PDA

View Full Version : win32/Tibs.IT (black desktop, no startmenu - unable to run checkdisk)



daviedoo
2012-03-20, 11:52
Hi there I was using stuble upon when microsoft security essentials discovered win32/Tibs.IT. everything dissapeared from my desktop (except recyle bin) and my start menu shows no shortcuts. I cant use the checkdisk utility and I havent be able to do so for some time. I ran various scans (malwarebytes, spybot S&D, housecall and microsoft security essentials) but nothing seems to have had any effect. I then uninstalled mse and dowloaded Avira but without effect. Can someone help please?

I have pasted the DSS.txt below. I cant seem to be able to zip the attach.txt file (when I right click and hover over "send to" the only option is the E: drive)

also when i search for spybot S&D through the start menu now i only have the option to uninstall or update so i have been unable to disable teatimer (perhaps something to do with installing avira?

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Dave at 0:41:49 on 2012-03-20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.907 [GMT 0:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\rpcnet.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi9130~1\datamngr\toolbar\searchqudtx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi9130~1\datamngr\toolbar\searchqudtx.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTAyNzMyMDMwLVU4NSsxLVQzLUZQOTIrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3LVNQMSsxLVNVUCs0LUZMMTArMS1TUDFTMisxLUREVCsw"&"prod=90"&"ver=10.0.1209
StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/vistainstaller.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{B05071D1-02D8-45DD-8F81-1E0D002F30B5} : DhcpNameServer = 192.168.42.129
TCP: Interfaces\{C398C3C6-9D03-475E-8E3A-B72B4181E2A8} : DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{D3DFD185-6AFB-45A3-B9D6-41458A82876D} : DhcpNameServer = 194.168.4.100 194.168.8.100
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\0p53vkpy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&sr=0&q=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\dave\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-19 36000]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2008-11-26 25896]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-19 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-19 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-19 74640]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-19 1153368]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-3-19 187904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-1-21 21504]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\drivers\Ph3xIB32.sys [2007-4-3 1131136]
S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\toshiba tempro\TemproSvc.exe [2010-10-26 124368]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-19 22:14:40 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0ff904c6-34ef-4e9a-8e28-0e4d3d46c797}\offreg.dll
2012-03-19 22:09:26 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0ff904c6-34ef-4e9a-8e28-0e4d3d46c797}\mpengine.dll
2012-03-19 22:05:57 -------- d-----w- c:\users\dave\appdata\roaming\Avira
2012-03-19 21:59:15 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-19 21:59:15 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-03-19 21:59:09 -------- d-----w- c:\programdata\Avira
2012-03-19 21:59:09 -------- d-----w- c:\program files\Avira
2012-03-19 21:20:13 -------- d-----w- C:\sh4ldr
2012-03-19 21:20:13 -------- d-----w- c:\program files\Enigma Software Group
2012-03-19 21:16:31 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-19 20:52:49 -------- d-----w- c:\programdata\CA
2012-03-19 10:52:32 -------- d-----w- c:\users\dave\appdata\local\{1BC13EEC-26E8-494F-AEF5-25EA833013FB}
2012-03-19 10:52:09 -------- d-----w- c:\users\dave\appdata\local\{2B65CE4D-03DC-4495-904F-35A1108253E3}
2012-03-17 21:39:35 -------- d-----w- c:\users\dave\appdata\local\{0E9475B5-BCFB-4959-9EDB-C35E445ED3A8}
2012-03-17 21:39:12 -------- d-----w- c:\users\dave\appdata\local\{5D0F0694-B04A-4CD2-8B8B-49E282763560}
2012-03-17 04:04:25 -------- d--h--w- c:\users\dave\appdata\local\{DA26CC54-4812-45B5-BF6B-FF75F6C5898D}
2012-03-17 04:03:59 -------- d--h--w- c:\users\dave\appdata\local\{5F496AA6-DBCB-457B-8C1D-1E1F57996582}
2012-03-15 23:50:21 -------- d--h--w- c:\users\dave\appdata\local\{2C7DBBEF-F60A-4115-946A-A2D5A7C0461E}
2012-03-15 23:49:58 -------- d--h--w- c:\users\dave\appdata\local\{06FBBEE2-07CB-4202-8538-9A81274D6449}
2012-03-15 03:18:14 -------- d--h--w- c:\users\dave\appdata\local\{0D5C7FC4-890C-40B1-9105-E227A3612254}
2012-03-15 03:17:51 -------- d--h--w- c:\users\dave\appdata\local\{A23510AB-314B-40A9-89C6-1B08F99D9EFD}
2012-03-14 11:23:22 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 11:23:20 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 11:23:20 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 11:23:20 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 11:23:20 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 11:23:20 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 11:22:52 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-14 11:22:36 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 11:22:36 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 11:15:47 -------- d--h--w- c:\users\dave\appdata\local\{97B9EB11-6048-44EB-A0E1-0E97158C2ACC}
2012-03-14 11:15:24 -------- d--h--w- c:\users\dave\appdata\local\{36D168C0-DEB3-4732-B2D6-D35CC48E2B56}
2012-03-14 11:14:01 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-14 11:14:01 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-14 05:05:44 -------- d--h--w- c:\users\dave\appdata\local\{637640C3-7205-4210-B500-4211E4D207E0}
2012-03-13 13:49:58 -------- d--h--w- c:\users\dave\appdata\local\{03E04AA6-D3AC-47B3-A860-ECD7C7FD86AD}
2012-03-13 13:49:17 -------- d--h--w- c:\users\dave\appdata\local\{2B794DDB-933D-42BF-831B-AC7DCBB14F38}
2012-03-12 20:31:32 -------- d--h--w- c:\users\dave\appdata\local\{52A5C99F-E5F8-4DC5-B860-682C89C9047C}
2012-03-12 20:31:09 -------- d--h--w- c:\users\dave\appdata\local\{E6D1DA74-96AD-46F4-8416-AD42966FA2F7}
2012-03-12 08:30:54 -------- d--h--w- c:\users\dave\appdata\local\{7C9E6B5A-9987-4DCB-99EA-D954097FBC9D}
2012-03-12 08:30:26 -------- d--h--w- c:\users\dave\appdata\local\{129D6817-EC2A-4DD8-ABBD-FA863DA3A3AA}
2012-03-11 20:30:11 -------- d--h--w- c:\users\dave\appdata\local\{8E05C094-EAE7-4747-81B1-16B26F2AEF32}
2012-03-11 20:29:48 -------- d--h--w- c:\users\dave\appdata\local\{4A0FBA3C-50F8-47C6-A3F3-1D640BDE7600}
2012-03-11 08:29:32 -------- d--h--w- c:\users\dave\appdata\local\{189C4942-C3C1-4B92-B14F-FD0DEBF56A8D}
2012-03-11 08:29:09 -------- d--h--w- c:\users\dave\appdata\local\{844289F4-87F9-4468-961C-6039198887D8}
2012-03-08 17:30:35 -------- d--h--w- c:\users\dave\appdata\local\{ECDA783B-8663-473F-B7AA-604D75424FE4}
2012-03-08 17:30:11 -------- d--h--w- c:\users\dave\appdata\local\{9918B8BF-1D6F-4E41-812D-E350CCA061B2}
2012-03-08 05:29:57 -------- d--h--w- c:\users\dave\appdata\local\{D7B4BCDB-83ED-48C5-9735-0705B8E278D8}
2012-03-08 05:29:34 -------- d--h--w- c:\users\dave\appdata\local\{5CA2AD92-0AB9-44DB-A0ED-A9FF448C6F54}
2012-03-07 17:29:19 -------- d--h--w- c:\users\dave\appdata\local\{8EB251DF-7C4C-49F5-835A-D905BBA04EF5}
2012-03-07 17:28:55 -------- d--h--w- c:\users\dave\appdata\local\{9F1FE2DF-18B9-415A-85A1-B6E3097CA242}
2012-03-06 16:16:03 -------- d--h--w- c:\users\dave\appdata\local\{B99557F6-4B76-4E3E-9CE7-A89F8896EAC7}
2012-03-06 16:15:42 -------- d--h--w- c:\users\dave\appdata\local\{F1CF1DD3-9E4A-4E8A-B007-79A43CD66D22}
2012-03-06 00:49:15 -------- d--h--w- c:\users\dave\appdata\local\{C6E69A69-336D-4C5A-A689-8DBCD585134C}
2012-03-06 00:48:52 -------- d--h--w- c:\users\dave\appdata\local\{1CC9691F-F31B-4357-9EAF-833173AC5544}
2012-03-04 15:05:42 -------- d--h--w- c:\users\dave\appdata\local\kpnomfdm
2012-03-04 14:10:59 -------- d--h--w- c:\users\dave\appdata\local\{9F2425EF-7E97-4EB4-9A93-A07345BDDF42}
2012-03-04 14:10:36 -------- d--h--w- c:\users\dave\appdata\local\{420EFEFD-F5C9-42B4-8006-98A00A123572}
2012-03-04 01:57:41 -------- d--h--w- c:\users\dave\appdata\local\{01782B1E-5595-4A35-BA7B-32D8781858AB}
2012-03-04 01:57:18 -------- d--h--w- c:\users\dave\appdata\local\{E6AD3A87-27B6-471D-8BF3-2430E5BA9870}
2012-03-03 13:56:58 -------- d--h--w- c:\users\dave\appdata\local\{06326131-6327-48C2-9073-FCE032B11DD2}
2012-03-03 13:56:35 -------- d--h--w- c:\users\dave\appdata\local\{9C2A1188-E60E-4B3A-AB06-E4D97111F9BC}
2012-02-29 13:30:12 -------- d--h--w- c:\users\dave\appdata\local\{D0F2C65E-3183-4027-8EDA-FDA7512233FA}
2012-02-29 13:29:49 -------- d--h--w- c:\users\dave\appdata\local\{2B3493A4-35EF-4D67-9110-38727C3355EA}
2012-02-29 01:29:20 -------- d--h--w- c:\users\dave\appdata\local\{778F45C5-6C40-4905-8626-4E8A726DDDBC}
2012-02-29 01:28:54 -------- d--h--w- c:\users\dave\appdata\local\{18589A95-DD81-4D80-9426-C0FF048BE090}
2012-02-28 13:28:21 -------- d--h--w- c:\users\dave\appdata\local\{721C5EA9-BE79-412A-B4F5-3A18A4E0C5DC}
2012-02-28 13:27:59 -------- d--h--w- c:\users\dave\appdata\local\{CE87702B-BAF6-457F-B5CD-41E524D93011}
2012-02-27 21:57:49 -------- d--h--w- c:\users\dave\appdata\local\{4F7B63AC-B6AC-40C3-9E00-A227A9DCD6F0}
2012-02-27 21:57:24 -------- d--h--w- c:\users\dave\appdata\local\{11242BF4-0091-4753-9556-C539C4FD54C5}
2012-02-27 09:56:57 -------- d--h--w- c:\users\dave\appdata\local\{8707AC18-1B6C-42A3-83A6-5B0E2E585C53}
2012-02-27 09:56:35 -------- d--h--w- c:\users\dave\appdata\local\{E48A9D03-E395-43C2-AC0A-7CDF8DDE16C5}
2012-02-26 21:56:20 -------- d--h--w- c:\users\dave\appdata\local\{EF1FC201-BAC4-42A0-9209-18AF4000B862}
2012-02-26 21:55:52 -------- d--h--w- c:\users\dave\appdata\local\{15CEE049-367E-4F1A-8E59-BABB6EAC7B8D}
2012-02-24 11:46:24 -------- d--h--w- c:\users\dave\appdata\local\{80CF220E-AB07-4073-A880-5AE4B72ED5A4}
2012-02-24 11:46:01 -------- d--h--w- c:\users\dave\appdata\local\{C06FCC68-D610-4D3D-9C79-0CB80F916698}
2012-02-23 16:03:29 -------- d--h--w- c:\users\dave\appdata\local\{8E970C8A-C265-482C-A520-DB1BEE1091F3}
2012-02-23 16:03:06 -------- d--h--w- c:\users\dave\appdata\local\{E00136DA-EF51-403E-AD35-3D6904E361CB}
2012-02-22 13:04:30 -------- d--h--w- c:\users\dave\appdata\local\{A42A541D-D48D-4A34-885D-C4E0EEA1A66E}
2012-02-22 13:04:07 -------- d--h--w- c:\users\dave\appdata\local\{9FDB630E-BD28-43FF-810F-BB5646749181}
2012-02-21 20:58:02 -------- d--h--w- c:\users\dave\appdata\local\{95261E21-3B4C-4896-8748-0E9B4676460C}
2012-02-21 20:57:40 -------- d--h--w- c:\users\dave\appdata\local\{57805BF8-A605-4DC7-BC33-79A0FBF05F30}
2012-02-21 04:45:24 -------- d--h--w- c:\users\dave\appdata\local\{654ED9E3-6B44-4FBE-AE4E-CAAA7BAA21A9}
2012-02-21 04:44:47 -------- d--h--w- c:\users\dave\appdata\local\{E1C832E8-F993-4D0A-8534-985D41B73CFB}
2012-02-20 12:46:15 -------- d--h--w- c:\users\dave\appdata\local\{39305CDD-9A6B-4321-893F-534BAEF76ABC}
2012-02-20 12:45:52 -------- d--h--w- c:\users\dave\appdata\local\{8268B487-5B87-43C7-9C51-747994FFD3DF}
2012-02-19 23:49:44 -------- d--h--w- c:\users\dave\appdata\local\{0119D7FE-9A7D-4349-A048-17441AA75B5C}
2012-02-19 23:49:23 -------- d--h--w- c:\users\dave\appdata\local\{F97A2B26-3A3A-4E92-97B1-BD8ECC2B7F8F}
2012-02-19 11:48:55 -------- d--h--w- c:\users\dave\appdata\local\{2254F6FB-23E1-4D5E-A520-ED4EEF4166C2}
2012-02-19 11:48:32 -------- d--h--w- c:\users\dave\appdata\local\{B894DC5F-2A3F-44EA-8DA1-C37ED232209C}
.
==================== Find3M ====================
.
2012-03-19 10:49:15 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-03-19 10:49:12 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-02-23 09:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-21 20:57:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 0:43:37.74 ===============

My whole system seems to be hijacked now. Can't run or open anything without fake security software telling me its a virus and blocking it including task manager and anti virus programs. opening explorer or firefox takes me to the fake security software page. it wants me to buy the software to get rid of "viruses" by entering my card details which obviously i havent done. i had to use safe mose with networking to post this message. is there anything i can do?

Blade81
2012-03-23, 17:25
Hi,

Post attach.txt contents too.

daviedoo
2012-03-24, 06:39
Hi Blade81, thanks for replying.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 26/11/2008 16:57:21
System Uptime: 19/03/2012 10:48:25 (14 hours ago)
.
Motherboard: TOSHIBA | | EQUIUM A300D
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-60 | Socket M2/S1G1 | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 93 GiB total, 8.049 GiB free.
D: is FIXED (NTFS) - 92 GiB total, 47.829 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
Description: ADS Instant HDTV PCI
Device ID: ROOT\MEDIA\0000
Manufacturer: ADS Technologies
Name: ADS Instant HDTV PCI
PNP Device ID: ROOT\MEDIA\0000
Service: Ph3xIB32
.
==== System Restore Points ===================
.
RP967: 12/03/2012 08:31:09 - Windows Update
RP968: 13/03/2012 14:03:20 - Windows Update
RP969: 14/03/2012 13:03:15 - Scheduled Checkpoint
RP970: 15/03/2012 03:00:17 - Windows Update
RP971: 15/03/2012 03:28:14 - Windows Update
RP973: 15/03/2012 07:41:23 - Microsoft Antimalware Checkpoint
RP974: 16/03/2012 09:51:27 - Scheduled Checkpoint
RP975: 17/03/2012 00:00:02 - Scheduled Checkpoint
RP976: 17/03/2012 02:10:33 - Windows Update
RP978: 17/03/2012 13:11:50 - Microsoft Antimalware Checkpoint
RP979: 17/03/2012 19:38:09 - Windows Update
RP980: 19/03/2012 10:59:38 - Windows Update
RP982: 19/03/2012 14:22:33 - Microsoft Antimalware Checkpoint
RP983: 19/03/2012 21:58:10 - Removed SpyHunter
RP984: 19/03/2012 22:08:45 - Windows Update
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
ABBYY FineReader 6.0 Sprint
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.0
Adobe Shockwave Player 11.6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
Avira Free Antivirus
Bluetooth Stack for Windows by Toshiba
Bonjour
Camera Assistant Software for Toshiba
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CD/DVD Drive Acoustic Silencer
Client Settings Tool
Compatibility Pack for the 2007 Office system
Conexant HD Audio
D3DX10
Derive 6 Trial Edition
DVD MovieFactory for TOSHIBA
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON Printer Software
EPSON Scan
EPSON Web-To-Page
ERUNT 1.1j
ESDX4000_4050_CX3900
Facebook Plug-In
getPlus(R) for Adobe
Google Chrome
Google Earth
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iCloud
iTunes
Java Auto Updater
Java(TM) 6 Update 29
Junk Mail filter update
JustCloud Setup
Logitech Gaming Software 5.04
Malwarebytes Anti-Malware version 1.60.1.1000
Marvell Miniport Driver
Mathcad 12
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.5
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual Basic 6.0 Enterprise Edition
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Web Publishing Wizard 1.53
Microsoft Works
Microsoft XML Parser
MobileMe Control Panel
Mozilla Firefox 11.0 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
myphotobook 3.5
NetWaiting
O2Micro Flash Memory Card Reader Driver (x86)
OGA Notifier 2.0.0048.0
Picasa 3
QuickTime
REALTEK RTL8187B Wireless LAN Driver
Realtek WiFi Protected Setup Library
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Segoe UI
Skins
Spybot - Search & Destroy
swMSM
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA Manuals
Toshiba Online Product Information
TOSHIBA Recovery Disc Creator
TOSHIBA SD Memory Utilities
TOSHIBA Supervisor Password
Toshiba TEMPRO
TOSHIBA Value Added Package
TRDCReminder
TRORDCLauncher
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VoiceOver Kit
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Encoder 9 Series
.
==== Event Viewer Messages From Past Week ========
.
20/03/2012 00:42:30, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume Vista.
20/03/2012 00:42:27, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
19/03/2012 10:51:00, Error: Service Control Manager [7001] - The Windows Media Player Network Sharing Service service depends on the UPnP Device Host service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
19/03/2012 10:49:14, Error: Service Control Manager [7000] - The TOSHIBA Bluetooth Service service failed to start due to the following error: The system cannot find the file specified.
19/03/2012 10:49:14, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
17/03/2012 21:37:44, Error: Microsoft Antimalware [3002] -
17/03/2012 21:37:18, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
17/03/2012 21:37:04, Error: EventLog [6008] - The previous system shutdown at 21:35:37 on 17/03/2012 was unexpected.
17/03/2012 20:47:28, Error: EventLog [6008] - The previous system shutdown at 20:39:40 on 17/03/2012 was unexpected.
17/03/2012 13:21:19, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
17/03/2012 04:00:50, Error: EventLog [6008] - The previous system shutdown at 03:56:47 on 17/03/2012 was unexpected.
16/03/2012 02:04:28, Error: EventLog [6008] - The previous system shutdown at 01:58:48 on 16/03/2012 was unexpected.
15/03/2012 03:14:15, Error: EventLog [6008] - The previous system shutdown at 03:08:56 on 15/03/2012 was unexpected.
14/03/2012 05:02:40, Error: EventLog [6008] - The previous system shutdown at 02:11:34 on 14/03/2012 was unexpected.
14/03/2012 01:17:45, Error: EventLog [6008] - The previous system shutdown at 01:09:19 on 14/03/2012 was unexpected.
13/03/2012 21:50:41, Error: EventLog [6008] - The previous system shutdown at 21:48:55 on 13/03/2012 was unexpected.
.
==== End Of File ===========================

Blade81
2012-03-24, 12:22
Hi

Download and run this (http://download.bleepingcomputer.com/grinler/unhide.exe) first.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

daviedoo
2012-03-24, 13:35
ComboFix 12-03-22.01 - Dave 24/03/2012 11:13:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.1103 [GMT 0:00]
Running from: c:\users\Dave\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~C3t0xq5tzNVBP3
c:\programdata\~C3t0xq5tzNVBP3r
c:\programdata\C3t0xq5tzNVBP3
c:\users\Dave\AppData\Local\gmgwrwdp.log
c:\users\Dave\AppData\Local\ifatevhs.log
c:\users\Dave\AppData\Local\mtpjjfhq.log
c:\users\Dave\AppData\Local\unmgteyy.log
c:\users\Dave\AppData\Local\vkcyrlcs.log
c:\users\Dave\AppData\Local\ygdqaalw.log
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
.
.
((((((((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 )))))))))))))))))))))))))))))))
.
.
2012-03-24 11:21 . 2012-03-24 11:21 -------- d-----w- c:\users\Dave\AppData\Local\temp
2012-03-24 10:14 . 2012-03-13 19:15 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3F92F4A4-82FF-49A8-A85D-457E2F32DA72}\mpengine.dll
2012-03-22 10:28 . 2012-03-13 19:15 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-21 09:22 . 2012-03-21 09:22 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6A34014-E40A-4A8A-ACF8-92667FCD5DCC}\gapaengine.dll
2012-03-21 09:18 . 2012-03-21 09:18 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-21 01:39 . 2012-03-01 14:34 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABA4EC6B-2637-4C2E-8082-A05690254E6C}\mpengine.dll
2012-03-20 00:39 . 2012-03-20 00:39 -------- d-----w- c:\program files\ERUNT
2012-03-19 21:20 . 2012-03-19 22:02 -------- d-----w- C:\sh4ldr
2012-03-19 21:20 . 2012-03-19 21:20 -------- d-----w- c:\program files\Enigma Software Group
2012-03-19 21:16 . 2012-03-19 22:02 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-19 20:52 . 2012-03-19 20:52 -------- d-----w- c:\programdata\CA
2012-03-14 11:23 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 11:23 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 11:23 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 11:23 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 11:23 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 11:23 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 11:22 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-14 11:22 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 11:22 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 11:14 . 2012-03-14 11:14 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-14 11:14 . 2012-03-14 11:14 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-04 15:05 . 2012-03-04 21:43 -------- d-----w- c:\users\Dave\AppData\Local\kpnomfdm
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-24 10:52 . 2011-03-26 06:54 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-03-24 10:52 . 2011-03-26 06:59 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-02-23 09:18 . 2009-10-28 19:57 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-21 20:57 . 2011-05-17 05:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-14 11:14 . 2011-05-10 11:59 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-29 1029416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2010-10-26 1050072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTAyNzMyMDMwLVU4NSsxLVQzLUZQOTIrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3LVNQMSsxLVNVUCs0LUZMMTArMS1TUDFTMisxLUREVCsw&prod=90&ver=10.0.1209" [?]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
.
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk /r \??\D:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Toshiba TEMPRO"=c:\program files\Toshiba TEMPRO\TemproTray.exe
"Toshiba TEMPO"=c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
"Toshiba Registration"=c:\program files\Toshiba\Registration\ToshibaRegistration.exe
"topi"=c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
"Start WingMan Profiler"=c:\program files\Logitech\Gaming Software\LWEMon.exe /noui
"Desktop SMS"=c:\program files\IDM\Desktop SMS\DesktopSMS.exe /auto
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" /start
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
"ITSecMng"=%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 00:16]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 00:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\0p53vkpy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&sr=0&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
ShellIconOverlayIdentifiers-{04cd1f3e-81d5-4904-a3ab-e0f99a7d769d} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-CNXT_AUDIO_HDA - c:\program files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe
AddRemove-{02CA24DD-C8B0-4280-BE53-7862869C2EB1} - c:\program files\InstallShield Installation Information\{02CA24DD-C8B0-4280-BE53-7862869C2EB1}\Install.exe
AddRemove-{12B3A009-A080-4619-9A2A-C6DB151D8D67} - c:\program files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe
AddRemove-{37C866E4-AA67-4725-9E95-A39968DD7960} - c:\program files\InstallShield Installation Information\{37C866E4-AA67-4725-9E95-A39968DD7960}\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-24 11:21
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-03-24 11:25:33
ComboFix-quarantined-files.txt 2012-03-24 11:25
.
Pre-Run: 7,815,135,232 bytes free
Post-Run: 8,816,091,136 bytes free
.
- - End Of File - - 1D0E2CB43CEB99E5858A519ACE3959B8


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Dave at 11:29:46 on 2012-03-24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.919 [GMT 0:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\rpcnet.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTAyNzMyMDMwLVU4NSsxLVQzLUZQOTIrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3LVNQMSsxLVNVUCs0LUZMMTArMS1TUDFTMisxLUREVCsw"&"prod=90"&"ver=10.0.1209
StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/vistainstaller.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{B05071D1-02D8-45DD-8F81-1E0D002F30B5} : DhcpNameServer = 192.168.42.129
TCP: Interfaces\{C398C3C6-9D03-475E-8E3A-B72B4181E2A8} : DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{D3DFD185-6AFB-45A3-B9D6-41458A82876D} : DhcpNameServer = 194.168.4.100 194.168.8.100
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\0p53vkpy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&sr=0&q=
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\dave\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2008-11-26 25896]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-19 1153368]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-3-19 187904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-1-21 21504]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\drivers\Ph3xIB32.sys [2007-4-3 1131136]
S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\toshiba tempro\TemproSvc.exe [2010-10-26 124368]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-24 11:25:38 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-24 11:25:35 -------- d-----w- c:\users\dave\appdata\local\temp
2012-03-24 11:10:42 98816 ----a-w- c:\windows\sed.exe
2012-03-24 11:10:42 518144 ----a-w- c:\windows\SWREG.exe
2012-03-24 11:10:42 256000 ----a-w- c:\windows\PEV.exe
2012-03-24 11:10:42 208896 ----a-w- c:\windows\MBR.exe
2012-03-24 10:54:54 -------- d-----w- c:\users\dave\appdata\local\{685A3C59-80C4-40E0-84B0-5CE7BC188697}
2012-03-24 10:54:27 -------- d-----w- c:\users\dave\appdata\local\{B57096A7-9CCB-4B34-824A-D17A0F28196F}
2012-03-24 10:14:55 6582328 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{3f92f4a4-82ff-49a8-a85d-457e2f32da72}\mpengine.dll
2012-03-24 10:05:52 -------- d-----w- c:\users\dave\appdata\local\{C0403E64-EE60-4E12-A496-3D78A64653D9}
2012-03-23 06:41:39 -------- d-----w- c:\users\dave\appdata\local\{3DB7B5ED-6FF8-4A30-9F5E-A894605740B2}
2012-03-23 06:41:17 -------- d-----w- c:\users\dave\appdata\local\{42F21821-6FB2-4035-9692-BD6439E2341E}
2012-03-22 10:28:43 6582328 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-03-22 02:36:26 -------- d-----w- c:\users\dave\appdata\local\{AA4A84FE-6B14-45CD-89C7-7977BFB2C73E}
2012-03-22 02:36:04 -------- d-----w- c:\users\dave\appdata\local\{F434C5CB-C1F0-4D60-99FD-AFC799308F0F}
2012-03-22 02:29:45 -------- d-----w- c:\users\dave\appdata\local\{EBEAE06C-35B9-4E4E-A3B0-BC7F3651D231}
2012-03-21 19:50:34 -------- d-----w- c:\users\dave\appdata\local\{3D5347F5-5695-4E3A-93F9-BE8361053D8E}
2012-03-21 10:29:44 -------- d-----w- c:\users\dave\appdata\local\{1105D119-4ED0-4534-AD94-65225A303D54}
2012-03-21 09:22:40 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{d6a34014-e40a-4a8a-acf8-92667fcd5dcc}\gapaengine.dll
2012-03-21 09:18:11 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-21 01:39:51 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{aba4ec6b-2637-4c2e-8082-a05690254e6c}\mpengine.dll
2012-03-20 21:35:46 -------- d-----w- c:\users\dave\appdata\local\{03C49178-C64D-4263-AFC6-2D4CDB013397}
2012-03-20 21:35:23 -------- d-----w- c:\users\dave\appdata\local\{3C0DA2E2-0619-42C5-98EE-C2E85AB72C70}
2012-03-20 09:35:05 -------- d-----w- c:\users\dave\appdata\local\{F1B0D6E7-722C-42A1-82D6-B7C2F494DE0D}
2012-03-20 09:34:42 -------- d-----w- c:\users\dave\appdata\local\{32BAE6DD-26C1-4A8B-B2FD-095793BCCBA9}
2012-03-19 21:20:13 -------- d-----w- C:\sh4ldr
2012-03-19 21:20:13 -------- d-----w- c:\program files\Enigma Software Group
2012-03-19 21:16:31 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-19 20:52:49 -------- d-----w- c:\programdata\CA
2012-03-19 10:52:32 -------- d-----w- c:\users\dave\appdata\local\{1BC13EEC-26E8-494F-AEF5-25EA833013FB}
2012-03-19 10:52:09 -------- d-----w- c:\users\dave\appdata\local\{2B65CE4D-03DC-4495-904F-35A1108253E3}
2012-03-17 21:39:35 -------- d-----w- c:\users\dave\appdata\local\{0E9475B5-BCFB-4959-9EDB-C35E445ED3A8}
2012-03-17 21:39:12 -------- d-----w- c:\users\dave\appdata\local\{5D0F0694-B04A-4CD2-8B8B-49E282763560}
2012-03-17 04:04:25 -------- d-----w- c:\users\dave\appdata\local\{DA26CC54-4812-45B5-BF6B-FF75F6C5898D}
2012-03-17 04:03:59 -------- d-----w- c:\users\dave\appdata\local\{5F496AA6-DBCB-457B-8C1D-1E1F57996582}
2012-03-15 23:50:21 -------- d-----w- c:\users\dave\appdata\local\{2C7DBBEF-F60A-4115-946A-A2D5A7C0461E}
2012-03-15 23:49:58 -------- d-----w- c:\users\dave\appdata\local\{06FBBEE2-07CB-4202-8538-9A81274D6449}
2012-03-15 03:18:14 -------- d-----w- c:\users\dave\appdata\local\{0D5C7FC4-890C-40B1-9105-E227A3612254}
2012-03-15 03:17:51 -------- d-----w- c:\users\dave\appdata\local\{A23510AB-314B-40A9-89C6-1B08F99D9EFD}
2012-03-14 11:23:22 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 11:23:20 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 11:23:20 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 11:23:20 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 11:23:20 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 11:23:20 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 11:22:52 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-14 11:22:36 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 11:22:36 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 11:15:47 -------- d-----w- c:\users\dave\appdata\local\{97B9EB11-6048-44EB-A0E1-0E97158C2ACC}
2012-03-14 11:15:24 -------- d-----w- c:\users\dave\appdata\local\{36D168C0-DEB3-4732-B2D6-D35CC48E2B56}
2012-03-14 11:14:01 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-14 11:14:01 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-14 05:05:44 -------- d-----w- c:\users\dave\appdata\local\{637640C3-7205-4210-B500-4211E4D207E0}
2012-03-13 13:49:58 -------- d-----w- c:\users\dave\appdata\local\{03E04AA6-D3AC-47B3-A860-ECD7C7FD86AD}
2012-03-13 13:49:17 -------- d-----w- c:\users\dave\appdata\local\{2B794DDB-933D-42BF-831B-AC7DCBB14F38}
2012-03-12 20:31:32 -------- d-----w- c:\users\dave\appdata\local\{52A5C99F-E5F8-4DC5-B860-682C89C9047C}
2012-03-12 20:31:09 -------- d-----w- c:\users\dave\appdata\local\{E6D1DA74-96AD-46F4-8416-AD42966FA2F7}
2012-03-12 08:30:54 -------- d-----w- c:\users\dave\appdata\local\{7C9E6B5A-9987-4DCB-99EA-D954097FBC9D}
2012-03-12 08:30:26 -------- d-----w- c:\users\dave\appdata\local\{129D6817-EC2A-4DD8-ABBD-FA863DA3A3AA}
2012-03-11 20:30:11 -------- d-----w- c:\users\dave\appdata\local\{8E05C094-EAE7-4747-81B1-16B26F2AEF32}
2012-03-11 20:29:48 -------- d-----w- c:\users\dave\appdata\local\{4A0FBA3C-50F8-47C6-A3F3-1D640BDE7600}
2012-03-11 08:29:32 -------- d-----w- c:\users\dave\appdata\local\{189C4942-C3C1-4B92-B14F-FD0DEBF56A8D}
2012-03-11 08:29:09 -------- d-----w- c:\users\dave\appdata\local\{844289F4-87F9-4468-961C-6039198887D8}
2012-03-08 17:30:35 -------- d-----w- c:\users\dave\appdata\local\{ECDA783B-8663-473F-B7AA-604D75424FE4}
2012-03-08 17:30:11 -------- d-----w- c:\users\dave\appdata\local\{9918B8BF-1D6F-4E41-812D-E350CCA061B2}
2012-03-08 05:29:57 -------- d-----w- c:\users\dave\appdata\local\{D7B4BCDB-83ED-48C5-9735-0705B8E278D8}
2012-03-08 05:29:34 -------- d-----w- c:\users\dave\appdata\local\{5CA2AD92-0AB9-44DB-A0ED-A9FF448C6F54}
2012-03-07 17:29:19 -------- d-----w- c:\users\dave\appdata\local\{8EB251DF-7C4C-49F5-835A-D905BBA04EF5}
2012-03-07 17:28:55 -------- d-----w- c:\users\dave\appdata\local\{9F1FE2DF-18B9-415A-85A1-B6E3097CA242}
2012-03-06 16:16:03 -------- d-----w- c:\users\dave\appdata\local\{B99557F6-4B76-4E3E-9CE7-A89F8896EAC7}
2012-03-06 16:15:42 -------- d-----w- c:\users\dave\appdata\local\{F1CF1DD3-9E4A-4E8A-B007-79A43CD66D22}
2012-03-06 00:49:15 -------- d-----w- c:\users\dave\appdata\local\{C6E69A69-336D-4C5A-A689-8DBCD585134C}
2012-03-06 00:48:52 -------- d-----w- c:\users\dave\appdata\local\{1CC9691F-F31B-4357-9EAF-833173AC5544}
2012-03-04 15:05:42 -------- d-----w- c:\users\dave\appdata\local\kpnomfdm
2012-03-04 14:10:59 -------- d-----w- c:\users\dave\appdata\local\{9F2425EF-7E97-4EB4-9A93-A07345BDDF42}
2012-03-04 14:10:36 -------- d-----w- c:\users\dave\appdata\local\{420EFEFD-F5C9-42B4-8006-98A00A123572}
2012-03-04 01:57:41 -------- d-----w- c:\users\dave\appdata\local\{01782B1E-5595-4A35-BA7B-32D8781858AB}
2012-03-04 01:57:18 -------- d-----w- c:\users\dave\appdata\local\{E6AD3A87-27B6-471D-8BF3-2430E5BA9870}
2012-03-03 13:56:58 -------- d-----w- c:\users\dave\appdata\local\{06326131-6327-48C2-9073-FCE032B11DD2}
2012-03-03 13:56:35 -------- d-----w- c:\users\dave\appdata\local\{9C2A1188-E60E-4B3A-AB06-E4D97111F9BC}
2012-02-29 13:30:12 -------- d-----w- c:\users\dave\appdata\local\{D0F2C65E-3183-4027-8EDA-FDA7512233FA}
2012-02-29 13:29:49 -------- d-----w- c:\users\dave\appdata\local\{2B3493A4-35EF-4D67-9110-38727C3355EA}
2012-02-29 01:29:20 -------- d-----w- c:\users\dave\appdata\local\{778F45C5-6C40-4905-8626-4E8A726DDDBC}
2012-02-29 01:28:54 -------- d-----w- c:\users\dave\appdata\local\{18589A95-DD81-4D80-9426-C0FF048BE090}
2012-02-28 13:28:21 -------- d-----w- c:\users\dave\appdata\local\{721C5EA9-BE79-412A-B4F5-3A18A4E0C5DC}
2012-02-28 13:27:59 -------- d-----w- c:\users\dave\appdata\local\{CE87702B-BAF6-457F-B5CD-41E524D93011}
2012-02-27 21:57:49 -------- d-----w- c:\users\dave\appdata\local\{4F7B63AC-B6AC-40C3-9E00-A227A9DCD6F0}
2012-02-27 21:57:24 -------- d-----w- c:\users\dave\appdata\local\{11242BF4-0091-4753-9556-C539C4FD54C5}
2012-02-27 09:56:57 -------- d-----w- c:\users\dave\appdata\local\{8707AC18-1B6C-42A3-83A6-5B0E2E585C53}
2012-02-27 09:56:35 -------- d-----w- c:\users\dave\appdata\local\{E48A9D03-E395-43C2-AC0A-7CDF8DDE16C5}
2012-02-26 21:56:20 -------- d-----w- c:\users\dave\appdata\local\{EF1FC201-BAC4-42A0-9209-18AF4000B862}
2012-02-26 21:55:52 -------- d-----w- c:\users\dave\appdata\local\{15CEE049-367E-4F1A-8E59-BABB6EAC7B8D}
2012-02-24 11:46:24 -------- d-----w- c:\users\dave\appdata\local\{80CF220E-AB07-4073-A880-5AE4B72ED5A4}
2012-02-24 11:46:01 -------- d-----w- c:\users\dave\appdata\local\{C06FCC68-D610-4D3D-9C79-0CB80F916698}
2012-02-23 16:03:29 -------- d-----w- c:\users\dave\appdata\local\{8E970C8A-C265-482C-A520-DB1BEE1091F3}
2012-02-23 16:03:06 -------- d-----w- c:\users\dave\appdata\local\{E00136DA-EF51-403E-AD35-3D6904E361CB}
.
==================== Find3M ====================
.
2012-03-24 10:52:37 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-03-24 10:52:35 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-02-23 09:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-21 20:57:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 11:30:21.53 ===============

Blade81
2012-03-24, 16:25
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



DirLook::
c:\users\Dave\AppData\Local\kpnomfdm



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 7 Update 3 (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Click the
Download
button under JRE.
Check the box that says:
Accept License Agreement.
Click on the jre-7u3-windows-i586.exe link to download Windows Offline Installation and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u3-windows-i586.exe to install the newest version.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

daviedoo
2012-03-24, 22:53
Hi Blade, Thanks for your continued help. The ESET scan didnt generate a report but no threats were found after the scan. I have pasted the dds.txt log and ComboFix log below and I can now zip files again (and so can attach the attch.txt file) if thats of any use?

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.3.0
Run by Dave at 20:22:19 on 2012-03-24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.981 [GMT 0:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\rpcnet.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba TEMPRO\TemproTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Toshiba TEMPRO] c:\program files\toshiba tempro\TemproTray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTAyNzMyMDMwLVU4NSsxLVQzLUZQOTIrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3LVNQMSsxLVNVUCs0LUZMMTArMS1TUDFTMisxLUREVCsw"&"prod=90"&"ver=10.0.1209
StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/vistainstaller.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{B05071D1-02D8-45DD-8F81-1E0D002F30B5} : DhcpNameServer = 192.168.42.129
TCP: Interfaces\{C398C3C6-9D03-475E-8E3A-B72B4181E2A8} : DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{D3DFD185-6AFB-45A3-B9D6-41458A82876D} : DhcpNameServer = 194.168.4.100 194.168.8.100
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\0p53vkpy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&sr=0&q=
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2008-11-26 25896]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-19 1153368]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-3-19 187904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-7 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-1-21 21504]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\drivers\Ph3xIB32.sys [2007-4-3 1131136]
S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\toshiba tempro\TemproSvc.exe [2010-10-26 124368]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-24 18:58:41 -------- d-----w- c:\program files\ESET
2012-03-24 18:54:02 -------- d-----w- c:\users\dave\appdata\local\temp
2012-03-24 18:45:18 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-24 18:30:54 -------- d-----w- C:\ComboFix
2012-03-24 18:12:28 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-03-24 11:44:37 6582328 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{10a46923-dc17-497c-aa85-8d57c4145266}\mpengine.dll
2012-03-24 11:10:42 98816 ----a-w- c:\windows\sed.exe
2012-03-24 11:10:42 518144 ----a-w- c:\windows\SWREG.exe
2012-03-24 11:10:42 256000 ----a-w- c:\windows\PEV.exe
2012-03-24 11:10:42 208896 ----a-w- c:\windows\MBR.exe
2012-03-24 10:54:54 -------- d-----w- c:\users\dave\appdata\local\{685A3C59-80C4-40E0-84B0-5CE7BC188697}
2012-03-24 10:54:27 -------- d-----w- c:\users\dave\appdata\local\{B57096A7-9CCB-4B34-824A-D17A0F28196F}
2012-03-24 10:05:52 -------- d-----w- c:\users\dave\appdata\local\{C0403E64-EE60-4E12-A496-3D78A64653D9}
2012-03-23 06:41:39 -------- d-----w- c:\users\dave\appdata\local\{3DB7B5ED-6FF8-4A30-9F5E-A894605740B2}
2012-03-23 06:41:17 -------- d-----w- c:\users\dave\appdata\local\{42F21821-6FB2-4035-9692-BD6439E2341E}
2012-03-22 19:12:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-22 10:28:43 6582328 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-03-22 02:36:26 -------- d-----w- c:\users\dave\appdata\local\{AA4A84FE-6B14-45CD-89C7-7977BFB2C73E}
2012-03-22 02:36:04 -------- d-----w- c:\users\dave\appdata\local\{F434C5CB-C1F0-4D60-99FD-AFC799308F0F}
2012-03-22 02:29:45 -------- d-----w- c:\users\dave\appdata\local\{EBEAE06C-35B9-4E4E-A3B0-BC7F3651D231}
2012-03-21 19:50:34 -------- d-----w- c:\users\dave\appdata\local\{3D5347F5-5695-4E3A-93F9-BE8361053D8E}
2012-03-21 10:29:44 -------- d-----w- c:\users\dave\appdata\local\{1105D119-4ED0-4534-AD94-65225A303D54}
2012-03-21 09:22:40 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{d6a34014-e40a-4a8a-acf8-92667fcd5dcc}\gapaengine.dll
2012-03-21 09:18:11 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-21 01:39:51 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{aba4ec6b-2637-4c2e-8082-a05690254e6c}\mpengine.dll
2012-03-20 21:35:46 -------- d-----w- c:\users\dave\appdata\local\{03C49178-C64D-4263-AFC6-2D4CDB013397}
2012-03-20 21:35:23 -------- d-----w- c:\users\dave\appdata\local\{3C0DA2E2-0619-42C5-98EE-C2E85AB72C70}
2012-03-20 09:35:05 -------- d-----w- c:\users\dave\appdata\local\{F1B0D6E7-722C-42A1-82D6-B7C2F494DE0D}
2012-03-20 09:34:42 -------- d-----w- c:\users\dave\appdata\local\{32BAE6DD-26C1-4A8B-B2FD-095793BCCBA9}
2012-03-19 21:20:13 -------- d-----w- C:\sh4ldr
2012-03-19 21:20:13 -------- d-----w- c:\program files\Enigma Software Group
2012-03-19 21:16:31 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-19 20:52:49 -------- d-----w- c:\programdata\CA
2012-03-19 10:52:32 -------- d-----w- c:\users\dave\appdata\local\{1BC13EEC-26E8-494F-AEF5-25EA833013FB}
2012-03-19 10:52:09 -------- d-----w- c:\users\dave\appdata\local\{2B65CE4D-03DC-4495-904F-35A1108253E3}
2012-03-17 21:39:35 -------- d-----w- c:\users\dave\appdata\local\{0E9475B5-BCFB-4959-9EDB-C35E445ED3A8}
2012-03-17 21:39:12 -------- d-----w- c:\users\dave\appdata\local\{5D0F0694-B04A-4CD2-8B8B-49E282763560}
2012-03-17 04:04:25 -------- d-----w- c:\users\dave\appdata\local\{DA26CC54-4812-45B5-BF6B-FF75F6C5898D}
2012-03-17 04:03:59 -------- d-----w- c:\users\dave\appdata\local\{5F496AA6-DBCB-457B-8C1D-1E1F57996582}
2012-03-15 23:50:21 -------- d-----w- c:\users\dave\appdata\local\{2C7DBBEF-F60A-4115-946A-A2D5A7C0461E}
2012-03-15 23:49:58 -------- d-----w- c:\users\dave\appdata\local\{06FBBEE2-07CB-4202-8538-9A81274D6449}
2012-03-15 03:18:14 -------- d-----w- c:\users\dave\appdata\local\{0D5C7FC4-890C-40B1-9105-E227A3612254}
2012-03-15 03:17:51 -------- d-----w- c:\users\dave\appdata\local\{A23510AB-314B-40A9-89C6-1B08F99D9EFD}
2012-03-14 11:23:22 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 11:23:20 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 11:23:20 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 11:23:20 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 11:23:20 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 11:23:20 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 11:22:52 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-14 11:22:36 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 11:22:36 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 11:15:47 -------- d-----w- c:\users\dave\appdata\local\{97B9EB11-6048-44EB-A0E1-0E97158C2ACC}
2012-03-14 11:15:24 -------- d-----w- c:\users\dave\appdata\local\{36D168C0-DEB3-4732-B2D6-D35CC48E2B56}
2012-03-14 11:14:01 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-14 11:14:01 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-14 05:05:44 -------- d-----w- c:\users\dave\appdata\local\{637640C3-7205-4210-B500-4211E4D207E0}
2012-03-13 13:49:58 -------- d-----w- c:\users\dave\appdata\local\{03E04AA6-D3AC-47B3-A860-ECD7C7FD86AD}
2012-03-13 13:49:17 -------- d-----w- c:\users\dave\appdata\local\{2B794DDB-933D-42BF-831B-AC7DCBB14F38}
2012-03-12 20:31:32 -------- d-----w- c:\users\dave\appdata\local\{52A5C99F-E5F8-4DC5-B860-682C89C9047C}
2012-03-12 20:31:09 -------- d-----w- c:\users\dave\appdata\local\{E6D1DA74-96AD-46F4-8416-AD42966FA2F7}
2012-03-12 08:30:54 -------- d-----w- c:\users\dave\appdata\local\{7C9E6B5A-9987-4DCB-99EA-D954097FBC9D}
2012-03-12 08:30:26 -------- d-----w- c:\users\dave\appdata\local\{129D6817-EC2A-4DD8-ABBD-FA863DA3A3AA}
2012-03-11 20:30:11 -------- d-----w- c:\users\dave\appdata\local\{8E05C094-EAE7-4747-81B1-16B26F2AEF32}
2012-03-11 20:29:48 -------- d-----w- c:\users\dave\appdata\local\{4A0FBA3C-50F8-47C6-A3F3-1D640BDE7600}
2012-03-11 08:29:32 -------- d-----w- c:\users\dave\appdata\local\{189C4942-C3C1-4B92-B14F-FD0DEBF56A8D}
2012-03-11 08:29:09 -------- d-----w- c:\users\dave\appdata\local\{844289F4-87F9-4468-961C-6039198887D8}
2012-03-08 17:30:35 -------- d-----w- c:\users\dave\appdata\local\{ECDA783B-8663-473F-B7AA-604D75424FE4}
2012-03-08 17:30:11 -------- d-----w- c:\users\dave\appdata\local\{9918B8BF-1D6F-4E41-812D-E350CCA061B2}
2012-03-08 05:29:57 -------- d-----w- c:\users\dave\appdata\local\{D7B4BCDB-83ED-48C5-9735-0705B8E278D8}
2012-03-08 05:29:34 -------- d-----w- c:\users\dave\appdata\local\{5CA2AD92-0AB9-44DB-A0ED-A9FF448C6F54}
2012-03-07 17:29:19 -------- d-----w- c:\users\dave\appdata\local\{8EB251DF-7C4C-49F5-835A-D905BBA04EF5}
2012-03-07 17:28:55 -------- d-----w- c:\users\dave\appdata\local\{9F1FE2DF-18B9-415A-85A1-B6E3097CA242}
2012-03-06 16:16:03 -------- d-----w- c:\users\dave\appdata\local\{B99557F6-4B76-4E3E-9CE7-A89F8896EAC7}
2012-03-06 16:15:42 -------- d-----w- c:\users\dave\appdata\local\{F1CF1DD3-9E4A-4E8A-B007-79A43CD66D22}
2012-03-06 00:49:15 -------- d-----w- c:\users\dave\appdata\local\{C6E69A69-336D-4C5A-A689-8DBCD585134C}
2012-03-06 00:48:52 -------- d-----w- c:\users\dave\appdata\local\{1CC9691F-F31B-4357-9EAF-833173AC5544}
2012-03-04 15:05:42 -------- d-----w- c:\users\dave\appdata\local\kpnomfdm
2012-03-04 14:10:59 -------- d-----w- c:\users\dave\appdata\local\{9F2425EF-7E97-4EB4-9A93-A07345BDDF42}
2012-03-04 14:10:36 -------- d-----w- c:\users\dave\appdata\local\{420EFEFD-F5C9-42B4-8006-98A00A123572}
2012-03-04 01:57:41 -------- d-----w- c:\users\dave\appdata\local\{01782B1E-5595-4A35-BA7B-32D8781858AB}
2012-03-04 01:57:18 -------- d-----w- c:\users\dave\appdata\local\{E6AD3A87-27B6-471D-8BF3-2430E5BA9870}
2012-03-03 13:56:58 -------- d-----w- c:\users\dave\appdata\local\{06326131-6327-48C2-9073-FCE032B11DD2}
2012-03-03 13:56:35 -------- d-----w- c:\users\dave\appdata\local\{9C2A1188-E60E-4B3A-AB06-E4D97111F9BC}
2012-02-29 13:30:12 -------- d-----w- c:\users\dave\appdata\local\{D0F2C65E-3183-4027-8EDA-FDA7512233FA}
2012-02-29 13:29:49 -------- d-----w- c:\users\dave\appdata\local\{2B3493A4-35EF-4D67-9110-38727C3355EA}
2012-02-29 01:29:20 -------- d-----w- c:\users\dave\appdata\local\{778F45C5-6C40-4905-8626-4E8A726DDDBC}
2012-02-29 01:28:54 -------- d-----w- c:\users\dave\appdata\local\{18589A95-DD81-4D80-9426-C0FF048BE090}
2012-02-28 13:28:21 -------- d-----w- c:\users\dave\appdata\local\{721C5EA9-BE79-412A-B4F5-3A18A4E0C5DC}
2012-02-28 13:27:59 -------- d-----w- c:\users\dave\appdata\local\{CE87702B-BAF6-457F-B5CD-41E524D93011}
2012-02-27 21:57:49 -------- d-----w- c:\users\dave\appdata\local\{4F7B63AC-B6AC-40C3-9E00-A227A9DCD6F0}
2012-02-27 21:57:24 -------- d-----w- c:\users\dave\appdata\local\{11242BF4-0091-4753-9556-C539C4FD54C5}
2012-02-27 09:56:57 -------- d-----w- c:\users\dave\appdata\local\{8707AC18-1B6C-42A3-83A6-5B0E2E585C53}
2012-02-27 09:56:35 -------- d-----w- c:\users\dave\appdata\local\{E48A9D03-E395-43C2-AC0A-7CDF8DDE16C5}
2012-02-26 21:56:20 -------- d-----w- c:\users\dave\appdata\local\{EF1FC201-BAC4-42A0-9209-18AF4000B862}
2012-02-26 21:55:52 -------- d-----w- c:\users\dave\appdata\local\{15CEE049-367E-4F1A-8E59-BABB6EAC7B8D}
2012-02-24 11:46:24 -------- d-----w- c:\users\dave\appdata\local\{80CF220E-AB07-4073-A880-5AE4B72ED5A4}
2012-02-24 11:46:01 -------- d-----w- c:\users\dave\appdata\local\{C06FCC68-D610-4D3D-9C79-0CB80F916698}
.
==================== Find3M ====================
.
2012-03-24 18:44:16 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-03-24 18:44:14 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-03-24 18:12:04 567696 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-23 09:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-21 20:57:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 20:23:52.14 ===============

ComboFix 12-03-22.01 - Dave 24/03/2012 18:34:05.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.1190 [GMT 0:00]
Running from: c:\users\Dave\Desktop\ComboFix.exe
Command switches used :: c:\users\Dave\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\kernel32.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 )))))))))))))))))))))))))))))))
.
.
2012-03-24 18:42 . 2012-03-24 18:45 -------- d-----w- c:\users\Dave\AppData\Local\temp
2012-03-24 18:42 . 2012-03-24 18:42 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-03-24 18:42 . 2012-03-24 18:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-24 18:42 . 2012-03-24 18:42 -------- d-----w- c:\users\dave II\AppData\Local\temp
2012-03-24 18:13 . 2012-03-24 18:13 -------- d-----w- c:\program files\Common Files\Java
2012-03-24 18:12 . 2012-03-24 18:12 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-03-24 11:44 . 2012-03-13 19:15 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{10A46923-DC17-497C-AA85-8D57C4145266}\mpengine.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-22 10:28 . 2012-03-13 19:15 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-21 09:22 . 2012-03-21 09:22 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6A34014-E40A-4A8A-ACF8-92667FCD5DCC}\gapaengine.dll
2012-03-21 09:18 . 2012-03-21 09:18 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-20 00:39 . 2012-03-20 00:39 -------- d-----w- c:\program files\ERUNT
2012-03-19 21:20 . 2012-03-19 22:02 -------- d-----w- C:\sh4ldr
2012-03-19 21:20 . 2012-03-19 21:20 -------- d-----w- c:\program files\Enigma Software Group
2012-03-19 21:16 . 2012-03-19 22:02 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-19 20:52 . 2012-03-19 20:52 -------- d-----w- c:\programdata\CA
2012-03-14 11:23 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 11:23 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 11:23 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 11:23 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 11:23 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 11:23 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 11:22 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-14 11:22 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 11:22 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 11:14 . 2012-03-14 11:14 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-14 11:14 . 2012-03-14 11:14 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-04 15:05 . 2012-03-04 21:43 -------- d-----w- c:\users\Dave\AppData\Local\kpnomfdm
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-24 18:44 . 2011-03-26 06:54 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-03-24 18:44 . 2011-03-26 06:59 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-03-24 18:12 . 2010-06-01 14:21 567696 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-01 14:34 . 2012-03-21 01:39 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABA4EC6B-2637-4C2E-8082-A05690254E6C}\mpengine.dll
2012-02-23 09:18 . 2009-10-28 19:57 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-21 20:57 . 2011-05-17 05:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-14 11:14 . 2011-05-10 11:59 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Dave\AppData\Local\kpnomfdm ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-29 1029416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2010-10-26 1050072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTAyNzMyMDMwLVU4NSsxLVQzLUZQOTIrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3LVNQMSsxLVNVUCs0LUZMMTArMS1TUDFTMisxLUREVCsw&prod=90&ver=10.0.1209" [?]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
.
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk /r \??\D:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Toshiba TEMPRO"=c:\program files\Toshiba TEMPRO\TemproTray.exe
"Toshiba TEMPO"=c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
"Toshiba Registration"=c:\program files\Toshiba\Registration\ToshibaRegistration.exe
"topi"=c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
"Start WingMan Profiler"=c:\program files\Logitech\Gaming Software\LWEMon.exe /noui
"Desktop SMS"=c:\program files\IDM\Desktop SMS\DesktopSMS.exe /auto
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" /start
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
"ITSecMng"=%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 00:16]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 00:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\0p53vkpy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&sr=0&q=
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\windows\system32\rpcnet.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-03-24 18:53:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-24 18:52
ComboFix2.txt 2012-03-24 11:25
.
Pre-Run: 10,043,334,656 bytes free
Post-Run: 10,002,788,352 bytes free
.
- - End Of File - - 3030798B6A6C2B783A439FA5EAB93B58

Blade81
2012-03-25, 00:47
I can now zip files again (and so can attach the attch.txt file) if thats of any use?
I believe we can do without one now :)


Open notepad and copy/paste the text in the quotebox below into it:



Folder::
c:\users\Dave\AppData\Local\kpnomfdm



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log. Any symptoms left?

daviedoo
2012-03-25, 10:38
Hey Blade,

The only issue I seem to have left (and I'm sure if its a symptom of malware problems) is that I can't run a Check Disk. When I try to, I get the message:
"Windows can't check the disk while its in use -- Do you want to check the hard disk for errors the next time you start your computer?"
Even if I schedule a disk check nothing happens when I restart the system.

ComboFix.txt below

ComboFix 12-03-22.01 - Dave 25/03/2012 7:45.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.1044 [GMT 1:00]
Running from: c:\users\Dave\Desktop\ComboFix.exe
Command switches used :: c:\users\Dave\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Dave\AppData\Local\kpnomfdm
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-25 06:53 . 2012-03-25 06:54 -------- d-----w- c:\users\Dave\AppData\Local\temp
2012-03-25 06:53 . 2012-03-25 06:53 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-03-25 06:53 . 2012-03-25 06:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-25 06:53 . 2012-03-25 06:53 -------- d-----w- c:\users\dave II\AppData\Local\temp
2012-03-25 06:35 . 2012-03-25 06:35 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9A6BE68A-E8D4-4C29-968C-5B5418BFF750}\offreg.dll
2012-03-24 20:55 . 2012-03-13 19:15 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9A6BE68A-E8D4-4C29-968C-5B5418BFF750}\mpengine.dll
2012-03-24 18:13 . 2012-03-24 18:13 -------- d-----w- c:\program files\Common Files\Java
2012-03-24 18:12 . 2012-03-24 18:12 637848 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-22 10:28 . 2012-03-13 19:15 6582328 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-21 09:22 . 2012-03-21 09:22 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D6A34014-E40A-4A8A-ACF8-92667FCD5DCC}\gapaengine.dll
2012-03-21 09:18 . 2012-03-21 09:18 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-21 01:39 . 2012-03-01 14:34 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABA4EC6B-2637-4C2E-8082-A05690254E6C}\mpengine.dll
2012-03-20 00:39 . 2012-03-20 00:39 -------- d-----w- c:\program files\ERUNT
2012-03-19 21:20 . 2012-03-19 22:02 -------- d-----w- C:\sh4ldr
2012-03-19 21:20 . 2012-03-19 21:20 -------- d-----w- c:\program files\Enigma Software Group
2012-03-19 21:16 . 2012-03-19 22:02 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-19 20:52 . 2012-03-19 20:52 -------- d-----w- c:\programdata\CA
2012-03-14 11:23 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 11:23 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-14 11:23 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-14 11:23 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-14 11:23 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-14 11:23 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 11:22 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-03-14 11:22 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-14 11:22 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 11:14 . 2012-03-14 11:14 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-14 11:14 . 2012-03-14 11:14 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-25 06:31 . 2011-03-26 06:54 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-03-25 06:31 . 2011-03-26 06:59 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-03-24 18:12 . 2010-06-01 14:21 567696 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-23 09:18 . 2009-10-28 19:57 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-21 20:57 . 2011-05-17 05:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-14 11:14 . 2011-05-10 11:59 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-29 1029416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2010-10-26 1050072]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTAyNzMyMDMwLVU4NSsxLVQzLUZQOTIrNi1CQVI5RysxLVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUxJQys3LVNQMSsxLVNVUCs0LUZMMTArMS1TUDFTMisxLUREVCsw&prod=90&ver=10.0.1209" [?]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
.
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\Toshiba\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\c:\0autocheck autochk /r \??\D:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Toshiba TEMPRO"=c:\program files\Toshiba TEMPRO\TemproTray.exe
"Toshiba TEMPO"=c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
"Toshiba Registration"=c:\program files\Toshiba\Registration\ToshibaRegistration.exe
"topi"=c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
"Start WingMan Profiler"=c:\program files\Logitech\Gaming Software\LWEMon.exe /noui
"Desktop SMS"=c:\program files\IDM\Desktop SMS\DesktopSMS.exe /auto
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" /start
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
"ITSecMng"=%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 00:16]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-07 00:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\0p53vkpy.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=421&sr=0&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-25 07:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-03-25 07:56:55
ComboFix-quarantined-files.txt 2012-03-25 06:56
ComboFix2.txt 2012-03-24 18:54
ComboFix3.txt 2012-03-24 11:25
.
Pre-Run: 9,647,280,128 bytes free
Post-Run: 9,588,187,136 bytes free
.
- - End Of File - - 8AFA2577FB371890D4028676EE833AA3

Blade81
2012-03-25, 13:33
Hi,

Have you tried in safe mode? If it still doesn't work then we'll need to try from recovery environment. Do you have Vista installation dvd handy?

daviedoo
2012-03-27, 18:29
Hey Blade,

The same thing happens when I try a disk check in safe mode. I dont remember getting a vista installation dvd when I got the laptop, however its not that big a deal. Im happy that my system is virus free! I can't thank you enough for all your help :) Should I uninstall ComboFix etc?

Blade81
2012-03-27, 20:50
You're welcome :)

Let's see some final steps.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

A To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.


B. Reboot.

C Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives.



Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

daviedoo
2012-03-30, 19:17
Hey Blade,

I followed those final steps and didnt encounter any other problems, thanks for the advice and once again thanks for all your help! much appreciated :)

Blade81
2012-03-31, 11:16
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.