Browser hijack stopping update/access to Spybot



sassenach
2010-03-29, 17:20
I am having trouble with my second laptop when I try to access websites such as safer-networking.org or Malwarebytes.org. Browser works fine in other respects. Also won't update Windows or ESET.

I have run both Spybot (after saving to pen drive and running on the laptop) and Malwarebytes and also used ESET smart security to scan.

Ran these under safe mode, but still no joy.

OS is Vista Premium SP2

Teatimer has been turned off and I have an ERUNT reg back up.

HJT logfile is below.

Thank you in advance.

_________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:02:45, on 29/03/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\Speech\Common\sapisvr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Michael\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
O4 - HKLM\..\Run: [Toshiba TEMPO] C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Toshiba TEMPRO] C:\Program Files\Toshiba TEMPRO\TemproTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\Users\Michael\AppData\Local\Temp\Lvh.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'Default user')
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51585390-698E-4A6D-8767-8E94DAE206B3}: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{87AA56ED-A143-48F5-91CC-8BF49C8C7720}: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11719 bytes
___________________________________________________

sassenach
2010-03-31, 11:59
Following other advice on the forum, I have deleted the entries below and updating is now possible. However, Malwarebytes is constantly showing alerts that it is blocking malicious IP addresses. Therefore there is still something left to remove:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{51585390-698E-4A6D-8767-8E94DAE206B3}: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{87AA56ED-A143-48F5-91CC-8BF49C8C7720}: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77
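A small triage helper, added here as an example and not part of this thread or of HijackThis itself: it parses lines in the HJT log format shown above and reports the kinds of entries removed in this post, namely O17 NameServer values outside an expected resolver list (the duplicates across CCS/CS1..CS5 are reported once), an orphaned "(no file)" BHO, and a Run entry launching from a Temp folder. The sample log, the EXPECTED_RESOLVERS allow-list and all function names are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in HijackThis v2.0.2 line format, modelled on entries in
# this thread; it is not a complete log.
SAMPLE_LOG = """\
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [egui] "C:\\Program Files\\ESET\\ESET Smart Security\\egui.exe" /hide /waitservice
O4 - HKCU\\..\\Run: [TOY5KNQ8OC] C:\\Users\\Michael\\AppData\\Local\\Temp\\Lvh.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.120,93.188.161.77
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1
"""

# Hypothetical allow-list: the resolvers this machine is expected to use
# (a home router here). Private addresses are also accepted as "local".
EXPECTED_RESOLVERS = {"192.168.1.1"}

O1_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return review items for HijackThis lines. The same value repeated
    across control sets (CCS, CS1, CS2, ...) is reported only once."""
    findings: List[Dict[str, str]] = []
    seen = set()

    def add(section: str, reason: str, value: str) -> None:
        if (section, value) not in seen:
            seen.add((section, value))
            findings.append({"section": section, "reason": reason, "value": value})

    for line in log_text.splitlines():
        line = line.strip()
        if m := O1_RE.match(line):
            # Only the loopback -> localhost mapping is expected; any other
            # hosts entry can silently redirect or blackhole a vendor's site.
            if m.group("host").lower() != "localhost":
                add("O1", "non-localhost hosts entry", f"{m.group('addr')} {m.group('host')}")
        elif m := O2_RE.match(line):
            # HJT marks a registered BHO whose DLL is missing as "(no file)":
            # an orphan registration that should be cleaned up.
            if m.group("path") == "(no file)":
                add("O2", "orphaned BHO (no file)", m.group("clsid"))
        elif m := O4_RE.match(line):
            # Autorun entries launching from a Temp folder are a common
            # persistence location and deserve a look.
            if TEMP_DIR_RE.search(m.group("cmd")):
                add("O4", "Run entry launches from a Temp folder",
                    f"[{m.group('name')}] {m.group('cmd')}")
        elif m := O17_RE.match(line):
            # Every resolver that is neither private nor on the allow-list is
            # reported so the owner can check it against the ISP's servers.
            for ip in (s.strip() for s in m.group("servers").split(",")):
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    add("O17", "unparseable NameServer value", ip)
                    continue
                if ip in EXPECTED_RESOLVERS or addr.is_private:
                    continue
                add("O17", "NameServer not in expected resolver list", ip)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:4} {f['reason']}: {f['value']}")
```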

Cypher
2010-04-02, 14:02
Hi and welcome to SNF; sorry for the delay, the forum is really busy.
My name is Cypher, and I will be helping you with your malware problems.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Read Back up your files (http://windows.microsoft.com/en-us/windows7/Back-up-your-files)

Please note the following important guidelines.

The instructions being given are for YOUR computer and system only!
Using these instructions on a different computer can damage that computer and possibly make it inoperable!
If you don't know or understand something, please don't hesitate to ask.
Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread, do not start another. Please continue responding until I give you the "All Clean".
Absence of symptoms does not mean that everything is clear.
Please DO NOT run any other tools or scans whilst I am helping you.
Please DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
Print each set of instructions... if possible...your Internet connection might not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
The logs from the tools we use can take some time to research so please be patient.


If you haven't done so already, please read this topic READ this Procedure BEFORE Requesting Assistance (http://forums.spybot.info/showthread.php?t=288) where the conditions for receiving help here are explained.


Please do not make any more changes to your system unless I tell you to do so.


Post a New HJT Log

Start HijackThis.
If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

Next.

Please post an Uninstall list.

Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.

Logs/Information to Post in your Next Reply


HijackThis log.
Uninstall list.
Please give me an update on your computers performance.

sassenach
2010-04-04, 14:00
Happy Easter Cypher and thanks for taking the time to help me.

Browser is not hijacking the Spybot, Malwarebytes, ESET, or Windows Update pages anymore since I removed the entries that I posted in my second post.
However Malwarebytes is continually blocking malicious websites using the IP protection scanner.
New logs are as follows, and I have created a backup as advised (and I have previously done an ERUNT backup)...
_______________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:50, on 04/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Michael\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
O4 - HKLM\..\Run: [Toshiba TEMPO] C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Toshiba TEMPRO] C:\Program Files\Toshiba TEMPRO\TemproTray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'Default user')
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10505 bytes
____________________________________________________________
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Camera Assistant Software for Toshiba
Canon MP620 series User Registration
Catalyst Control Center - Branding
CD/DVD Drive Acoustic Silencer
Compatibility Pack for the 2007 Office system
DVD MovieFactory for TOSHIBA
ERUNT 1.1j
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Inkjet Printer/Scanner Extended Survey Program
Java(TM) 6 Update 3
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 3.0 Runtime
MSVCRT
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
REALTEK RTL8187B Wireless LAN Driver
Realtek USB 2.0 Card Reader
Realtek WiFi Protected Setup Library
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Windows Media Encoder (KB954156)
Spotify
Spybot - Search & Destroy
SUPERAntiSpyware Professional
Synaptics Pointing Device Driver
System Requirements Lab
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA Manuals
Toshiba Online Product Information
TOSHIBA Recovery Disc Creator
TOSHIBA Software Modem
TOSHIBA Supervisor Password
Toshiba TEMPRO
TOSHIBA Value Added Package
TRDCReminder
TRORDCLauncher
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series

___________________________________________________________
:thanks:

Cypher
2010-04-04, 14:32
Hi sassenach.

Happy Easter Cypher and thanks for taking the time to help me
Happy Easter to you also, and you're most welcome.
OK, let's get a few scans done; please continue with the instructions below.


Vista Advice:

All applications I ask you to use will need to be run in Administrator mode, i.e. right-click on them and select Run as Administrator.
The operating system in use (Vista, aka Windows 6) comes with an inbuilt utility called User Access Control (UAC).
When prompted by this for anything I ask you to carry out, please select the option Allow.



Malwarebytes Anti-Malware:


Launch the application, Check for Updates >> Perform Quick Scan.
When the scan is complete, click OK, then Show Results to view the results.
Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Next.

Please download GMER Rootkit Scanner from here (http://www.gmer.net/download.php).
Right-click the .exe file and choose Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO.

http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following:
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button and wait for it to finish.
Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file.
Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Note: Do not run any programs while GMER is running.



Next.

RSIT (Random's System Information Tool)

Please download RSIT (http://images.malwareremoval.com/random/RSIT.exe) by random/random and save it to your desktop.

Right-click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
Please read the disclaimer, then click on Continue.
RSIT will start running. When done, two log files will be produced.
The first one, "log.txt", will be maximized.
The second one, "info.txt", will be minimized.
Please post the contents of both "log.txt" and "info.txt" in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)



Logs/Information to Post in your Next Reply


Malwarebytes log.
Gmer.txt log.
RSIT log.txt file contents and info.txt file contents.
Please give me an update on your computer's performance.
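
A small triage script for the GMER and HijackThis output the steps above ask for, added here as an example (it is not code from the thread, from GMER or from HijackThis): it separates a hidden boot-start service from the SSDT hooks that installed security products make legitimately, and flags O17 NameServer entries pointing outside the local network. The list of security-product path fragments is an assumption made for the example, and the sample lines are constructed in the format those tools print.

```python
"""Triage of a GMER rootkit-scan log and HijackThis O17 (DNS) lines.

Added example for this thread, not code from GMER, HijackThis or the forum
helper. Sample lines follow the format those tools print; the list of
security-product path fragments is an assumption made for the example.
"""
import ipaddress

# Installed security products routinely hook the SSDT and GMER still tags them
# "<-- ROOTKIT !!!" (the false positives the helper warns about). Assumed list.
KNOWN_SECURITY_PATHS = ("SUPERAntiSpyware", "ESET", "Malwarebytes")


def parse_gmer(text):
    """Return (hidden services, SSDT hooks, registry values per service)."""
    hidden = {}  # service name -> start class GMER prints, e.g. BOOT
    ssdt = []    # (driver path, hooked Zw* function, looks_benign)
    reg = {}     # service name -> {value name: data}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Service (*** hidden *** )"):
            # Service (*** hidden *** ) [BOOT] <name> <-- ROOTKIT !!!
            parts = line.split()
            hidden[parts[6]] = parts[5].strip("[]")
        elif line.startswith("SSDT "):
            # SSDT <driver path> <function> [0xADDR] <-- ROOTKIT !!!
            # The path may contain spaces, so split on the address marker.
            head = line.split(" [0x", 1)[0]
            path, _, func = head[len("SSDT "):].rpartition(" ")
            benign = any(k.lower() in path.lower() for k in KNOWN_SECURITY_PATHS)
            ssdt.append((path, func, benign))
        elif line.startswith("Reg HKLM\\SYSTEM\\"):
            # Reg HKLM\SYSTEM\<ControlSet>\Services\<name>@<value> <data>
            key, _, rest = line[len("Reg "):].partition("@")
            if "\\Services\\" not in key:
                continue
            service = key.rsplit("\\", 1)[-1]
            vname, _, data = rest.partition(" ")
            reg.setdefault(service, {})[vname] = data
    return hidden, ssdt, reg


def triage_gmer(text):
    """Hidden services are the real signal; SSDT hooks by known security
    drivers are informational; any other hook needs manual review."""
    hidden, ssdt, reg = parse_gmer(text)
    findings = []
    for name, start_class in hidden.items():
        values = reg.get(name, {})
        detail = f"hidden {start_class} service '{name}'"
        # Type 1 = kernel driver, Start 0 = boot start: it loads before the
        # file system and before any security product's own driver.
        if values.get("Type") == "1" and values.get("Start") == "0":
            detail += f" is a boot-start kernel driver (group: {values.get('Group', '?')})"
        findings.append(("HIGH", detail))
    for path, func, benign in ssdt:
        findings.append(("INFO" if benign else "REVIEW", f"SSDT hook on {func} by {path}"))
    return findings


def triage_o17(lines, expected_dns=()):
    """Flag O17 NameServer entries outside the local network and not in expected_dns."""
    findings = []
    for line in lines:
        if not line.startswith("O17 - "):
            continue
        key, sep, rest = line[len("O17 - "):].partition(": NameServer = ")
        if not sep:
            continue
        # HijackThis backups append "[date]"; a live log ends after the IPs.
        for server in rest.split(" ")[0].split(","):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append(("REVIEW", f"{key}: unparsable NameServer '{server}'"))
                continue
            if not addr.is_private and server not in expected_dns:
                findings.append(("REVIEW", f"{key}: DNS set to external resolver {server}"))
    return findings


# Constructed samples in the format of the GMER and HijackThis output posted here.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8F69C320] <-- ROOTKIT !!!
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] sdaxjvyf <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Group Boot Bus Extender
"""
SAMPLE_HJT = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77 [2010-03-31]",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1",
]

if __name__ == "__main__":
    for level, detail in triage_gmer(SAMPLE_GMER) + triage_o17(SAMPLE_HJT):
        print(f"[{level}] {detail}")
```

Pass your ISP's or router's resolver addresses in expected_dns so legitimate public DNS servers are not reported.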

sassenach
2010-04-04, 16:41
Hi Cypher...thanks for getting back so quickly.
I ran the Malwarebytes scan and it found a rootkit.agent.
I shut down immediately, but it still shows on GMER.
Logs as follows:
_________________________________________________________

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3952

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

04/04/2010 12:53:08
mbam-log-2010-04-04 (12-53-08).txt

Scan type: Quick scan
Objects scanned: 121849
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\sdaxjvyf.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
________________________________________________________________

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-04 14:11:20
Windows 6.0.6002 Service Pack 2
Running: 8ih3gfvs.exe; Driver: C:\Users\Michael\AppData\Local\Temp\fwddipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8F69C320] <-- ROOTKIT !!!

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 866CA650

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] sdaxjvyf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1

---- EOF - GMER 1.0.15 ----
______________________________________________________________

info.txt logfile of random's system information tool 1.06 2010-04-04 14:13:14

======Uninstall list======

-->"C:\Program Files\InstallShield Installation Information\{A644254B-92F6-4970-8635-AB0775371E72}\setup.exe" --u:{A644254B-92F6-4970-8635-AB0775371E72}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{622E6F16-0904-49B6-BBE1-4CC836314CCF}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{697AFC77-F318-4CD4-BF16-F50F4C1072DA}\setup.exe" -l0x9
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Camera Assistant Software for Toshiba-->C:\Program Files\InstallShield Installation Information\{37C866E4-AA67-4725-9E95-A39968DD7960}\setup.exe -runfromtemp -l0x0009
Canon MP620 series User Registration-->C:\Program Files\Canon\IJEREG\MP620 series\UNINST.EXE
Catalyst Control Center - Branding-->MsiExec.exe /I{69E5255D-9D43-4CFF-8984-843ABD7753B7}
CD/DVD Drive Acoustic Silencer-->C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe -runfromtemp -l0x0009 -removeonly
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DVD MovieFactory for TOSHIBA-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}\setup.exe" -l0x9
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
HijackThis 2.0.2-->"F:\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Inkjet Printer/Scanner Extended Survey Program-->C:\Program Files\Canon\IJPLM\SETUP.EXE -R
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Search Enhancement Pack-->MsiExec.exe /X{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Sync Framework Runtime Native v1.0 (x86)-->MsiExec.exe /I{8A74E887-8F0F-4017-AF53-CBA42211AAA5}
Microsoft Sync Framework Services Native v1.0 (x86)-->MsiExec.exe /I{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Microsoft WSE 3.0 Runtime-->MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Realtek 8169 8168 8101E 8102E Ethernet Driver-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m -nrg2709
REALTEK RTL8187B Wireless LAN Driver-->C:\Program Files\InstallShield Installation Information\{895722FE-25FE-4854-95AC-B0C42F9DBEDA}\Install.exe -uninst -l0x9
Realtek USB 2.0 Card Reader-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC24971E-1946-445D-8A82-CE685433FA7D}\setup.exe" -l0x9 -removeonly
Realtek WiFi Protected Setup Library-->C:\Program Files\InstallShield Installation Information\{02CA24DD-C8B0-4280-BE53-7862869C2EB1}\Install.exe -uninst -l0x9
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB978380)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {667A88D1-0369-4070-A62A-70672D68A9BF}
Security Update for Microsoft Office Excel 2007 (KB978382)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6DE3DABF-0203-426B-B330-7287D1003E86}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Windows Media Encoder (KB954156)-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E} MSIPATCHREMOVE={E836F1B7-43FB-46B0-A0D9-E4D2A5951659} /qb
Spotify-->"C:\Program Files\Spotify\uninstall.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Professional-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TOSHIBA Assist-->C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe -runfromtemp -l0x0009 -removeonly
TOSHIBA ConfigFree-->MsiExec.exe /X{0D5D0BEE-FBA9-4928-A50D-6CDFAB827755}
TOSHIBA Disc Creator-->MsiExec.exe /X{5DA0E02F-970B-424B-BF41-513A5018E4C0}
TOSHIBA DVD PLAYER-->C:\Program Files\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe -runfromtemp -l0x0009 -ADDREMOVE -removeonly
TOSHIBA Extended Tiles for Windows Mobility Center-->C:\Program Files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\setup.exe -runfromtemp -l0x0409
TOSHIBA Face Recognition-->"C:\Program Files\InstallShield Installation Information\{C730E42C-935A-45BB-A0C5-37E5234D111B}\setup.exe" -runfromtemp -l0x0409 -removeonly
TOSHIBA Face Recognition-->MsiExec.exe /I{C730E42C-935A-45BB-A0C5-37E5234D111B}
TOSHIBA Hardware Setup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2883F6F5-0509-43F3-868C-D50330DD9DD3}\setup.exe" -l0x9
TOSHIBA Manuals-->C:\Program Files\InstallShield Installation Information\{E7271ABF-69D3-4E9D-AA0A-2DE34C10A93D}\setup.exe -runfromtemp -l0x0009 -removeonly
Toshiba Online Product Information-->C:\Program Files\InstallShield Installation Information\{2290A680-4083-410A-ADCC-7092C67FC052}\setup.exe -runfromtemp -l0x0009 -removeonly
TOSHIBA Recovery Disc Creator-->MsiExec.exe /X{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}
TOSHIBA Software Modem-->Tosmreg -U
TOSHIBA Supervisor Password-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B1E87C3-00DE-4898-8E39-E390AAEF2391}\setup.exe" -l0x9
Toshiba TEMPRO-->MsiExec.exe /X{1F259B2E-D2C7-486B-8A42-9803FA1527C8}
TOSHIBA Value Added Package-->C:\Program Files\InstallShield Installation Information\{FEDD27A0-B306-45EF-BF58-B527406B42C8}\setup.exe -runfromtemp -l0x0409
TRDCReminder-->C:\Program Files\InstallShield Installation Information\{773970F1-5EBA-4474-ADEE-1EA3B0A59492}\setup.exe -runfromtemp -l0x0409
TRORDCLauncher-->C:\Program Files\InstallShield Installation Information\{E65C7D8E-186D-484B-BEA8-DEF0331CE600}\setup.exe -runfromtemp -l0x0409
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 (KB974561)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0CDDBAA2-2111-4A0E-A1B0-76C40C635331}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Movie Maker-->MsiExec.exe /X{3D5044A5-97B8-45C0-B956-BB2376569188}
Windows Live Photo Gallery-->MsiExec.exe /X{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
Windows Live Toolbar-->MsiExec.exe /X{995F1E2E-F542-4310-8E1D-9926F5A279B3}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{178832DE-9DE0-4C87-9F82-9315A9B03985}
Windows Media Encoder 9 Series-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}

=====HijackThis Backups=====

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77 [2010-03-31]
O17 - HKLM\System\CCS\Services\Tcpip\..\{87AA56ED-A143-48F5-91CC-8BF49C8C7720}: NameServer = 93.188.162.120,93.188.161.77 [2010-03-31]
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77 [2010-03-31]
O17 - HKLM\System\CCS\Services\Tcpip\..\{51585390-698E-4A6D-8767-8E94DAE206B3}: NameServer = 93.188.162.120,93.188.161.77 [2010-03-31]
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77 [2010-03-31]
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77 [2010-03-31]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2010-03-31]
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77 [2010-03-31]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.120,93.188.161.77 [2010-03-31]

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AS: Spybot - Search and Destroy (disabled) (outdated)
AS: Windows Defender
AS: SUPERAntiSpyware

======System event log======

Computer Name: Mikes-Laptop
Event Code: 4227
Message: TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint.
Record Number: 41884
Source Name: Tcpip
Time Written: 20090625153459.624000-000
Event Type: Warning
User:

Computer Name: Mikes-Laptop
Event Code: 4227
Message: TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate, causing all available local ports to be used and forcing TCP/IP to reuse a local port for an outgoing connection. To minimize the risk of data corruption, the TCP/IP standard requires a minimum time period to elapse between successive connections from a given local endpoint to a given remote endpoint.
Record Number: 41883
Source Name: Tcpip
Time Written: 20090625151530.534000-000
Event Type: Warning
User:

Computer Name: Mikes-Laptop
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 41868
Source Name: Microsoft-Windows-Time-Service
Time Written: 20090625120449.000000-000
Event Type: Warning
User:

Computer Name: Mikes-Laptop
Event Code: 36
Message: The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.
Record Number: 41859
Source Name: Microsoft-Windows-Time-Service
Time Written: 20090625120435.000000-000
Event Type: Warning
User:

Computer Name: Mikes-Laptop
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 41858
Source Name: Microsoft-Windows-Time-Service
Time Written: 20090625120435.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: Mikes-Laptop
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {12c7a5c9-824a-4734-b7e9-107ae1ba1495}
Record Number: 823
Source Name: VSS
Time Written: 20081229190453.000000-000
Event Type: Error
User:

Computer Name: Mikes-Laptop
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 814
Source Name: Microsoft-Windows-WMI
Time Written: 20081229185243.000000-000
Event Type: Error
User:

Computer Name: Mikes-Laptop
Event Code: 3086
Message: The system locale has changed. Existing data will be deleted and the index must be recreated.

Context: Windows Application, SystemIndex Catalog

Record Number: 809
Source Name: Microsoft-Windows-Search
Time Written: 20081229185132.000000-000
Event Type: Warning
User:

Computer Name: Mikes-Laptop
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 782
Source Name: Microsoft-Windows-Search
Time Written: 20081229184504.000000-000
Event Type: Warning
User:

Computer Name: WIN-RUFB385ZSIZ
Event Code: 1036
Message: InitializePrintProvider failed for provider inetpp.dll. This can occur because of system instability or a lack of system resources.
Record Number: 765
Source Name: Microsoft-Windows-SpoolerSpoolss
Time Written: 20081229182437.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: WIN-RUFB385ZSIZ
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: WIN-RUFB385ZSIZ$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x240
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 715
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080529112944.761979-000
Event Type: Audit Success
User:

Computer Name: WIN-RUFB385ZSIZ
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 714
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080529112944.309579-000
Event Type: Audit Success
User:

Computer Name: WIN-RUFB385ZSIZ
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: WIN-RUFB385ZSIZ$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x240
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 713
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080529112944.309579-000
Event Type: Audit Success
User:

Computer Name: WIN-RUFB385ZSIZ
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: WIN-RUFB385ZSIZ$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x240
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 712
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080529112944.309579-000
Event Type: Audit Success
User:

Computer Name: WIN-RUFB385ZSIZ
Event Code: 1102
Message: The audit log was cleared.
Subject:
Security ID: S-1-5-21-1184844273-4240365556-1737602318-500
Account Name: Administrator
Domain Name: WIN-RUFB385ZSIZ
Logon ID: 0x37115
Record Number: 711
Source Name: Microsoft-Windows-Eventlog
Time Written: 20080529112932.032379-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;C:\Program Files\Samsung\Samsung PC Studio 3\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=17
"PROCESSOR_IDENTIFIER"=x86 Family 17 Model 3 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=0301
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE

-----------------EOF-----------------
____________________________________________________________
Not enough characters... log.txt on next post
_____________________________________________

Thanks again.

sassenach
2010-04-04, 16:43
Logfile of random's system information tool 1.06 (written by random/random)
Run by Michael at 2010-04-04 14:12:39
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 48 GB (62%) free of 76 GB
Total RAM: 2813 MB (56% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:13:08, on 04/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Michael\Documents\RSIT.exe
C:\Users\Michael\Desktop\Michael.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
O4 - HKLM\..\Run: [Toshiba TEMPO] C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Toshiba TEMPRO] C:\Program Files\Toshiba TEMPRO\TemproTray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TOSHIBA Online Product Information] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe (User 'Default user')
O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\TOSHIBA\TRDCReminder\TRDCReminder.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TemproSvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10511 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2489578407-3687330752-2571076998-1004Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2489578407-3687330752-2571076998-1004UA.job
C:\Windows\tasks\User_Feed_Synchronization-{B7797B0D-8026-4878-9932-A5757720FC15}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2009-05-19 137600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-01-21 61440]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-04-08 6037504]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-12-06 1029416]
"NDSTray.exe"=NDSTray.exe []
"cfFncEnabler.exe"=cfFncEnabler.exe []
"Toshiba TEMPO"=C:\Program Files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe []
"topi"=C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe [2009-03-16 6158240]
"Camera Assistant Software"=C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe [2008-09-26 417792]
"TPwrMain"=C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [2008-01-17 431456]
"SmoothView"=C:\Program Files\Toshiba\SmoothView\SmoothView.exe [2008-01-25 509816]
"00TCrdMain"=C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [2008-03-19 716800]
"Toshiba Registration"=C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe [2008-01-11 574864]
"Skytel"=C:\Windows\Skytel.exe [2007-11-20 1826816]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2009-11-16 2054360]
"Toshiba TEMPRO"=C:\Program Files\Toshiba TEMPRO\TemproTray.exe [2009-12-01 1045976]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2010-03-30 437584]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"TOSCDSPD"=TOSCDSPD.EXE []
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2009-07-26 3883856]
"EA Core"=C:\Program Files\Electronic Arts\EADM\Core.exe -silent []
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-21 125952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-21 202240]
"TOSHIBA Online Product Information"=C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe [2009-03-16 6158240]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-02-18 2012912]

C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8d97e84-1f9c-11df-889f-001e33752359}]
shell\AutoRun\command - D:\Setup.exe
======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-04-04 14:12:39 ----D---- C:\rsit
2010-04-01 23:19:20 ----A---- C:\Windows\system32\browserchoice.exe
2010-03-31 11:30:13 ----D---- C:\Program Files\Windows Portable Devices
2010-03-31 10:01:24 ----A---- C:\Windows\system32\UIAnimation.dll
2010-03-31 10:01:23 ----A---- C:\Windows\system32\UIRibbonRes.dll
2010-03-31 10:01:22 ----A---- C:\Windows\system32\UIRibbon.dll
2010-03-31 10:00:02 ----A---- C:\Windows\system32\WMPhoto.dll
2010-03-31 10:00:00 ----A---- C:\Windows\system32\cdd.dll
2010-03-31 09:59:58 ----A---- C:\Windows\system32\XpsRasterService.dll
2010-03-31 09:59:58 ----A---- C:\Windows\system32\XpsGdiConverter.dll
2010-03-31 09:59:58 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2010-03-31 09:59:58 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2010-03-31 09:59:58 ----A---- C:\Windows\system32\d3d10warp.dll
2010-03-31 09:59:58 ----A---- C:\Windows\system32\d2d1.dll
2010-03-31 09:59:57 ----A---- C:\Windows\system32\XpsPrint.dll
2010-03-31 09:59:57 ----A---- C:\Windows\system32\WindowsCodecs.dll
2010-03-31 09:59:57 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2010-03-31 09:59:57 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2010-03-31 09:59:57 ----A---- C:\Windows\system32\OpcServices.dll
2010-03-31 09:59:57 ----A---- C:\Windows\system32\dxdiagn.dll
2010-03-31 09:59:57 ----A---- C:\Windows\system32\dxdiag.exe
2010-03-31 09:59:56 ----A---- C:\Windows\system32\xpsservices.dll
2010-03-31 09:59:56 ----A---- C:\Windows\system32\FntCache.dll
2010-03-31 09:59:56 ----A---- C:\Windows\system32\dxgi.dll
2010-03-31 09:59:56 ----A---- C:\Windows\system32\DWrite.dll
2010-03-31 09:59:56 ----A---- C:\Windows\system32\d3d11.dll
2010-03-31 09:59:56 ----A---- C:\Windows\system32\d3d10level9.dll
2010-03-31 09:59:56 ----A---- C:\Windows\system32\d3d10core.dll
2010-03-31 09:59:56 ----A---- C:\Windows\system32\d3d10_1core.dll
2010-03-31 09:59:56 ----A---- C:\Windows\system32\d3d10_1.dll
2010-03-31 09:59:56 ----A---- C:\Windows\system32\d3d10.dll
2010-03-31 09:58:40 ----A---- C:\Windows\system32\WPDShextAutoplay.exe
2010-03-31 09:58:40 ----A---- C:\Windows\system32\wpdbusenum.dll
2010-03-31 09:58:40 ----A---- C:\Windows\system32\BthMtpContextHandler.dll
2010-03-31 09:58:34 ----A---- C:\Windows\system32\PortableDeviceConnectApi.dll
2010-03-31 09:58:31 ----A---- C:\Windows\system32\WPDShServiceObj.dll
2010-03-31 09:58:31 ----A---- C:\Windows\system32\wpdshext.dll
2010-03-31 09:58:31 ----A---- C:\Windows\system32\wpd_ci.dll
2010-03-31 09:58:31 ----A---- C:\Windows\system32\PortableDeviceWMDRM.dll
2010-03-31 09:58:31 ----A---- C:\Windows\system32\PortableDeviceTypes.dll
2010-03-31 09:58:31 ----A---- C:\Windows\system32\PortableDeviceClassExtension.dll
2010-03-31 09:58:31 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2010-03-31 09:58:30 ----A---- C:\Windows\system32\WPDSp.dll
2010-03-31 09:56:10 ----A---- C:\Windows\system32\oleaccrc.dll
2010-03-31 09:56:09 ----A---- C:\Windows\system32\oleacc.dll
2010-03-31 09:56:08 ----A---- C:\Windows\system32\UIAutomationCore.dll
2010-03-31 09:39:24 ----A---- C:\Windows\system32\nshhttp.dll
2010-03-31 09:39:11 ----A---- C:\Windows\system32\httpapi.dll
2010-03-31 09:24:20 ----A---- C:\Windows\system32\jscript.dll
2010-03-31 09:22:50 ----A---- C:\Windows\system32\mshtml.dll
2010-03-31 09:22:40 ----A---- C:\Windows\system32\ieframe.dll
2010-03-31 09:22:37 ----A---- C:\Windows\system32\iertutil.dll
2010-03-31 09:22:35 ----A---- C:\Windows\system32\urlmon.dll
2010-03-31 09:22:34 ----A---- C:\Windows\system32\wininet.dll
2010-03-31 09:22:32 ----A---- C:\Windows\system32\msfeeds.dll
2010-03-31 09:22:31 ----A---- C:\Windows\system32\occache.dll
2010-03-31 09:22:30 ----A---- C:\Windows\system32\iedkcs32.dll
2010-03-31 09:22:29 ----A---- C:\Windows\system32\mstime.dll
2010-03-31 09:22:24 ----A---- C:\Windows\system32\ieui.dll
2010-03-31 09:22:21 ----A---- C:\Windows\system32\iepeers.dll
2010-03-31 09:22:20 ----A---- C:\Windows\system32\ieUnatt.exe
2010-03-31 09:22:19 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-03-31 09:22:18 ----A---- C:\Windows\system32\iesysprep.dll
2010-03-31 09:22:17 ----A---- C:\Windows\system32\jsproxy.dll
2010-03-31 09:22:15 ----A---- C:\Windows\system32\ie4uinit.exe
2010-03-31 09:22:14 ----A---- C:\Windows\system32\msfeedssync.exe
2010-03-31 09:22:13 ----A---- C:\Windows\system32\iesetup.dll
2010-03-31 09:22:12 ----A---- C:\Windows\system32\iernonce.dll
2010-03-31 09:21:48 ----A---- C:\Windows\system32\tzres.dll
2010-03-31 09:19:29 ----A---- C:\Windows\system32\secproc_isv.dll
2010-03-31 09:19:26 ----A---- C:\Windows\system32\secproc.dll
2010-03-31 09:19:11 ----A---- C:\Windows\system32\RMActivate_isv.exe
2010-03-31 09:19:08 ----A---- C:\Windows\system32\RMActivate_ssp_isv.exe
2010-03-31 09:19:07 ----A---- C:\Windows\system32\RMActivate_ssp.exe
2010-03-31 09:19:04 ----A---- C:\Windows\system32\RMActivate.exe
2010-03-31 09:19:02 ----A---- C:\Windows\system32\secproc_ssp_isv.dll
2010-03-31 09:19:01 ----A---- C:\Windows\system32\secproc_ssp.dll
2010-03-31 09:19:00 ----A---- C:\Windows\system32\msdrm.dll
2010-03-31 09:18:43 ----A---- C:\Windows\system32\gameux.dll
2010-03-31 09:18:35 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-03-31 09:18:35 ----A---- C:\Windows\system32\Apphlpdm.dll
2010-03-29 15:21:53 ----D---- C:\Windows\ERDNT
2010-03-29 15:21:07 ----D---- C:\Program Files\ERUNT
2010-03-29 13:12:02 ----SHD---- C:\Windows\system32\%APPDATA%
2010-03-29 11:48:32 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2010-03-29 11:48:06 ----D---- C:\Users\Michael\AppData\Roaming\SUPERAntiSpyware.com
2010-03-29 11:48:06 ----D---- C:\Program Files\SUPERAntiSpyware
2010-03-29 10:36:54 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-03-29 10:36:54 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-03-29 08:22:03 ----A---- C:\Windows\ntbtlog.txt
2010-03-28 18:11:36 ----A---- C:\Windows\system32\RtlLib.dll
2010-03-28 18:11:36 ----A---- C:\Windows\system32\libeay32.dll
2010-03-28 18:11:36 ----A---- C:\Windows\system32\IpLib.dll
2010-03-28 18:11:36 ----A---- C:\Windows\system32\EnumDevLib.dll
2010-03-28 17:44:16 ----D---- C:\Temp
2010-03-28 12:42:32 ----D---- C:\Users\Michael\AppData\Roaming\Malwarebytes
2010-03-28 12:42:19 ----D---- C:\ProgramData\Malwarebytes
2010-03-28 12:42:14 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-28 12:40:16 ----D---- C:\Users\Michael\AppData\Roaming\ESET
2010-03-28 12:38:47 ----D---- C:\ProgramData\ESET
2010-03-28 12:38:47 ----D---- C:\Program Files\ESET
2010-03-28 12:05:02 ----D---- C:\Windows\system32\eu-ES
2010-03-28 12:05:02 ----D---- C:\Windows\system32\ca-ES
2010-03-28 12:04:58 ----D---- C:\Windows\system32\vi-VN
2010-03-28 11:29:57 ----D---- C:\Windows\system32\EventProviders
2010-03-28 11:14:43 ----D---- C:\ProgramData\Office Genuine Advantage
2010-03-28 11:07:25 ----D---- C:\Users\Michael\AppData\Roaming\Mozilla
2010-03-28 11:05:28 ----A---- C:\Windows\system32\mshtmler.dll
2010-03-28 11:05:28 ----A---- C:\Windows\system32\mshtmled.dll
2010-03-28 11:05:28 ----A---- C:\Windows\system32\icardie.dll
2010-03-28 11:05:28 ----A---- C:\Windows\system32\admparse.dll
2010-03-28 11:05:27 ----A---- C:\Windows\system32\msls31.dll
2010-03-28 11:05:27 ----A---- C:\Windows\system32\ieakeng.dll
2010-03-28 11:05:27 ----A---- C:\Windows\system32\corpol.dll
2010-03-28 11:05:26 ----A---- C:\Windows\system32\licmgr10.dll
2010-03-28 11:05:26 ----A---- C:\Windows\system32\inseng.dll
2010-03-28 11:05:26 ----A---- C:\Windows\system32\imgutil.dll
2010-03-28 11:05:26 ----A---- C:\Windows\system32\ieaksie.dll
2010-03-28 11:05:26 ----A---- C:\Windows\system32\dxtrans.dll
2010-03-28 11:05:26 ----A---- C:\Windows\system32\dxtmsft.dll
2010-03-28 11:05:25 ----A---- C:\Windows\system32\WinFXDocObj.exe
2010-03-28 11:05:25 ----A---- C:\Windows\system32\wextract.exe
2010-03-28 11:05:25 ----A---- C:\Windows\system32\webcheck.dll
2010-03-28 11:05:25 ----A---- C:\Windows\system32\msrating.dll
2010-03-28 11:05:25 ----A---- C:\Windows\system32\ieakui.dll
2010-03-28 11:05:24 ----A---- C:\Windows\system32\vbscript.dll
2010-03-28 11:05:24 ----A---- C:\Windows\system32\url.dll
2010-03-28 11:05:24 ----A---- C:\Windows\system32\pngfilt.dll
2010-03-28 11:05:24 ----A---- C:\Windows\system32\ieapfltr.dll
2010-03-28 11:05:24 ----A---- C:\Windows\system32\advpack.dll
2010-03-28 11:05:23 ----A---- C:\Windows\system32\mshta.exe
2010-03-28 11:05:23 ----A---- C:\Windows\system32\iexpress.exe
2010-03-28 11:05:22 ----A---- C:\Windows\system32\SetIEInstalledDate.exe
2010-03-28 11:05:22 ----A---- C:\Windows\system32\SetDepNx.exe
2010-03-28 11:05:22 ----A---- C:\Windows\system32\RegisterIEPKEYs.exe
2010-03-28 11:05:22 ----A---- C:\Windows\system32\PDMSetup.exe
2010-03-25 17:04:07 ----D---- C:\Program Files\Spotify

======List of files/folders modified in the last 1 months======

2010-04-04 14:12:56 ----D---- C:\Windows\Prefetch
2010-04-04 14:12:42 ----D---- C:\Windows\Temp
2010-04-04 13:11:31 ----D---- C:\Windows\inf
2010-04-04 13:11:31 ----AD---- C:\Windows\System32
2010-04-04 13:11:31 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-04-04 12:56:31 ----D---- C:\Windows
2010-04-04 12:55:04 ----D---- C:\Windows\system32\drivers
2010-04-04 12:55:04 ----D---- C:\Windows\en-US
2010-04-04 11:50:37 ----SHD---- C:\System Volume Information
2010-04-02 18:54:17 ----D---- C:\Windows\system32\Tasks
2010-04-01 23:20:06 ----D---- C:\Windows\winsxs
2010-04-01 23:19:45 ----D---- C:\Windows\system32\catroot
2010-03-31 14:36:26 ----D---- C:\Program Files\Movie Maker
2010-03-31 14:00:48 ----D---- C:\Windows\Tasks
2010-03-31 11:58:41 ----D---- C:\Windows\Microsoft.NET
2010-03-31 11:56:30 ----RSD---- C:\Windows\assembly
2010-03-31 11:49:30 ----D---- C:\Windows\rescache
2010-03-31 11:34:20 ----D---- C:\Windows\system32\catroot2
2010-03-31 11:30:14 ----D---- C:\Program Files\Internet Explorer
2010-03-31 11:30:13 ----RSD---- C:\Windows\Fonts
2010-03-31 11:30:13 ----RD---- C:\Program Files
2010-03-31 11:30:13 ----D---- C:\Windows\system32\migration
2010-03-31 11:30:13 ----D---- C:\Windows\system32\en-US
2010-03-31 11:30:13 ----D---- C:\Windows\AppPatch
2010-03-31 11:30:13 ----D---- C:\Program Files\Windows Mail
2010-03-31 11:30:12 ----D---- C:\Windows\system32\wbem
2010-03-31 11:30:11 ----D---- C:\Windows\system32\zh-TW
2010-03-31 11:30:11 ----D---- C:\Windows\system32\zh-HK
2010-03-31 11:30:11 ----D---- C:\Windows\system32\zh-CN
2010-03-31 11:30:11 ----D---- C:\Windows\system32\uk-UA
2010-03-31 11:30:11 ----D---- C:\Windows\system32\tr-TR
2010-03-31 11:30:11 ----D---- C:\Windows\system32\th-TH
2010-03-31 11:30:11 ----D---- C:\Windows\system32\sv-SE
2010-03-31 11:30:11 ----D---- C:\Windows\system32\sr-Latn-CS
2010-03-31 11:30:11 ----D---- C:\Windows\system32\sl-SI
2010-03-31 11:30:11 ----D---- C:\Windows\system32\sk-SK
2010-03-31 11:30:11 ----D---- C:\Windows\system32\ru-RU
2010-03-31 11:30:11 ----D---- C:\Windows\system32\ro-RO
2010-03-31 11:30:11 ----D---- C:\Windows\system32\pt-PT
2010-03-31 11:30:11 ----D---- C:\Windows\system32\pt-BR
2010-03-31 11:30:11 ----D---- C:\Windows\system32\pl-PL
2010-03-31 11:30:11 ----D---- C:\Windows\system32\nl-NL
2010-03-31 11:30:11 ----D---- C:\Windows\system32\nb-NO
2010-03-31 11:30:11 ----D---- C:\Windows\system32\lv-LV
2010-03-31 11:30:11 ----D---- C:\Windows\system32\lt-LT
2010-03-31 11:30:11 ----D---- C:\Windows\system32\ko-KR
2010-03-31 11:30:11 ----D---- C:\Windows\system32\ja-JP
2010-03-31 11:30:11 ----D---- C:\Windows\system32\it-IT
2010-03-31 11:30:11 ----D---- C:\Windows\system32\hu-HU
2010-03-31 11:30:11 ----D---- C:\Windows\system32\hr-HR
2010-03-31 11:30:11 ----D---- C:\Windows\system32\he-IL
2010-03-31 11:30:11 ----D---- C:\Windows\system32\fr-FR
2010-03-31 11:30:11 ----D---- C:\Windows\system32\fi-FI
2010-03-31 11:30:11 ----D---- C:\Windows\system32\et-EE
2010-03-31 11:30:11 ----D---- C:\Windows\system32\es-ES
2010-03-31 11:30:11 ----D---- C:\Windows\system32\el-GR
2010-03-31 11:30:11 ----D---- C:\Windows\system32\de-DE
2010-03-31 11:30:11 ----D---- C:\Windows\system32\da-DK
2010-03-31 11:30:11 ----D---- C:\Windows\system32\cs-CZ
2010-03-31 11:30:11 ----D---- C:\Windows\system32\bg-BG
2010-03-31 11:30:11 ----D---- C:\Windows\system32\ar-SA
2010-03-31 10:45:55 ----SD---- C:\Windows\Downloaded Program Files
2010-03-31 09:50:39 ----SHD---- C:\Windows\Installer
2010-03-31 09:50:16 ----D---- C:\ProgramData\Microsoft Help
2010-03-30 22:18:06 ----D---- C:\Windows\Sun
2010-03-29 20:18:07 ----D---- C:\Windows\Branding
2010-03-29 11:48:32 ----HD---- C:\ProgramData
2010-03-29 11:32:31 ----D---- C:\ProgramData\Google
2010-03-29 11:32:31 ----D---- C:\Program Files\Google
2010-03-29 11:26:52 ----D---- C:\Program Files\Image-Line
2010-03-29 09:27:54 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-03-28 18:11:36 ----D---- C:\Program Files\Realtek
2010-03-28 18:11:26 ----HD---- C:\Program Files\InstallShield Installation Information
2010-03-28 18:09:53 ----D---- C:\Program Files\Camera Assistant Software for Toshiba
2010-03-28 18:08:30 ----D---- C:\Program Files\Toshiba TEMPRO
2010-03-28 17:53:04 ----D---- C:\Program Files\TOSHIBA
2010-03-28 17:50:41 ----D---- C:\Windows\system32\tr
2010-03-28 17:50:41 ----D---- C:\Windows\system32\sv
2010-03-28 17:50:41 ----D---- C:\Windows\system32\ru
2010-03-28 17:50:41 ----D---- C:\Windows\system32\pt
2010-03-28 17:50:41 ----D---- C:\Windows\system32\pl
2010-03-28 17:50:41 ----D---- C:\Windows\system32\no
2010-03-28 17:50:41 ----D---- C:\Windows\system32\nl
2010-03-28 17:50:41 ----D---- C:\Windows\system32\it
2010-03-28 17:50:41 ----D---- C:\Windows\system32\hu
2010-03-28 17:50:41 ----D---- C:\Windows\system32\fr
2010-03-28 17:50:41 ----D---- C:\Windows\system32\fi
2010-03-28 17:50:41 ----D---- C:\Windows\system32\es
2010-03-28 17:50:41 ----D---- C:\Windows\system32\el
2010-03-28 17:50:41 ----D---- C:\Windows\system32\de
2010-03-28 17:50:41 ----D---- C:\Windows\system32\da
2010-03-28 17:50:41 ----D---- C:\Windows\system32\cs
2010-03-28 17:50:35 ----D---- C:\Windows\system32\sk
2010-03-28 17:50:28 ----D---- C:\Windows\system32\en
2010-03-28 16:17:11 ----SD---- C:\ProgramData\Microsoft
2010-03-28 15:49:49 ----D---- C:\Windows\LiveKernelReports
2010-03-28 13:10:50 ----SD---- C:\Users\Michael\AppData\Roaming\Microsoft
2010-03-28 12:20:31 ----SHD---- C:\Boot
2010-03-28 12:10:24 ----D---- C:\Program Files\Windows Calendar
2010-03-28 12:10:19 ----D---- C:\Program Files\Windows Sidebar
2010-03-28 12:10:19 ----D---- C:\Program Files\Windows Media Player
2010-03-28 12:10:17 ----D---- C:\Program Files\Windows Collaboration
2010-03-28 12:10:16 ----D---- C:\Program Files\Windows Journal
2010-03-28 12:10:11 ----D---- C:\Program Files\Common Files\System
2010-03-28 12:10:10 ----D---- C:\Program Files\Windows Photo Gallery
2010-03-28 12:09:54 ----D---- C:\Windows\servicing
2010-03-28 12:09:54 ----D---- C:\Program Files\Windows Defender
2010-03-28 12:09:53 ----D---- C:\Windows\ehome
2010-03-28 12:08:53 ----D---- C:\Windows\IME
2010-03-28 12:08:52 ----D---- C:\Windows\system32\XPSViewer
2010-03-28 12:08:49 ----AD---- C:\Windows\system32\oobe
2010-03-28 12:08:39 ----D---- C:\Windows\system32\AdvancedInstallers
2010-03-28 12:08:38 ----D---- C:\Windows\system32\SLUI
2010-03-28 12:08:38 ----D---- C:\Windows\system32\setup
2010-03-28 12:08:37 ----D---- C:\Windows\system32\manifeststore
2010-03-28 12:08:25 ----D---- C:\Windows\system32\migwiz
2010-03-28 12:04:57 ----D---- C:\Windows\system32\Boot
2010-03-28 12:02:59 ----D---- C:\Windows\system32\RTCOM
2010-03-28 11:09:49 ----D---- C:\Windows\PolicyDefinitions
2010-03-17 02:25:15 ----D---- C:\Windows\system32\config
2010-03-17 02:25:09 ----D---- C:\Windows\system32\spool
2010-03-17 02:25:09 ----D---- C:\Windows\system32\Msdtc
2010-03-17 02:25:08 ----D---- C:\Windows\registration
2010-03-09 22:47:38 ----SHD---- C:\$RECYCLE.BIN
2010-03-09 22:47:09 ----RD---- C:\Users
2010-03-09 22:46:33 ----SHD---- C:\Users\Michael\AppData\Roaming\lowsec
2010-03-09 22:29:52 ----D---- C:\Windows\Logs
2010-03-06 17:07:49 ----D---- C:\Program Files\Common Files
2010-03-06 17:07:39 ----D---- C:\Program Files\DivX
2010-03-06 17:00:35 ----D---- C:\Program Files\Canon
2010-03-06 16:58:36 ----D---- C:\Windows\twain_32
2010-03-06 16:41:46 ----D---- C:\Windows\system32\Samsung_USB_Drivers
2010-03-06 16:32:13 ----D---- C:\ProgramData\Apple Computer
2010-03-06 16:31:40 ----DC---- C:\Windows\system32\DRVSTORE
2010-03-06 16:05:10 ----D---- C:\Users\Michael\AppData\Roaming\Canon
2010-03-06 15:52:35 ----D---- C:\ProgramData\CanonIJPLM
2010-03-06 15:51:04 ----D---- C:\ProgramData\Adobe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver; C:\Windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
R1 StarOpen;StarOpen; C:\Windows\system32\drivers\StarOpen.sys [2009-02-06 5632]
R2 eamon;eamon; C:\Windows\system32\DRIVERS\eamon.sys [2009-11-16 116520]
R2 epfw;epfw; C:\Windows\system32\DRIVERS\epfw.sys [2009-12-18 135048]
R2 epfwwfp;epfwwfp; C:\Windows\system32\DRIVERS\epfwwfp.sys [2009-12-18 38240]
R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2006-11-28 1161888]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2008-04-22 3551232]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-21 14208]
R3 Epfwndis;Eset Personal Firewall; C:\Windows\system32\DRIVERS\Epfwndis.sys [2010-01-08 33096]
R3 FwLnk;FwLnk Driver; C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-01-15 23848]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-04-09 2095512]
R3 MBAMProtector;MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [2010-03-30 20824]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-04-15 118784]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter; C:\Windows\system32\DRIVERS\RTL8187B.sys [2007-12-26 290304]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-12-06 196400]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver; C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 16128]
R3 usbvideo;Chicony USB 2.0 Camera; C:\Windows\System32\Drivers\usbvideo.sys [2008-01-21 134016]
R3 UVCFTR;UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [2008-07-15 17960]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\AFGMp50.sys []
S3 AFGSp50;AFGSp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\AFGSp50.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]
S3 fwddipob;fwddipob; \??\C:\Users\Michael\AppData\Local\Temp\fwddipob.sys []
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-21 987648]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-21 200704]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]
S3 RTHDMIAzAudService;Service for HDMI; C:\Windows\system32\drivers\RtHDMIV.sys [2008-02-27 141408]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver; C:\Windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]
S3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS [2008-04-02 62976]
S3 StillCam;Still Serial Digital Camera Driver; C:\Windows\system32\DRIVERS\serscan.sys [2008-01-21 9216]
S3 UMPass;Microsoft UMPass Driver; C:\Windows\system32\DRIVERS\umpass.sys [2008-01-21 7680]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys []
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-21 35328]
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2008-01-21 654336]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-21 39936]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-21 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2006-10-05 9216]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2008-04-22 671744]
R2 ConfigFree Service;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2009-11-16 735960]
R2 IJPLMSVC;Inkjet Printer/Scanner Extended Survey Program; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2008-01-22 103808]
R2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-03-30 303952]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO); C:\Program Files\Toshiba TEMPRO\TemproSvc.exe [2009-12-01 116176]
R2 TNaviSrv;TOSHIBA Navi Support Service; C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe [2008-04-11 83312]
R2 TODDSrv;TOSHIBA Optical Disc Drive Service; C:\Windows\system32\TODDSrv.exe [2007-11-21 129632]
R2 TosCoSrv;TOSHIBA Power Saver; c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe [2008-01-17 431456]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service; c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2006-08-23 49152]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv; C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-08-25 77824]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2009-03-30 31048]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2009-11-16 20680]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-21 21504]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usprserv;User Privilege Service; C:\Windows\System32\svchost.exe [2008-01-21 21504]

-----------------EOF-----------------

Cypher
2010-04-04, 18:49
Hi sassenach.
Good work so far.
Please continue with the instructions below.

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:filefind
*sdaxjvyf*

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

sassenach
2010-04-04, 19:08
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:02 on 04/04/2010 by Michael (Administrator - Elevation successful)

========== filefind ==========

Searching for "*sdaxjvyf*"
C:\Windows\System32\drivers\sdaxjvyf.sys --a--- 860672 bytes [20:36 21/02/2010] [16:03 04/04/2010] (Unable to calculate MD5)

-=End Of File=-

Cypher
2010-04-04, 19:20
Hi sassenach.

Download and run OTM

Download OTM (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.

Double-click OTM.exe to run it.
Right-click, then copy the following code. Do not include the word Code.


:Services
sdaxjvyf
:Files
C:\Users\Michael\AppData\Roaming\lowsec
C:\Windows\System32\drivers\sdaxjvyf.sys
:Commands
[emptytemp]
[start explorer]
[Reboot]


Return to OTM, right-click then paste the code into the blank box below http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Next.

Please re-run Gmer

Right-click the .exe file and choose Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO.

http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ... Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Note: Do not run any programs while Gmer is running.



Logs/Information to Post in your Next Reply


OTM log.
Gmer.txt log.
Please give me an update on your computer's performance.

sassenach
2010-04-04, 20:33
All processes killed
========== SERVICES/DRIVERS ==========
Error: No service named sdaxjvyf was found to stop!
Service\Driver key sdaxjvyf not found.
========== FILES ==========
C:\Users\Michael\AppData\Roaming\lowsec folder moved successfully.
File move failed. C:\Windows\System32\drivers\sdaxjvyf.sys scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Alice
->Temp folder emptied: 5252835 bytes
->Temporary Internet Files folder emptied: 142859924 bytes
->FireFox cache emptied: 4465609 bytes
->Google Chrome cache emptied: 35170358 bytes
->Flash cache emptied: 8422 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 103910 bytes

User: Michael
->Temp folder emptied: 1502116 bytes
->Temporary Internet Files folder emptied: 1648897783 bytes
->Java cache emptied: 8813790 bytes
->FireFox cache emptied: 3598242 bytes
->Flash cache emptied: 4318 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2126170 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 13050055 bytes
RecycleBin emptied: 15558 bytes

Total Files Cleaned = 1,779.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 04042010_172538

Files moved on Reboot...
File C:\Windows\System32\drivers\sdaxjvyf.sys not found!

Registry entries deleted on Reboot...
________________________________________________________

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-04 18:30:11
Windows 6.0.6002 Service Pack 2
Running: 8ih3gfvs.exe; Driver: C:\Users\Michael\AppData\Local\Temp\fwddipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8F0A8320] <-- ROOTKIT !!!

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85D8D0F0

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] sdaxjvyf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet006\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet007\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet008\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet009\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet010\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet011\Services\sdaxjvyf@{2aae05d4-3cd3-6fe6-e1fa-d374760be60c} 1

---- EOF - GMER 1.0.15 ----
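
A defender-side cross-check of the two log formats posted in this thread, added here as an example (it is not a tool from the thread, nor from the GMER or RSIT authors): it parses RSIT "List of drivers" lines and GMER service/registry lines, using sample lines constructed from the logs above, and flags a hidden boot-start service with no visible driver record, plus driver entries with no on-disk file data or images loaded from a Temp directory. All function and constant names are my own.

```python
import re

# Start-type codes as given in the RSIT log header on this page.
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# RSIT driver line:  R1 name;description; path [date size]   (brackets may be empty)
DRIVER_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.*?) \[(.*)\]$")
# GMER registry line: Reg HKLM\SYSTEM\<ControlSet>\Services\<svc>@<value> <data>
GMER_REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\([^\\@]+)@(\S+)\s*(.*)$")
# GMER hidden-service line: Service (*** hidden *** ) [BOOT] <svc> ...
GMER_HIDDEN_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* ?\) \[(\w+)\] (\S+)")
TEMP_DIR_RE = re.compile(r"\\(Temp|tmp)\\", re.IGNORECASE)

# Constructed sample input, shaped like the RSIT driver list and GMER output
# posted in this thread (a small subset of the lines, not the full logs).
SAMPLE_DRIVERS = r"""
R1 ehdrv;ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R3 MBAMProtector;MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [2010-03-30 20824]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\AFGMp50.sys []
S3 fwddipob;fwddipob; \??\C:\Users\Michael\AppData\Local\Temp\fwddipob.sys []
"""

SAMPLE_GMER = r"""
---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] sdaxjvyf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sdaxjvyf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\sdaxjvyf@Group Boot Bus Extender
"""


def parse_driver_list(text):
    """Parse RSIT 'List of drivers' lines into {lowercased name: record}."""
    drivers = {}
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        state, start, name, _desc, path, info = m.groups()
        drivers[name.lower()] = {
            "name": name,
            "running": state == "R",
            "start": START_TYPES.get(start, start),
            "path": path,
            # An empty "[]" means RSIT could not stat the image on disk.
            "file_info_present": bool(info.strip()),
        }
    return drivers


def parse_gmer(text):
    """Return (set of hidden service names, {svc: {control set: {value: data}}})."""
    hidden = set()
    reg = {}
    for line in text.splitlines():
        line = line.strip()
        h = GMER_HIDDEN_RE.match(line)
        if h:
            hidden.add(h.group(2).lower())
            continue
        r = GMER_REG_RE.match(line)
        if r:
            cset, svc, value, data = r.groups()
            reg.setdefault(svc.lower(), {}).setdefault(cset, {})[value] = data
    return hidden, reg


def analyse(driver_text, gmer_text):
    """Cross-reference both logs and return a list of (service, reason) findings."""
    drivers = parse_driver_list(driver_text)
    hidden, reg = parse_gmer(gmer_text)
    findings = []
    # 1. A service GMER sees as hidden that the normal service enumeration did not list.
    for svc in sorted(hidden):
        if svc not in drivers:
            findings.append((svc, "hidden service absent from the enumerated driver list"))
    # 2. Start=0 (boot-start) registry entries, replicated across control sets,
    #    for a service with no visible driver record at all.
    for svc, csets in sorted(reg.items()):
        boot_sets = [c for c, v in csets.items() if v.get("Start") == "0"]
        if boot_sets and svc not in drivers:
            findings.append((svc, "boot-start (Start=0) registry entry with no visible "
                                  "driver record in %d control set(s)" % len(boot_sets)))
    # 3. Driver records whose image could not be stat'ed, or that load from Temp.
    #    Caveat from this very thread: fwddipob.sys in Temp is GMER's own randomly
    #    named scanner driver (see the "Driver:" line of the GMER header), so a
    #    Temp hit is a lead to correlate, not a verdict.
    for name, rec in sorted(drivers.items()):
        if not rec["file_info_present"]:
            findings.append((name, "no size/date for driver image (file missing or "
                                   "unreadable): %s" % rec["path"]))
        if TEMP_DIR_RE.search(rec["path"]):
            findings.append((name, "driver image loaded from a temporary directory: %s"
                                   % rec["path"]))
    return findings


if __name__ == "__main__":
    for name, reason in analyse(SAMPLE_DRIVERS, SAMPLE_GMER):
        print("%-14s %s" % (name, reason))
```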

Cypher
2010-04-04, 20:38
Hi sassenach.

Rootkit

As you can see your computer is infected with a Rootkit. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

You are strongly advised to do the following:

Disconnect the computer from the Internet and from any networked computers until it is cleaned.
Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

DO NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its rootkit functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are rootkits from Wikipedia (http://en.wikipedia.org/wiki/Rootkit)
Why are rootkits dangerous (http://www.f-secure.com/blacklight/rootkit.html)
How do I respond to a possible identity theft and how do I prevent it (http://www.dslreports.com/faq/10451)
When should I do a reformat and reinstallation of my OS (http://www.dslreports.com/faq/10063)
Where to backup your files (http://www.microsoft.com/athome/security/update/wherebackup.mspx)
How to backup your files in Windows XP (http://www.microsoft.com/athome/security/update/howbackup.mspx)
Restoring your backups (http://support.microsoft.com/kb/309340)

Should you have any questions please feel free to ask.

Please let us know what you have decided to do in your next post.

sassenach
2010-04-04, 20:53
Thanks Cypher

This is my ex-wife's laptop which she bought from a friend and had no anti-virus or firewall installed. As far as I know she has not done any internet banking, but has used email accounts and MSN/facebook etc.

Vista is pre-installed and the serial number on the sticker under the laptop is faded. I do not have another copy, only an original XP.

If you believe that it is better to re-format, I'll do that and start again. I'll try to find the Vista keyfinder software and keychanger and borrow a copy.

Could any of the Toshiba recovery software allow me to re-install?

Otherwise if you think it is possible for you to try to remove it, then I am happy to try that.

Thanks

Cypher
2010-04-04, 21:09
Hi sassenach.

Could any of the Toshiba recovery software allow me to re-install
I'm not familiar with how the recovery partition works with Toshiba PCs, but I found This (http://www.geekpolice.net/tutorials-guides-f13/toshiba-recovery-partition-hotkey-instructions-t18281.htm) link; see if it helps.

Or you can download/view the user manual from the Toshiba website. Start Here (http://www.csd.toshiba.com/cgi-bin/tais/support/jsp/home.jsp) and select "Tech Support Centre". Then enter your laptop details and click on the user guides.


Otherwise if you think it is possible for you to try to remove it, then I am happy to try that.
As I explained in my last post, I can attempt to clean your PC as long as you understand it can never be trusted again.

The decision is yours; please let me know what you decide to do.

sassenach
2010-04-04, 23:25
Thanks Cypher,
If you believe that using the recovery system will return the laptop to its default settings and OS, then I'll try that. As you say, even by trying to remove it now, it still can't be trusted afterwards.
Unfortunately someone has formatted the recovery partition to make space, so I'll have to order a recovery disc with utilities & apps.
Thanks for all your help, especially on Easter Sunday. Much appreciated.

Cypher
2010-04-05, 11:59
Hi sassenach.

Thanks for all your help
You're most welcome.
I think you have made the right decision to reformat; if it were me in your position I would be doing the same.
Here are some free programs I recommend that could help you improve your computer's security after your reformat.

Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here (http://www.siteadvisor.com/)

Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE (http://www.winpatrol.com/)

MVPS Hosts

Install MVPS Hosts File From Here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You can find the tutorial HERE (http://www.mvps.org/winhelp2002/hosts2.htm)

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update > Check for updates.
To update Office
Open up any Office program.
Go to Help > Check for Updates

Read some information HERE (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) On how to prevent Malware

Is your PC running slow?
Read What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!

sassenach
2010-04-05, 14:29
Thanks again for all your help Cypher. I'm happy to close the thread as I'll wait for the recovery disc, which should put everything back to default. I'll use some of the suggested software too...so thanks for the advice.

Cypher
2010-04-05, 15:02
Hi sassenach.
You're welcome. I will ask for this topic to be closed. Good luck.

Dakeyras
2010-04-05, 15:15
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.