy"="TFncKy.exe" [BU]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"ZoomingHook"="ZoomingHook.exe" [2005-06-06 24576]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-14 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-01 671744]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-11-06 49168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"\\TALON5-5NET\EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Auto EPSON Stylus Photo R200 Series on TALON5-5NET"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-02 524632]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\documents and settings\Ian Schmidt\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Bluetooth Monitor.lnk - c:\program files\TOSHIBA\Bluetooth Monitor\BtMon2.exe [2008-7-8 65536]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Metamail Trust Manager.lnk - c:\program files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2005-12-27 329472]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-27 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-11-06 18:34 52224 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/15/2009 11:24 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/10/2010 9:00 PM 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/16/2009 9:17 AM 114768]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [12/27/2005 1:21 PM 5888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/16/2009 9:17 AM 20560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [3/10/2010 9:01 PM 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [12/27/2005 1:21 PM 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/17/2009 12:28 PM 24652]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/27/2005 8:29 PM 35968]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 1:47 PM 135664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/10/2010 8:59 PM 365280]
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 03:25]

2010-03-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:47]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:47]

2005-10-25 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-12-27 00:12]

2005-10-25 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-12-27 00:12]

2005-10-25 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-12-27 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Ian Schmidt\Application Data\Mozilla\Firefox\Profiles\oc2sujip.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 12:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\Protector Suite QL\biokmd.dll

- - - - - - - > 'lsass.exe'(992)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3184)
c:\windows\system32\WININET.dll
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\ieframe.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\AGRSMMSG.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TCtrlIOHook.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\TOSHIBA\TME3\TMEEJME.EXE
c:\windows\system32\ZoomingHook.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\progra~1\METAMA~1\METAMA~1\METAMA~2.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
c:\toshiba\ivp\ism\ivpsvmgr.exe
.
**************************************************************************
.
Completion time: 2010-03-21 12:46:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-21 16:46
ComboFix2.txt 2010-03-20 15:29

Pre-Run: 33,837,023,232 bytes free
Post-Run: 33,760,948,224 bytes free

- - End Of File - - 992978BA908FEC12E2D77AB57D4641C9

Here is DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ian Schmidt at 12:49:32.00 on Sun 03/21/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.130 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100321-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ian Schmidt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TFncKy] TFncKy.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [\\TALON5-5NET\EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p44 "\\talon5-5net\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
mRun: [Auto EPSON Stylus Photo R200 Series on TALON5-5NET] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p50 "auto epson stylus photo r200 series on talon5-5net" /o21 "\\talon5-5net\Printer" /M "Stylus Photo R200"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\iansch~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\iansch~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth monitor\BtMon2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\metama~1.lnk - c:\program files\metamail inc\metamail tray\Metamail Trust Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\iansch~1\applic~1\mozilla\firefox\profiles\oc2sujip.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-15 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-10 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-16 114768]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2005-12-27 5888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-16 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-16 138680]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-10 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2005-12-27 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-17 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-16 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-16 352920]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-12-27 35968]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-3-10 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-3-10 1141712]

=============== Created Last 30 ================

2010-03-20 14:55:35 0 d-sha-r- C:\cmdcons
2010-03-20 14:53:08 98816 ----a-w- c:\windows\sed.exe
2010-03-20 14:53:08 77312 ----a-w- c:\windows\MBR.exe
2010-03-20 14:53:08 261632 ----a-w- c:\windows\PEV.exe
2010-03-20 14:53:08 161792 ----a-w- c:\windows\SWREG.exe
2010-03-19 01:30:32 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-13 23:51:20 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 23:51:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-13 22:30:33 0 d-----w- c:\program files\Trend Micro
2010-03-13 00:43:03 0 d-----w- c:\docume~1\iansch~1\applic~1\Malwarebytes
2010-03-13 00:42:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 00:42:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-13 00:42:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 00:42:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 12:44:49 0 ----a-w- c:\windows\CeEKey.INI
2010-03-11 01:01:01 882 ----a-w- c:\windows\RegSDImport.xml
2010-03-11 01:01:01 879 ----a-w- c:\windows\RegISSImport.xml
2010-03-11 01:01:01 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-03-11 01:01:01 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-11 01:01:01 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-11 01:01:01 131 ----a-w- c:\windows\IDB.zip
2010-03-11 01:01:00 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-11 01:01:00 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-11 01:01:00 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-03-11 01:01:00 1152444 ----a-w- c:\windows\UDB.zip
2010-03-11 01:00:35 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-03-11 01:00:35 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-11 01:00:08 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-11 01:00:08 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-03-11 01:00:08 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-11 01:00:08 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-11 00:59:40 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-03-11 00:59:40 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-11 00:59:11 0 d-----w- c:\program files\common files\PC Tools
2010-03-11 00:59:10 0 d-----w- c:\program files\Spyware Doctor
2010-03-11 00:59:10 0 d-----w- c:\docume~1\iansch~1\applic~1\PC Tools
2010-03-11 00:59:10 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-03-02 01:45:49 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-02-04 01:05:37 28496 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-28 23:59:18 117655 ----a-w- c:\windows\hpoins11.dat
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2008-08-28 07:06:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 12:49:57.78 ===============

tashi
2010-03-22, 05:53
Post to see second page, please ignore.

km2357
2010-03-22, 19:20
Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u18 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:


J2SE Runtime Environment 5.0 Update 4


Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.



Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!


Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
Then select the items you wish to clean up.

In the Windows Tab:

Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose

Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO



Step # 3 Run Malwarebytes' Anti-Malware

Launch Malwarebytes' Anti-Malware.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.


Post the MalwareBytes' Log in your next post/reply.

MONSTAR
2010-03-23, 02:27
The malwarebytes log looks promising! :laugh:

Malwarebytes' Anti-Malware 1.44
Database version: 3902
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/22/2010 9:24:32 PM
mbam-log-2010-03-22 (21-24-32).txt

Scan type: Quick Scan
Objects scanned: 125671
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

km2357
2010-03-23, 19:07
Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)


First, go to Add/Remove Programs and uninstall Adobe Reader 7.1.0.
Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.3.1 is a large program and if you prefer a smaller program you can get Foxit 3.2.0 instead from http://www.foxitsoftware.com/downloads/index.php

If you decide to install Foxit 3.2.0 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay


Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?

MONSTAR
2010-03-24, 01:58
Well the Kaspersky scan got to the 25% point and then stalled out :slap:

There was a note at the bottom of the screen saying that I should turn off all anti-virus scanners and then try to run the Kaspersky scan again. I turned off Avast before I started the scan so I don't know what it's talking about... I'll try to run the scan again when I have a chance.

km2357
2010-03-24, 05:05
If Kaspersky stalls/fails on you again let me know and I'll have you use another online scanner in its place.

MONSTAR
2010-03-27, 22:50
Kaspersky has failed again, can we try another program?

km2357
2010-03-28, 06:32
Let's try this one:

I'd like us to scan your machine with ESET OnlineScan. Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Make sure that Remove found threats is unchecked.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

MONSTAR
2010-03-29, 14:02
This is the full log I got back:

C:\System Volume Information\_restore{B23010C4-2A6E-4DDE-90C8-631B47A3E4C5}\RP565\A0076687.sys Win32/Olmarik.TM trojan cleaned - quarantined

km2357
2010-03-29, 20:09
What ESET found and quarantined was an infected System Restore point. Infected System Restore points are harmless where they are. I'll show you how to remove them (if you have any more) and set a new, clean restore point in an upcoming post.

I need to see a fresh DDS Log and let me know how your computer is doing.

MONSTAR
2010-03-30, 00:14
My computer has been running okay speed-wise. I haven't been noticing any problems either.

Here's the DDS log

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ian Schmidt at 18:10:38.96 on Mon 03/29/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.88 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100329-2] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ian Schmidt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://today.ask.com/foxit?o=101706&l=dis
uInternet Settings,ProxyOverride = *.local
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [TFncKy] TFncKy.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TPNF] c:\program files\toshiba\touchpad\TPTray.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [CeEKEY] c:\program files\toshiba\e-key\CeEKey.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [\\TALON5-5NET\EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p44 "\\talon5-5net\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
mRun: [Auto EPSON Stylus Photo R200 Series on TALON5-5NET] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p50 "auto epson stylus photo r200 series on talon5-5net" /o21 "\\talon5-5net\Printer" /M "Stylus Photo R200"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\iansch~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\iansch~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth monitor\BtMon2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\metama~1.lnk - c:\program files\metamail inc\metamail tray\Metamail Trust Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\iansch~1\applic~1\mozilla\firefox\profiles\oc2sujip.default\
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-15 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-10 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-16 114768]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2005-12-27 5888]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\vmlaunch\BuddyVM.sys [2010-3-26 15488]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-16 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-16 138680]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-10 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2005-12-27 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-17 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-16 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-16 352920]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-12-27 35968]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-3-10 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-3-10 1141712]

=============== Created Last 30 ================

2010-03-29 00:43:54 0 d-----w- c:\program files\ESET
2010-03-27 05:43:37 0 d-----w- c:\program files\ZYX
2010-03-26 22:23:43 0 d-----w- c:\program files\VMLaunch
2010-03-23 22:42:08 0 d-----w- c:\docume~1\iansch~1\applic~1\Foxit
2010-03-23 22:41:45 0 d-----w- c:\program files\Foxit Software
2010-03-23 00:38:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-23 00:38:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-20 14:55:35 0 d-sha-r- C:\cmdcons
2010-03-20 14:53:08 98816 ----a-w- c:\windows\sed.exe
2010-03-20 14:53:08 77312 ----a-w- c:\windows\MBR.exe
2010-03-20 14:53:08 261632 ----a-w- c:\windows\PEV.exe
2010-03-20 14:53:08 161792 ----a-w- c:\windows\SWREG.exe
2010-03-19 01:30:32 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-13 23:51:20 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 23:51:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-13 22:30:33 0 d-----w- c:\program files\Trend Micro
2010-03-13 00:43:03 0 d-----w- c:\docume~1\iansch~1\applic~1\Malwarebytes
2010-03-13 00:42:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-13 00:42:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-13 00:42:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 00:42:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-11 12:44:49 0 ----a-w- c:\windows\CeEKey.INI
2010-03-11 01:01:01 882 ----a-w- c:\windows\RegSDImport.xml
2010-03-11 01:01:01 879 ----a-w- c:\windows\RegISSImport.xml
2010-03-11 01:01:01 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-03-11 01:01:01 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-11 01:01:01 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-11 01:01:01 131 ----a-w- c:\windows\IDB.zip
2010-03-11 01:01:00 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-11 01:01:00 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-11 01:01:00 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-03-11 01:01:00 1152444 ----a-w- c:\windows\UDB.zip
2010-03-11 01:00:35 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-03-11 01:00:35 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-11 01:00:08 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-11 01:00:08 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-03-11 01:00:08 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-11 01:00:08 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-11 00:59:40 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-03-11 00:59:40 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-11 00:59:11 0 d-----w- c:\program files\common files\PC Tools
2010-03-11 00:59:10 0 d-----w- c:\program files\Spyware Doctor
2010-03-11 00:59:10 0 d-----w- c:\docume~1\iansch~1\applic~1\PC Tools
2010-03-11 00:59:10 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-03-02 01:45:49 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-02-04 01:05:37 28496 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-28 23:59:18 117655 ----a-w- c:\windows\hpoins11.dat
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2008-08-28 07:06:37 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 18:11:27.57 ===============


Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/25/2005 11:06:34 AM
System Uptime: 3/29/2010 4:20:50 PM (2 hours ago)

Motherboard: TOSHIBA | | HAQAA
Processor: Genuine Intel(R) CPU T1300 @ 1.66GHz | U2E1 | 1662/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 52 GiB total, 28.989 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ACPI\TOS620A\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\TOS620A\2&DABA3FF&0
Service:

==== System Restore Points ===================

RP496: 12/29/2009 11:43:45 PM - System Checkpoint
RP497: 12/30/2009 11:57:47 PM - System Checkpoint
RP498: 1/1/2010 12:32:30 AM - System Checkpoint
RP499: 1/2/2010 1:32:34 AM - System Checkpoint
RP500: 1/3/2010 2:32:34 AM - System Checkpoint
RP501: 1/4/2010 3:32:34 AM - System Checkpoint
RP502: 1/5/2010 3:56:16 AM - System Checkpoint
RP503: 1/6/2010 4:44:31 AM - System Checkpoint
RP504: 1/7/2010 5:44:32 AM - System Checkpoint
RP505: 1/8/2010 6:44:30 AM - System Checkpoint
RP506: 1/9/2010 7:44:30 AM - System Checkpoint
RP507: 1/10/2010 3:23:31 PM - System Checkpoint
RP508: 1/15/2010 7:59:43 PM - System Checkpoint
RP509: 1/19/2010 5:25:05 PM - System Checkpoint
RP510: 1/20/2010 7:16:32 PM - System Checkpoint
RP511: 1/21/2010 9:20:30 AM - Software Distribution Service 3.0
RP512: 1/23/2010 2:15:07 PM - Software Distribution Service 3.0
RP513: 1/23/2010 4:22:52 PM - Removed QuickTime
RP514: 1/23/2010 4:29:46 PM - Installed QuickTime
RP515: 1/24/2010 7:12:09 PM - System Checkpoint
RP516: 1/25/2010 9:02:47 PM - System Checkpoint
RP517: 1/26/2010 9:09:05 PM - System Checkpoint
RP518: 1/27/2010 11:59:44 PM - System Checkpoint
RP519: 1/28/2010 6:54:12 PM - Installed HPSU306Stub
RP520: 1/29/2010 11:33:10 PM - System Checkpoint
RP521: 1/30/2010 12:16:30 PM - Software Distribution Service 3.0
RP522: 1/31/2010 10:43:40 AM - Software Distribution Service 3.0
RP523: 2/1/2010 8:25:03 PM - System Checkpoint
RP524: 2/2/2010 10:20:33 PM - System Checkpoint
RP525: 2/4/2010 12:31:05 AM - System Checkpoint
RP526: 2/5/2010 7:10:51 AM - System Checkpoint
RP527: 2/6/2010 10:30:32 AM - System Checkpoint
RP528: 2/7/2010 1:11:37 PM - System Checkpoint
RP529: 2/8/2010 2:00:50 PM - System Checkpoint
RP530: 2/9/2010 3:00:53 PM - System Checkpoint
RP531: 2/10/2010 3:00:23 AM - Software Distribution Service 3.0
RP532: 2/11/2010 7:58:58 PM - System Checkpoint
RP533: 2/12/2010 10:24:35 PM - System Checkpoint
RP534: 2/14/2010 9:29:19 AM - System Checkpoint
RP535: 2/15/2010 11:23:24 AM - System Checkpoint
RP536: 2/16/2010 11:57:14 AM - System Checkpoint
RP537: 2/17/2010 12:56:52 PM - System Checkpoint
RP538: 2/18/2010 6:53:40 PM - System Checkpoint
RP539: 2/19/2010 6:59:09 PM - System Checkpoint
RP540: 2/20/2010 7:58:55 PM - System Checkpoint
RP541: 2/21/2010 8:28:51 PM - System Checkpoint
RP542: 2/22/2010 10:28:35 PM - System Checkpoint
RP543: 2/23/2010 11:22:50 PM - System Checkpoint
RP544: 2/24/2010 3:00:15 AM - Software Distribution Service 3.0
RP545: 2/25/2010 3:02:53 AM - System Checkpoint
RP546: 2/26/2010 4:02:56 AM - System Checkpoint
RP547: 2/27/2010 4:59:47 AM - System Checkpoint
RP548: 2/28/2010 5:45:45 AM - System Checkpoint
RP549: 3/1/2010 6:50:40 AM - System Checkpoint
RP550: 3/2/2010 7:07:27 PM - System Checkpoint
RP551: 3/3/2010 7:21:45 PM - System Checkpoint
RP552: 3/4/2010 9:07:32 PM - System Checkpoint
RP553: 3/5/2010 10:15:47 PM - System Checkpoint
RP554: 3/6/2010 11:13:46 PM - System Checkpoint
RP555: 3/8/2010 6:02:53 PM - System Checkpoint
RP556: 3/9/2010 6:49:06 PM - System Checkpoint
RP557: 3/10/2010 8:34:19 PM - System Checkpoint
RP558: 3/11/2010 8:43:02 PM - System Checkpoint
RP559: 3/12/2010 11:29:10 PM - System Checkpoint
RP560: 3/14/2010 12:58:32 AM - System Checkpoint
RP561: 3/15/2010 1:55:59 AM - System Checkpoint
RP562: 3/16/2010 2:55:58 AM - System Checkpoint
RP563: 3/17/2010 3:56:00 AM - System Checkpoint
RP564: 3/18/2010 4:55:51 AM - System Checkpoint
RP565: 3/19/2010 10:10:05 PM - Software Distribution Service 3.0
RP566: 3/21/2010 1:19:53 PM - System Checkpoint
RP567: 3/22/2010 2:13:43 PM - System Checkpoint
RP568: 3/22/2010 8:27:16 PM - Removed J2SE Runtime Environment 5.0 Update 4
RP569: 3/22/2010 8:37:25 PM - Installed Java(TM) 6 Update 18
RP570: 3/23/2010 6:22:56 PM - Removed Adobe Reader 7.1.0
RP571: 3/24/2010 7:32:53 PM - System Checkpoint
RP572: 3/25/2010 8:15:43 PM - System Checkpoint
RP573: 3/26/2010 9:11:37 PM - System Checkpoint
RP574: 3/28/2010 12:38:34 AM - System Checkpoint
RP575: 3/29/2010 7:33:47 AM - System Checkpoint

==== Installed Programs ======================

AC3File (remove only)
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
AIM 6
AiOSoftwareNPI
ALPS Touch Pad Driver
AOL Coach Version 2.0(Build:20041026.5 en)
AOL You've Got Pictures Screensaver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
avast! Antivirus
Bluetooth Monitor 2
Bluetooth Stack for Windows by Toshiba
Bonjour
Browser Defender 2.0.6.15
BufferChm
CCleaner
CD/DVD Drive Acoustic Silencer
CDisplay 1.8
DeductionPro 2008
Delete The Sagara Family - Download Edition
Delete Virtual-Mate Launcher
Destinations
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DocProc
DocProcQFolder
DVD-RAM Driver
ERUNT 1.1j
ESET Online Scanner v3
eSupportQFolder
F300
F300_Help
Fax_CDA
Foxit Reader
Google Toolbar for Internet Explorer
Google Update Helper
Hard Disk Recovery Utilities
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevicesMFC
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 18
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Metamail (Toshiba Registration Utility)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MobileMe Control Panel
Mozilla Firefox (3.5.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyConnect Special Offer
NewCopy_CDA
OCR Software by I.R.I.S 7.0
ProductContextNPI
Protector Suite QL 5.6
QFolder
QuickTime
Readme
Realtek High Definition Audio Driver
Safari
Scan
ScannerCopy
SD Secure Module
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sid Meier's Civilization 4 Gold
Skype™ 3.8
SMSC IrCC V5.1.3600.5 SP2
SolutionCenter
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy
Spyware Doctor 7.0
Status
TaxCut Basic + Efile 2008
TaxCut New Jersey 2008
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Toolbox
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Fn-esse
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA Mobile Extension3 for Windows XP V3.79.00.XP.C
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Zooming Utility
Touch and Launch
TouchPad On/Off Utility
TrayApp
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Utility Common Driver
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows SD Host Controller Driver
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.1.3 final uninstall
Yahoo! Music Engine

==== Event Viewer Messages From Past Week ========

3/23/2010 6:37:13 PM, error: Service Control Manager [7034] - The avast! Web Scanner service terminated unexpectedly. It has done this 1 time(s).
3/23/2010 6:35:17 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the avast! Web Scanner service to connect.
3/23/2010 6:35:17 PM, error: Service Control Manager [7000] - The avast! Web Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

km2357
2010-03-30, 02:21
Good to hear that the computer is not experiencing any problems. :)

You can delete the following off of your computer:

DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log

To remove ComboFix from your computer, do the following:

Go to Start > Run - type in ComboFix /Uninstall & click OK

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked, please check "Hide protected operating system files (Recommended)"
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK

Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm) Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html) If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button on the task bar at the bottom of your screen
Click run
In the dialog box, type services.msc and hit enter, then locate dns client
Highlight it, then doubleclick it.
On the dropdown box, change the setting from automatic to manual.
Click ok.
Use an alternative instant messenger program. Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.
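The six Custom Level changes in the post above correspond to named DWORD values under the Internet zone key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, where 0 means Enable, 1 means Prompt and 3 means Disable (Microsoft KB 182569 documents the value names). The script below is an added example and is not part of the original thread or of any tool mentioned in it: it audits a snapshot of those values against the settings the post recommends and reports which ones are weaker. The registry read is only attempted on Windows; elsewhere you pass a dictionary to audit_zone, and the SAMPLE_WEAK dictionary is constructed for the example rather than taken from any real machine.

```python
import sys

# Registry path of the Internet zone (zone 3) under HKCU; value names per Microsoft KB 182569.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value name -> (label shown in the Custom Level dialog, setting recommended in the post above)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def read_internet_zone():
    """Read the audited values from HKCU. Works on Windows only; raises OSError elsewhere."""
    if sys.platform != "win32":
        raise OSError("registry read needs Windows; pass a dict to audit_zone() instead")
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                values[name] = int(data)
            except FileNotFoundError:
                pass  # value absent: IE uses its built-in default, reported as "not set" below
    return values


def audit_zone(current):
    """Return (value_name, label, current, recommended) for each setting weaker than recommended.

    The three levels order as Enable (0) < Prompt (1) < Disable (3), so a numerically lower
    value is more permissive. A missing value is reported too, because the effective default
    cannot be confirmed from the registry snapshot alone.
    """
    findings = []
    for name, (label, wanted) in RECOMMENDED.items():
        have = current.get(name)
        if have is None or have < wanted:
            findings.append((name, label, have, wanted))
    return findings


def format_findings(findings):
    """Render audit results as one line per weak setting."""
    lines = []
    for name, label, have, wanted in findings:
        cur = "not set" if have is None else LEVEL_NAME.get(have, str(have))
        lines.append(f"{name} {label}: is {cur}, should be {LEVEL_NAME[wanted]}")
    return lines


# Constructed sample of a permissive zone: ActiveX downloads enabled, 1607 never set.
SAMPLE_WEAK = {"1001": ENABLE, "1004": ENABLE, "1201": DISABLE, "1800": ENABLE, "1804": ENABLE}

if __name__ == "__main__":
    try:
        current = read_internet_zone()
    except OSError:
        current = SAMPLE_WEAK  # off-Windows demo run
    for line in format_findings(audit_zone(current)) or ["all audited settings meet the recommendation"]:
        print(line)
```

Run it after applying the dialog changes: an empty report means the six values are at or above the recommended level. Only 0, 1 and 3 are expected for these values; anything else is printed as its raw number so you can look at it by hand.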

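The post above recommends the MVPS hosts file, and the thread opened with safer-networking.org and malwarebytes.org being unreachable while other sites worked. The script below is an added example, not part of the original thread or of the MVPS project: it parses a hosts file and separates ordinary blocking entries (a name pointed at 0.0.0.0 or 127.0.0.1) from two kinds of entry a blocking list never needs: a security or update vendor's name mapped anywhere at all, and any name mapped to a routable address outside the LAN ranges. The vendor suffix list and the sample hosts text are constructed for this example.

```python
import ipaddress
import sys

# Names a legitimate ad/malware blocking list never needs to touch. Constructed for this
# example from the sites the thread could not reach plus a few vendor/update domains.
PROTECTED_SUFFIXES = (
    "safer-networking.org",
    "malwarebytes.org",
    "microsoft.com",
    "windowsupdate.com",
    "avast.com",
    "pctools.com",
    "lavasoft.com",
)

# Addresses that blocking lists use to blackhole a name.
BLACKHOLE = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}

# Ranges where a hand-added LAN name (print server, NAS) is normal and not flagged.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
             "fc00::/7", "fe80::/10")]


def parse_hosts(text):
    """Return (lineno, ip_or_None, [names]) per non-comment line; ip is None if unparseable."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append((lineno, None, parts))
            continue
        entries.append((lineno, ip, [h.lower() for h in parts[1:]]))
    return entries


def _is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def _is_lan(ip):
    return any(ip in net for net in LAN_NETS)


def audit_hosts(text):
    """Return findings as (lineno, kind, message); kind is 'hijack', 'redirect' or 'malformed'."""
    findings = []
    saw_localhost = False
    for lineno, ip, hosts in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "malformed", "unparseable line: " + " ".join(hosts)))
            continue
        if ip == ipaddress.ip_address("127.0.0.1") and "localhost" in hosts:
            saw_localhost = True
        for host in hosts:
            if _is_protected(host):
                findings.append((lineno, "hijack", f"{host} -> {ip} (security/update site overridden)"))
            elif ip not in BLACKHOLE and not _is_lan(ip):
                findings.append((lineno, "redirect", f"{host} -> {ip} (routable address, not a blackhole)"))
    if not saw_localhost:
        findings.append((0, "malformed", "missing '127.0.0.1 localhost' entry"))
    return findings


# Constructed sample: two blocking entries, one LAN name, two vendor overrides, one redirect
# (203.0.113.0/24 is a documentation range, used here so no real host is named), one bad line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ads.example.net            # MVPS-style blocking entry
127.0.0.1 tracker.example.org      # also a blocking entry
192.168.1.20 printserver           # LAN name, not flagged
127.0.0.1 www.safer-networking.org
127.0.0.1 www.malwarebytes.org
203.0.113.7 www.google.com
not-an-ip bogus.example
"""

if __name__ == "__main__":
    # Usage: python hosts_audit.py [path]; with no path the constructed sample is audited.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for lineno, kind, msg in audit_hosts(text):
        print(f"line {lineno}: {kind}: {msg}")
```

On Windows XP the live file is C:\WINDOWS\system32\drivers\etc\hosts. A clean MVPS install produces no findings; "hijack" lines are worth removing regardless of how they got there, and a "redirect" line should be explained by you, not by the blocking list.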
MONSTAR
2010-03-31, 03:59
km,
Thank you so much for all your help! I've read through your last message and I'll take the time to complete as many of the steps as I can


Have a great day!

km2357
2010-03-31, 20:08
You're welcome. I'm glad I was able to help you out. :)

Good luck and safe surfing!