DAL Computer Help » Internet Security Help » Spyware, Adware, Viruses and HijackThis Logs » Computer running random numbered .exe files (3538920.exe)

Computer running random numbered .exe files (3538920.exe)

#11  20-05-2009, 12:24 AM
jontomtom (D-A-L Newbie; Join Date: May 2009; Posts: 9)
Re: Computer running random numbered .exe files (3538920.exe)

Here's the ComboFix log:

ComboFix 09-05-19.08 - celina 05/19/2009 16:13.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1765 [GMT -7:00]
Running from: c:\users\celina\Desktop\ComboFix.exe
Command switches used :: c:\users\celina\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
c:\users\celina\AppData\Local\Temp\g6pehzm3c.exe
c:\users\celina\AppData\Local\Temp\305456787.exe
c:\users\celina\lpvnv.exe
.

((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-19 04:50 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-19 04:50 . 2009-05-19 04:50 -------- d-----w c:\program files\Avira
2009-05-19 04:50 . 2009-05-19 04:50 -------- d-----w c:\programdata\Avira
2009-05-19 04:50 . 2009-05-19 04:50 -------- d-----w c:\users\All Users\Avira
2009-05-19 04:45 . 2009-05-19 04:45 -------- d-----w c:\users\celina\AppData\Roaming\PCToolsFirewallPlus
2009-05-19 04:42 . 2009-03-06 23:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-19 04:42 . 2008-12-18 19:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-19 04:42 . 2008-12-11 15:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-19 04:42 . 2008-09-22 19:29 97408 ----a-w c:\windows\system32\drivers\pctfw.sys
2009-05-19 04:42 . 2009-05-19 04:42 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-19 04:42 . 2009-01-21 17:38 95640 ----a-w c:\windows\system32\drivers\pctplfw.sys
2009-05-19 04:42 . 2009-05-19 04:45 -------- d-----w c:\program files\PC Tools Firewall Plus
2009-05-19 04:37 . 2009-05-19 04:37 -------- d-----w c:\programdata\NortonInstaller
2009-05-19 04:37 . 2009-05-19 04:37 -------- d-----w c:\users\All Users\NortonInstaller
2009-05-18 05:20 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-18 05:20 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 05:20 . 2009-05-18 05:20 -------- d-----w c:\programdata\Malwarebytes
2009-05-18 05:20 . 2009-05-18 05:20 -------- d-----w c:\users\All Users\Malwarebytes
2009-05-18 05:20 . 2009-05-18 05:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 04:08 . 2009-05-16 04:08 -------- d-----w c:\program files\CCleaner
2009-05-16 04:07 . 2009-05-16 04:07 -------- d-----w c:\program files\Trend Micro
2009-05-14 13:17 . 2009-05-14 13:17 -------- d-----w c:\users\celina\AppData\Local\Apple
2009-05-13 01:47 . 2009-04-27 12:21 28928 ----a-w c:\windows\system32\uxtuneup.dll
2009-05-13 01:47 . 2009-04-27 12:21 17152 ----a-w c:\windows\system32\authuitu.dll
2009-05-13 01:47 . 2009-05-13 01:47 361216 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-05-13 01:28 . 2009-05-13 01:28 -------- d-----w c:\programdata\Yahoo! Companion
2009-05-13 01:28 . 2009-05-13 01:28 -------- d-----w c:\users\All Users\Yahoo! Companion
2009-05-13 01:07 . 2009-05-13 01:07 -------- d-----w c:\program files\Kaspersky Lab
2009-05-13 01:07 . 2009-05-13 01:07 -------- d-----w c:\programdata\Kaspersky Lab
2009-05-13 01:07 . 2009-05-13 01:07 -------- d-----w c:\users\All Users\Kaspersky Lab
2009-05-13 00:16 . 2009-05-13 00:27 -------- d-----w c:\users\celina\AppData\Local\Apple Computer
2009-05-12 23:37 . 2009-05-19 04:45 -------- d---a-w c:\programdata\TEMP
2009-05-12 23:37 . 2009-05-19 04:45 -------- d---a-w c:\users\All Users\TEMP
2009-05-12 23:30 . 2009-05-12 23:30 -------- d-----w C:\VundoFix Backups
2009-05-12 23:25 . 2009-05-12 23:25 -------- d-----w C:\!KillBox
2009-05-11 14:45 . 2009-05-11 14:46 -------- d-----w c:\program files\mp3Tag Pro 6
2009-05-11 14:18 . 2009-05-13 01:19 -------- d-----w c:\users\All Users\Google
2009-05-11 01:49 . 2009-05-13 01:43 -------- d-----w c:\users\celina\AppData\Roaming\TuneUpMedia
2009-05-11 00:31 . 2009-05-11 00:31 -------- d-----w c:\programdata\MailFrontier
2009-05-11 00:31 . 2009-05-11 00:31 -------- d-----w c:\users\All Users\MailFrontier
2009-05-11 00:31 . 2008-02-23 02:41 22528 ----a-w c:\windows\system32\netiougc.exe
2009-05-11 00:31 . 2008-02-23 04:38 170496 ----a-w c:\windows\system32\tcpipcfg.dll
2009-05-11 00:29 . 2009-05-11 00:29 -------- d-----w c:\programdata\CheckPoint
2009-05-11 00:29 . 2009-05-11 00:29 -------- d-----w c:\users\All Users\CheckPoint
2009-05-11 00:29 . 2009-05-11 01:21 -------- d-----w c:\windows\Internet Logs
2009-05-10 23:38 . 2009-05-10 23:38 -------- d-----w c:\programdata\Azureus
2009-05-10 23:38 . 2009-05-10 23:38 -------- d-----w c:\users\All Users\Azureus
2009-05-10 23:38 . 2009-05-10 23:38 -------- d-----w c:\program files\Conduit
2009-05-10 23:38 . 2009-05-10 23:41 -------- d-----w c:\users\celina\AppData\Roaming\Azureus
2009-05-10 23:37 . 2009-05-10 23:42 -------- d-----w c:\program files\Vuze
2009-05-10 08:43 . 2009-05-13 01:01 -------- d-----w c:\programdata\Kaspersky Lab Setup Files
2009-05-10 08:43 . 2009-05-13 01:01 -------- d-----w c:\users\All Users\Kaspersky Lab Setup Files
2009-05-06 03:36 . 2009-05-06 03:36 -------- d-----w c:\programdata\ESET
2009-05-06 03:36 . 2009-05-06 03:36 -------- d-----w c:\users\All Users\ESET
2009-05-06 03:00 . 2009-05-13 01:47 604416 ----a-w c:\windows\system32\TUProgSt.exe
2009-05-06 03:00 . 2009-05-13 01:47 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-05-03 07:14 . 2009-05-03 07:15 34 ----a-w c:\users\celina\jagex_runescape_preferences.dat
2009-05-03 07:14 . 2009-05-03 07:14 -------- d-----w C:\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 15:00 . 2008-02-19 02:27 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-19 14:52 . 2009-02-27 01:57 -------- d-----w c:\program files\Common Files\ArcSoft
2009-05-19 10:00 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-05-15 14:15 . 2008-10-12 05:57 -------- d-----w c:\program files\MySpace
2009-05-13 01:29 . 2008-02-19 03:30 -------- d-----w c:\program files\Google
2009-05-13 01:28 . 2008-07-03 20:28 -------- d-----w c:\program files\Yahoo!
2009-05-04 14:21 . 2009-03-21 21:18 -------- d-----w c:\program files\WinSCP
2009-05-04 14:21 . 2009-03-21 02:52 -------- d-----w c:\program files\LibUSB-Win32
2009-05-04 14:21 . 2009-03-15 10:36 -------- d-----w c:\program files\QuickFreedom
2009-05-03 22:52 . 2009-04-11 18:03 -------- d-----w c:\program files\iTunes
2009-04-30 05:04 . 2008-09-07 05:05 -------- d-----w c:\program files\uTorrent
2009-04-11 18:03 . 2009-04-11 18:03 -------- d-----w c:\program files\iPod
2009-04-11 18:03 . 2008-09-22 04:30 -------- d-----w c:\program files\Common Files\Apple
2009-04-11 17:54 . 2009-04-11 17:54 680 ----a-w c:\users\celina\AppData\Local\d3d9caps.dat
2009-04-10 01:26 . 2008-09-22 04:33 -------- d-----w c:\program files\Common Files\Adobe
2009-04-06 14:42 . 2008-02-19 03:05 -------- d-----w c:\program files\Java
2009-03-19 23:32 . 2009-04-11 18:03 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 03:38 . 2009-04-17 03:03 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 03:03 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-09 12:19 . 2009-02-15 22:07 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2009-05-13 01:27 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-05-13 01:27 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-05-13 01:27 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-05-13 01:27 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-05-13 01:27 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-05-13 01:27 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-05-13 01:27 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-05-13 01:27 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-05-13 01:27 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-05-13 01:27 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-05-13 01:27 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-05-13 01:27 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-05-13 01:27 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-05-13 01:27 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-05-13 01:27 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-05-13 01:27 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-05-13 01:27 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-05-13 01:27 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 06:59 . 2009-03-06 06:59 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-06 06:59 . 2009-03-06 06:59 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-03 04:46 . 2009-04-17 03:03 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 03:03 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-17 03:03 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 03:03 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 03:03 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 03:03 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 03:03 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 03:03 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 03:03 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 03:03 17408 ----a-w c:\windows\system32\iashost.exe
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2008-07-02 04:12 . 2008-07-02 04:12 13 --sh--r c:\windows\System32\drivers\fbd.sys
2008-07-02 04:12 . 2008-07-02 04:12 3 --sh--r c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-18_22.58.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-19 04:47 . 2009-05-19 04:47 54272 c:\windows\winsxs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39\vcomp90.dll
+ 2009-05-19 04:47 . 2009-05-19 04:47 62976 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90RUS.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 46080 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90KOR.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 46592 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90JPN.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 64512 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90ITA.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 66048 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90FRA.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 65024 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90ESP.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 65024 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90ESN.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 56832 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90ENU.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 66560 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90DEU.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 39936 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90CHT.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 38912 c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1\MFC90CHS.DLL
+ 2009-05-19 04:47 . 2009-05-19 04:47 59904 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf\mfcm90u.dll
+ 2009-05-19 04:47 . 2009-05-19 04:47 59904 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf\mfcm90.dll
+ 2008-01-21 01:58 . 2009-05-19 04:46 53204 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-19 04:46 76518 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-05-19 04:42 . 2008-09-22 19:29 97408 c:\windows\System32\DriverStore\FileRepository\pctdriver.inf_701a2ceb\pctfw.sys
+ 2009-05-19 04:50 . 2009-02-13 19:50 28376 c:\windows\System32\drivers\ssmdrv.sys
+ 2009-05-19 04:50 . 2009-03-30 17:33 96104 c:\windows\System32\drivers\avipbb.sys
+ 2009-05-19 05:01 . 2009-05-19 05:01 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
+ 2008-03-28 06:44 . 2009-05-19 05:01 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-28 06:44 . 2009-05-18 15:06 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-05-19 05:01 . 2009-05-19 05:01 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
- 2008-03-28 06:44 . 2009-05-18 15:06 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-28 06:44 . 2009-05-19 05:01 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-19 05:01 . 2009-05-19 05:01 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
+ 2008-03-28 06:44 . 2009-05-19 05:01 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-28 06:44 . 2009-05-18 15:06 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-31 11:27 . 2009-01-31 11:27 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
+ 2009-05-19 10:03 . 2009-05-19 10:03 49936 c:\windows\Installer\{95120000-00AF-0409-0000-0000000FF1CE}\ppvwicon.exe
+ 2005-01-02 06:55 . 2009-05-19 10:02 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2005-01-02 06:55 . 2009-04-30 10:01 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2005-01-02 06:55 . 2009-05-19 10:02 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2005-01-02 06:55 . 2009-04-30 10:01 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
+ 2005-01-02 06:55 . 2009-05-19 10:02 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2005-01-02 06:55 . 2009-04-30 10:01 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-05-19 10:03 . 2009-05-19 10:03 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2009-04-17 10:01 . 2009-04-17 10:01 35600 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2006-10-27 05:07 . 2006-10-27 05:07 17680 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.4518\PXBPROXY.DLL
- 2006-11-02 10:25 . 2009-05-11 00:59 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-05-19 04:42 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-05-11 00:59 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2009-05-19 04:42 51200 c:\windows\inf\infpub.dat
+ 2008-07-02 04:13 . 2009-05-19 04:46 9678 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3883227351-921757509-4105750440-1000_UserData.bin
- 2009-05-18 22:54 . 2009-05-18 22:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-19 04:44 . 2009-05-19 04:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-05-19 04:44 . 2009-05-19 04:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-05-18 22:54 . 2009-05-18 22:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-19 04:47 . 2009-05-19 04:47 655872 c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada\msvcr90.dll
+ 2009-05-19 04:47 . 2009-05-19 04:47 572928 c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada\msvcp90.dll
+ 2009-05-19 04:47 . 2009-05-19 04:47 225280 c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada\msvcm90.dll
+ 2009-05-19 04:47 . 2009-05-19 04:47 161784 c:\windows\winsxs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e\ATL90.dll
+ 2009-05-19 00:13 . 2009-04-25 12:39 102400 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22867_none_842869855fff5a59\iecompat.dll
+ 2009-05-19 00:13 . 2009-04-25 03:31 102400 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18777_none_8393fcce46e9d680\iecompat.dll
+ 2008-07-02 04:19 . 2009-05-19 03:26 294496 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2005-01-02 06:55 . 2009-04-30 10:01 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2005-01-02 06:55 . 2009-05-19 10:02 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2005-01-02 06:55 . 2009-04-30 10:01 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2005-01-02 06:55 . 2009-05-19 10:02 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2005-01-02 06:55 . 2009-04-30 10:01 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2005-01-02 06:55 . 2009-05-19 10:02 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2005-01-02 06:55 . 2009-04-30 10:01 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2005-01-02 06:55 . 2009-05-19 10:02 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2006-11-02 10:25 . 2009-05-19 04:42 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 10:25 . 2009-05-11 00:59 143360 c:\windows\inf\infstrng.dat
+ 2009-05-19 10:02 . 2009-05-19 10:02 350064 c:\windows\assembly\GAC\Microsoft.Office.Interop.PowerPoint\12.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.PowerPoint.dll
+ 2009-05-19 04:47 . 2009-05-19 04:47 3783672 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf\mfc90u.dll
+ 2009-05-19 04:47 . 2009-05-19 04:47 3768312 c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf\mfc90.dll
+ 2009-05-19 00:13 . 2009-04-14 07:03 2409776 c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22409_none_f31abf3b848fce75\OESpamFilter.dat
+ 2009-05-19 00:13 . 2009-04-14 07:04 2409776 c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18239_none_f270b0c66b8a8557\OESpamFilter.dat
+ 2009-05-19 00:13 . 2009-04-14 07:18 2409776 c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.21038_none_f112e6c38782ae1b\OESpamFilter.dat
+ 2009-05-19 00:13 . 2009-04-14 07:06 2409776 c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16843_none_f079a0786e71784d\OESpamFilter.dat
- 2006-11-02 10:22 . 2009-05-13 01:54 5668864 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2009-05-19 04:47 5668864 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2008-03-28 07:12 . 2009-05-18 22:53 1098872 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2008-03-28 07:12 . 2009-05-19 04:43 1098872 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2005-01-02 06:55 . 2009-05-19 10:02 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
- 2005-01-02 06:55 . 2009-04-30 10:01 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-01-30 04:41 . 2009-04-30 10:01 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-01-30 04:41 . 2009-05-19 10:02 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-05-19 23:12 . 2009-05-19 23:12 5668864 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2008-02-19 02:01 . 2009-05-19 04:47 75061665 c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2006-11-02 10:24 . 2009-05-07 07:16 24699336 c:\windows\System32\mrt.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-07 177472]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-30 4911104]

c:\users\celina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Diagnostic Manager"=c:\users\celina\AppData\Local\Temp\305456787.exe
"uidenhiufgsduiazghs"=c:\users\celina\AppData\Local\Temp\g6pehzm3c.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe"
"WPCUMI"=c:\windows\system32\WpcUmi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{087F007B-2697-4B8C-BC19-A43CEFF8B1B2}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{09FDA0D4-422C-4F29-B063-92BB3C49EE9F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{810F9CB2-037E-4A63-9376-341F6C4BC618}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4C27B4F8-D644-4B4C-B258-F4566BA7DB72}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{36631A96-7F6B-4B33-A580-47F7D7264968}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{5ED56C52-2354-4D6A-B3AF-415E142F91CE}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{27BDF258-7176-4EEC-8C7B-E832575FB851}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{53212EAA-8A17-4E17-ADA7-A4430A7A14D8}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{BB4F6892-2816-4F22-B2B9-0EC1A8C14AEE}d:\\bin\\ia\\core\\mdm_util.exe"= UDP:d:\bin\ia\core\mdm_util.exe:MDM_Util
"UDP Query User{84DCA084-0DD2-4E04-9EDC-9C4221691627}d:\\bin\\ia\\core\\mdm_util.exe"= TCP:d:\bin\ia\core\mdm_util.exe:MDM_Util
"TCP Query User{0D128B96-D464-4150-A799-D589C8C70EF1}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{32A39DD7-4183-4732-9C70-41DC9FF7A480}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{7DFE7B82-1EE4-46B1-A76C-B5762BFE1B3A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{5F6397E8-3059-41CC-933F-33BCEDFF3814}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{2B07C54C-7540-4D64-99C6-15AE22356C97}"= c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{035DF60C-3D05-4AB5-AA63-6B074BFB4888}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{82C504C6-AD37-4FE8-A201-276356F436CF}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D0FBFD96-3995-4EF4-834A-D8E2AC786064}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"TCP Query User{1EE2577D-3E56-4E5D-8D42-7083961704B9}c:\\windows\\system32\\electricsheep.scr"= UDP:c:\windows\system32\electricsheep.scr:Electric Sheep
"UDP Query User{4F59BBA3-AC0F-4D28-BBBE-894536C574D8}c:\\windows\\system32\\electricsheep.scr"= TCP:c:\windows\system32\electricsheep.scr:Electric Sheep
"{F2780BB7-DD0B-4373-B3EA-074824BD286A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{79B6208C-C132-4958-A4BD-FA46C5021445}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{8AE42706-CA9B-4B86-9AF5-ED7DAA0EC740}c:\\program files\\quicktime\\quicktimeplayer.exe"= UDP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player
"UDP Query User{97605D24-A4DF-44CA-A1C3-F77F41522662}c:\\program files\\quicktime\\quicktimeplayer.exe"= TCP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player
"{BEFD5EAE-04E1-485A-B11F-C7F816DB6737}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{891409F8-1B39-4402-99AA-252E62552301}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{C3278A9E-094B-478C-975E-17231A85B378}c:\\users\\celina\\desktop\\utorrent.exe"= UDP:c:\users\celina\desktop\utorrent.exe:utorrent.exe
"UDP Query User{25AC92F1-5A22-4C3D-8397-1B27AE696F8A}c:\\users\\celina\\desktop\\utorrent.exe"= TCP:c:\users\celina\desktop\utorrent.exe:utorrent.exe
"TCP Query User{1F650CBA-D595-4452-89AF-F2151E3CAB9E}c:\\users\\celina\\desktop\\utorrent.exe"= UDP:c:\users\celina\desktop\utorrent.exe:utorrent.exe
"UDP Query User{52C9CBBA-2280-4DC8-8D75-9642935C742D}c:\\users\\celina\\desktop\\utorrent.exe"= TCP:c:\users\celina\desktop\utorrent.exe:utorrent.exe
"{039ED056-B357-44BD-9364-CEE95602F9F8}"= UDP:c:\users\celina\AppData\Local\Temp\7zS72CE.tmp\SymNRT.exe:Norton Removal Tool
"{3A769D83-2311-40AD-8999-96FB52ED063A}"= TCP:c:\users\celina\AppData\Local\Temp\7zS72CE.tmp\SymNRT.exe:Norton Removal Tool

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [5/18/2009 9:42 PM 159600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/18/2009 9:50 PM 108289]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [12/25/2007 2:07 PM 40960]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\System32\drivers\PCTAppEvent.sys [5/18/2009 9:42 PM 73840]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 5:03 PM 126976]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [5/5/2009 8:00 PM 604416]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\System32\drivers\libusb0.sys [3/20/2009 7:52 PM 28672]
R3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [5/18/2009 9:42 PM 95640]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
*NewlyCreated* - PCTAPPEVENT
*NewlyCreated* - PCTGNTDI
*NewlyCreated* - PCTPLFW
*NewlyCreated* - SSMDRV

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*Yahoo! SearchBar Home Page
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*Yahoo!
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\users\celina\AppData\Roaming\Mozilla\Firefox\Profiles\jfo260ew.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=IMC-FF&qry=

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-19 16:16
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5408)
c:\program files\WinSCP\DragExt.dll
.
Completion time: 2009-05-19 16:19
ComboFix-quarantined-files.txt 2009-05-19 23:19
ComboFix2.txt 2009-05-19 04:28
ComboFix3.txt 2009-05-18 23:00

Pre-Run: 78,457,614,336 bytes free
Post-Run: 78,099,353,600 bytes free

396 --- E O F --- 2009-05-19 10:03





And the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:24 PM, on 5/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11155 bytes
#12, 20-05-2009, 12:49 AM
broni (Senior Member; Join Date: Nov 2004; Posts: 2,272)
Re: Computer running random numbered .exe files (3538920.exe)

Everything looks much better....

Uninstall Combofix:

Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.

See if SUPERAntiSpyware and Malwarebytes will run now. Make sure to update them before running.
Post their logs along with fresh HJT log.
#13, 21-05-2009, 03:26 AM
jontomtom (D-A-L Newbie; Join Date: May 2009; Posts: 9)
Re: Computer running random numbered .exe files (3538920.exe)

MalwareBytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 6.0.6001 Service Pack 1

5/20/2009 5:51:59 PM
mbam-log-2009-05-20 (17-51-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 227352
Time elapsed: 2 hour(s), 36 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{331cf7ad-4ff8-47f8-bbfb-04eed85c4652} (Adware.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{51c0946f-938e-4909-a128-8a2f688df31a} (Adware.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f32d7d45-1750-48da-9cac-c6216972bb33} (Adware.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\ConTest.dll (Adware.Ascentive) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\SysRestore.dll (Adware.Ascentive) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ConTest.dll (Adware.Ascentive) -> No action taken.
C:\Windows\System32\SysRestore.dll (Adware.Ascentive) -> No action taken.




SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 05/20/2009 at 06:33 PM

Application Version : 4.26.1002

Core Rules Database Version : 3902
Trace Rules Database Version: 1848

Scan type : Complete Scan
Total Scan Time : 00:35:44

Memory items scanned : 720
Memory threats detected : 0
Registry items scanned : 7545
Registry threats detected : 0
File items scanned : 22036
File threats detected : 6

Adware.Tracking Cookie
C:\Users\celina\AppData\Roaming\Microsoft\Windows\Cookies\celina@atdmt[2].txt
C:\Users\celina\AppData\Roaming\Microsoft\Windows\Cookies\Low\celina@doubleclick[1].txt
C:\Users\celina\AppData\Roaming\Microsoft\Windows\Cookies\Low\celina@ads.pointroll[1].txt
C:\Users\celina\AppData\Roaming\Microsoft\Windows\Cookies\Low\celina@atdmt[2].txt
C:\Users\celina\AppData\Roaming\Microsoft\Windows\Cookies\Low\celina@questionmarket[1].txt
C:\Users\celina\AppData\Roaming\Microsoft\Windows\Cookies\Low\celina@msnportal.112.2o7[1].txt





Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:45 PM, on 5/20/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\Explorer.EXE
C:\Users\celina\Desktop\uTorrent.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UniblueSpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\Launcher.exe -minimize
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11495 bytes




I also did everything the programs told me to do (if that's important to know)
And everything seems to be back to normal :]
Thank you so much!
#14, 21-05-2009, 03:40 AM
broni (Senior Member; Join Date: Nov 2004; Posts: 2,272)
Re: Computer running random numbered .exe files (3538920.exe)

We're not done yet, but we're close.

Your Malwarebytes log says No action taken after each line, so you either didn't click on Remove Selected button, or you posted the log from BEFORE fixes. Post correct log, or re-run Bytes.
If you have to re-run Bytes, post fresh HJT log.
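A check for the point broni makes in the post above: a Malwarebytes log in which every entry ends in "No action taken" records detections that were never removed, and only a log whose entries read "Quarantined and deleted successfully" shows the fix was applied. The script below is an added example for this thread, not code from the poster or from Malwarebytes. It parses the itemised "-> action" lines of a 1.x-style log, cross-checks them against the summary counts, and returns a verdict. The sample log text is constructed in the layout of the logs posted in this thread; its GUIDs, threat name and DLL path are placeholders.

```python
"""Classify the detections in a Malwarebytes' Anti-Malware 1.x scan log.

Hypothetical helper written for this thread (not Malwarebytes code): it reads
the itemised "-> <action>." lines, compares them with the summary counts, and
says whether the detections were actually remediated.
"""
import re
from collections import Counter

# Constructed sample in the layout of the MBAM 1.36 logs posted in the thread.
# GUIDs, threat name and file path are placeholders, not real indicators.
SAMPLE_LOG_BEFORE = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 6.0.6001 Service Pack 1

Scan type: Full Scan (C:\|)
Objects scanned: 1000

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{00000000-0000-0000-0000-000000000001} (Adware.Placeholder) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002} (Adware.Placeholder) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\placeholder.dll (Adware.Placeholder) -> No action taken.
"""

# The same scan saved after "Remove Selected": only the action text changes.
SAMPLE_LOG_AFTER = SAMPLE_LOG_BEFORE.replace(
    "No action taken", "Quarantined and deleted successfully")

# "<item> (<threat>) -> <action>."  The item may itself contain spaces and
# parentheses, so the threat is taken as the last parenthesised group.
DETECTION_RE = re.compile(
    r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>[^.]+)\.?\s*$")
# "Registry Keys Infected: 7" style summary lines; the section headers of the
# same name carry no count and therefore do not match.
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)\s*$")


def parse_mbam_log(text):
    """Return (summary counts by category, list of itemised detections)."""
    summary, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("category")] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
    return summary, detections


def assess_mbam_log(text):
    """Summarise what the log says happened to each detection."""
    summary, detections = parse_mbam_log(text)
    actions = Counter(d["action"] for d in detections)
    pending = [d["item"] for d in detections if d["action"] == "No action taken"]
    summary_total = sum(summary.values())
    if not detections:
        verdict = "clean"
    elif pending:
        verdict = "not remediated"   # log was saved before Remove Selected
    else:
        verdict = "remediated"
    return {
        "total_detections": len(detections),
        "summary_total": summary_total,
        # A mismatch usually means only part of the log was pasted.
        "summary_matches": summary_total == len(detections),
        "actions": dict(actions),
        "pending": pending,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("before", SAMPLE_LOG_BEFORE), ("after", SAMPLE_LOG_AFTER)):
        print(name, assess_mbam_log(log))
```

Run on a pasted log, "not remediated" together with a non-empty `pending` list is exactly the situation broni describes; `summary_matches` being false is the other common reason a posted log cannot be trusted, namely that the summary block and the itemised block come from different pastes.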
#15, 21-05-2009, 04:20 AM
jontomtom (D-A-L Newbie; Join Date: May 2009; Posts: 9)
Re: Computer running random numbered .exe files (3538920.exe)

Yea, I posted the Before log, so here's the new one:

Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 6.0.6001 Service Pack 1

5/20/2009 5:52:38 PM
mbam-log-2009-05-20 (17-52-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 227352
Time elapsed: 2 hour(s), 36 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{331cf7ad-4ff8-47f8-bbfb-04eed85c4652} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{51c0946f-938e-4909-a128-8a2f688df31a} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f32d7d45-1750-48da-9cac-c6216972bb33} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\ConTest.dll (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\ConTest.dll (Adware.Ascentive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.
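Broni's point in post #14, that a log reading "No action taken" after every item is a pre-fix log, is easy to check mechanically rather than by eye. The script below is an added example, not code from this thread or from Malwarebytes: it parses the item lines of an MBAM 1.x text log in the layout posted above (item, threat family, action), lists anything that was detected but not quarantined or deleted, and cross-checks the summary counts at the top against the number of items actually listed in each section, which catches a truncated or partially pasted log. The embedded sample log is constructed, with placeholder GUIDs and an invented family name.

```python
"""Sanity-check a Malwarebytes' Anti-Malware (MBAM 1.x) text log.

Added example, not code from the thread or from Malwarebytes. It assumes the
log layout seen in the thread: summary lines "<Section> Infected: N", then one
"<Section> Infected:" block per section whose items look like
    <registry key or path> (<Threat.Family>) -> <action>.
"""
import re
from dataclasses import dataclass

# Constructed sample (placeholder GUIDs, invented family name): one item in
# the registry-keys section was left with "No action taken", as in the
# poster's first log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 6.0.6001 Service Pack 1

Scan type: Full Scan (C:\|)
Objects scanned: 1000

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Adware.Example) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{00000000-0000-0000-0000-000000000002} (Adware.Example) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\example.dll (Adware.Example) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str

    @property
    def remediated(self) -> bool:
        # MBAM writes "No action taken" when Remove Selected was never clicked.
        return not self.action.lower().startswith("no action taken")


def parse_mbam_log(text):
    """Return (summary counts by section, list of Detection) for one log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue  # preamble before the first section, or an empty section
        m = ITEM_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return counts, detections


def unremediated(detections):
    """Items the scanner found but did not quarantine or delete."""
    return [d for d in detections if not d.remediated]


def count_mismatches(counts, detections):
    """Sections whose summary count differs from the items actually listed,
    a sign of a truncated or hand-edited log: {section: (claimed, listed)}."""
    listed = {}
    for d in detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in counts.items() if n != listed.get(s, 0)}


def review(text):
    """One-shot verdict: 'clean' only if every listed item was remediated and
    the summary counts agree with the item lists."""
    counts, detections = parse_mbam_log(text)
    pending = unremediated(detections)
    mismatches = count_mismatches(counts, detections)
    return {
        "detections": len(detections),
        "families": sorted({d.family for d in detections}),
        "pending": [d.item for d in pending],
        "mismatches": mismatches,
        "clean": not pending and not mismatches,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a pasted log and look at `pending` first: a non-empty list means the poster needs to re-run the scan and click Remove Selected, exactly the situation in post #14. A `clean` verdict here only means the log is internally consistent and every item was actioned; it says nothing about whether the scanner's detections were complete.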
#16 (permalink)
Old 21-05-2009, 04:28 AM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
Re: Computer running random numbered .exe files (3538920.exe)

Excellent!

Your computer is clean.

1. Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Unselect Cookies.
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Unselect Cookies.
Click the Empty Selected button.


If you use Opera browser
Click Opera at the top and choose: Select All
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Unselect Cookies.
Click the Empty Selected button.


Click Exit on the Main menu to close the program.

2. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. Make sure Windows Updates are current.

6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

7. Download and install WOT (Web of Trust). It'll warn you (in most cases) about dangerous web sites.

8. Read "How did I get infected?, with steps so it does not happen again!"

9. Let me know how your computer is doing.
__________________
My Home Page
#17 (permalink)
Old 21-05-2009, 05:35 AM
jontomtom
D-A-L Newbie
Join Date: May 2009
Posts: 9
Re: Computer running random numbered .exe files (3538920.exe)

Everything is working just fine :]
But after I did that last step, the display settings (Windows) were changed on the comp, so the tops of windows aren't clear anymore and I'm not sure how to switch it back lol
And my internet isn't being displayed right - the page style is different (this site looks like this http://i184.photobucket.com/albums/x...Untitled-5.jpg)
How do I change it back?
#18 (permalink)
Old 21-05-2009, 05:50 AM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
Re: Computer running random numbered .exe files (3538920.exe)

Did you restart the computer?
__________________
My Home Page