Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

couldn't run MB, suspect rootkits

Started by cammac725, Aug 10 2009 01:51 AM

This topic is locked
Go to first unread post

11 replies to this topic

#1
cammac725

Posted 10 August 2009 - 01:51 AM

New Member

Members
14 posts

Hi

I'm running Vista 32-bit Home Premium on a Toshiba laptop. I couldn't run MalwareBytes, HijackThis, or other programs for a while. I had connectivity issues as well.

I finally was able to run UnHackMe from partizan and it cleaned up some things. I can now run MWB and after quick and full-scans, it found and removed many items.

I am still getting problems that I believe are rootkit related.

What can I provide for you that would help to diagnose this problem.

Thanks for your help.

Cam

#2
SpySentinel

Posted 10 August 2009 - 01:55 AM

Forum Deity

Experts
1,848 posts

Gender:Male
Location:The United States
Interests:Fighting/Analyzing Malware & Social Media

Hi Cam, Welcome to Malwarebytes

Download RootRepeal from the following location and save it to your desktop.
- Zip Mirrors (Recommended)
  - Primary Mirror
  - Secondary Mirror
  - Secondary Mirror
- Rar Mirrors - Only if you know what a RAR is and can extract it.
Extract RootRepeal.exe from the archive.
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Matt Russo
Social Media Specialist

#3
cammac725

Posted 10 August 2009 - 02:48 AM

New Member

Members
14 posts

Thanks for the reply!

Here is my RootRepealreport.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/09 19:31
Program Version: Version 1.3.3.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: 耀
Image Path: 耀
Address: 0x97CCE000 Size: 172032 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: bowser
Image Path: \FileSystem\bowser
Address: 0x97DDB000 Size: 102400 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: cdfs
Image Path: \FileSystem\cdfs
Address: 0x999DA000 Size: 90112 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8F468000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8F45D000 Size: 45056 File Visible: No Signed: -
Status: -

Name: mrxsmb
Image Path: \FileSystem\mrxsmb
Address: 0x99803000 Size: 126976 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: mrxsmb10
Image Path: \FileSystem\mrxsmb10
Address: 0x99822000 Size: 233472 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: mrxsmb20
Image Path: \FileSystem\mrxsmb20
Address: 0x9985B000 Size: 98304 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9858A000 Size: 49152 File Visible: No Signed: -
Status: -

Name: secdrv
Image Path: \Driver\secdrv
Address: 0x999C4000 Size: 40960 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: srv2
Image Path: \FileSystem\srv2
Address: 0x99873000 Size: 159744 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: �
Image Path: �
Address: 0x97CF8000 Size: 40960 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: 　㨀㈀㌀㨀㘀㤀㨀䄀䄀㨀　㔀㨀㤀㤀㠀　㈀⸀㄀㄀最圀倀䄀㈀ⴀ倀攀爀猀漀渀愀氀䄀䔀匀
Image Path: 　㨀㈀㌀㨀㘀㤀㨀䄀䄀㨀　㔀㨀㤀㤀㠀　㈀⸀㄀㄀最圀倀䄀㈀ⴀ倀攀爀猀漀渀愀氀䄀䔀匀
Address: 0x999CE000 Size: 49152 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: ㄀㄀最伀瀀攀渀一漀渀攀
Image Path: ㄀㄀最伀瀀攀渀一漀渀攀
Address: 0x97D4A000 Size: 33152 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: ㌀㨀㘀㤀㨀䄀䄀㨀　㔀㨀㤀㤀吀栀攀漀瀀攀爀愀琀椀漀渀猀甀挀挀攀攀搀猀⸀
Image Path: ㌀㨀㘀㤀㨀䄀䄀㨀　㔀㨀㤀㤀吀栀攀漀瀀攀爀愀琀椀漀渀猀甀挀挀攀攀搀猀⸀
Address: 0x998E6000 Size: 909312 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: 㭀h᥁ǊӼ
Image Path: 㭀h᥁ǊӼ
Address: 0x97CBE000 Size: 65536 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: 䄀㨀㜀㤀㨀㐀㘀Ȁ
Image Path: 䄀㨀㜀㤀㨀㐀㘀Ȁ
Address: 0x97DBE000 Size: 118784 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: 挀漀渀渀攀挀琀椀漀渀眀椀琀栀愀瀀爀漀昀椀氀攀猀琀攀瘀攀猀琀攀瘀攀䤀渀
Image Path: 挀漀渀渀攀挀琀椀漀渀眀椀琀栀愀瀀爀漀昀椀氀攀猀琀攀瘀攀猀琀攀瘀攀䤀渀
Address: 0x97D53000 Size: 438272 File Visible: No Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2fcfac44-4a88-11de-927c-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{35197732-3f2e-11de-8644-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{35197785-3f2e-11de-8644-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{e7d06c17-8549-11de-9b6e-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{eaef17f8-4045-11de-aff3-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fb9bdb29-49c7-11de-aaf2-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{654a0de8-8549-11de-a232-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7b066858-853a-11de-8a3a-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c9a6cb95-4114-11de-9cc3-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c9a6cba0-4114-11de-9cc3-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c9a6cba9-4114-11de-9cc3-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c9a6cbb4-4114-11de-9cc3-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c9a6cbc0-4114-11de-9cc3-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d5e0-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{384ceed2-8546-11de-bce1-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d57b-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d582-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d5a3-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d5aa-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d5c5-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d5cc-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d5d8-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d5ed-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d5f5-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d5fe-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d60f-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d617-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d61d-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3987d627-31da-11de-9418-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{51e2d958-8534-11de-a266-001e33577ffe}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c
.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed
.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_588
43c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003
bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d21850
4d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8d
d7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3c
e6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_ab
ac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c
2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c
0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11d
f268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a
620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cd
a6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053
e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc
0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8
.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.
cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d
131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\a2f948df89c5a4090fb47a74b09ed39300f3a2d09a1cd13212bee8c7ee928959.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\f8209ee440679adcdab198fe5262dd5ff95c1d654f488816d0f33c8a45d5e8d8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\3582cf91bea0e0e7b5f4b8a168a2e4bf248a01f764aa3c5d7c4f352ebc681e9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\9f4b272407008a230979f286064e895aa72cac13cd57d536a67ea34c9dd91a2c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\f3c343567eb07e928a24a5c8b8bf732a5523d0acd4762015ba309f48255a5baf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\5effcbd6bfe308cd94c31922a126a132ef26282a495f9fc0963000a8e158d866.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\70f19edeeb8e3329aad18f744094ea0319d2ecc78dd6a12559a1e765c42418f7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.1638
6_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Locked to the Windows API!

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1316 Status: Locked to the Windows API!

==EOF==

#4
SpySentinel

Posted 10 August 2009 - 08:08 PM

Forum Deity

Experts
1,848 posts

Gender:Male
Location:The United States
Interests:Fighting/Analyzing Malware & Social Media

You're welcome.

Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Matt Russo
Social Media Specialist

#5
cammac725

Posted 11 August 2009 - 12:00 AM

New Member

Members
14 posts

Here is the Combo-Fix log.

I had to transfer the log.txt to another computer because I couldn't start IE after running Combo-Fix. I get an error:

"Illegal operation attempted on a registry key that has been marked for deletion."

I get the same error when trying to run "notepad.exe".

Anyway, here is the log output:

ComboFix 09-08-10.01 - Ryan R & Hannah R 08/10/2009 16:34.1.2 - NTFSx86
Microsoft� Windows Vista� Home Premium 6.0.6001.1.1252.1.1033.18.2941.1882 [GMT -7:00]
Running from: c:\users\Ryan R & Hannah R\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 23:46 . 2009-08-10 23:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-10 23:46 . 2009-08-10 23:46 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-08-10 23:26 . 2009-08-10 23:26 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb147B.tmp.exe
2009-08-10 08:00 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-08-10 08:00 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-10 08:00 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-08-10 08:00 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-08-10 08:00 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-08-10 08:00 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-08-10 08:00 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-08-10 07:50 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-08-10 07:50 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-08-10 07:50 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-08-10 07:50 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-08-10 07:50 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-08-10 06:53 . 2009-08-10 06:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-10 06:03 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-10 06:03 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-10 06:03 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-10 06:03 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-10 06:03 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-10 06:02 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-10 06:02 . 2009-02-05 20:06 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-10 06:02 . 2009-08-10 06:02 -------- d-----w- c:\program files\Alwil Software
2009-08-10 03:25 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-10 03:25 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-10 02:54 . 2009-04-21 11:55 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-08-10 02:54 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-08-10 02:54 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-08-10 02:54 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-08-10 02:54 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-08-10 02:54 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-08-10 02:54 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-08-09 22:27 . 2009-08-09 22:27 2 --shatr- c:\windows\winstart.bat
2009-08-09 22:27 . 2009-08-10 07:30 -------- d-----w- c:\program files\UnHackMe
2009-08-09 22:16 . 2009-08-09 22:16 -------- d-----w- c:\users\Administrator\AppData\Local\Toshiba
2009-08-09 22:07 . 2009-08-09 22:07 -------- d-----w- c:\program files\Trend Micro
2009-08-09 22:04 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 22:04 . 2009-08-09 22:04 -------- d-----w- c:\programdata\Malwarebytes
2009-08-09 22:04 . 2009-08-09 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 22:04 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 21:46 . 2009-03-19 23:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-09 21:46 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-08-09 21:46 . 2009-08-09 21:46 -------- d-----w- c:\program files\iPod
2009-08-09 21:46 . 2009-08-09 21:46 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-09 21:46 . 2009-08-09 21:46 -------- d-----w- c:\program files\iTunes
2009-08-09 21:44 . 2009-08-09 21:44 -------- d-----w- c:\program files\Bonjour
2009-08-09 21:42 . 2009-08-09 21:43 -------- d-----w- c:\program files\QuickTime
2009-08-09 21:37 . 2009-08-09 21:37 75040 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 08:11 . 2009-08-10 08:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-08-10 06:53 . 2008-02-13 06:11 -------- d-----w- c:\program files\Java
2009-08-10 05:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-10 01:02 . 2008-02-13 06:06 -------- d-----w- c:\programdata\Symantec
2009-08-10 01:02 . 2008-02-13 06:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-10 00:35 . 2009-07-02 06:50 -------- d-----w- c:\programdata\11140564
2009-08-09 22:15 . 2009-08-09 22:15 112408 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-09 21:50 . 2009-06-10 01:28 -------- d-sh--w- c:\users\Ryan R & Hannah R\AppData\Roaming\lowsec
2009-08-09 21:46 . 2008-09-21 23:41 -------- d-----w- c:\program files\Common Files\Apple
2009-08-06 01:30 . 2008-09-21 22:12 -------- d-----w- c:\users\Ryan R & Hannah R\AppData\Roaming\LimeWire
2009-07-18 16:06 . 2009-08-10 02:53 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-08-10 02:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-08-10 02:53 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-05-25 13:50 . 2009-05-25 13:50 164864 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2008-09-21 05:48 . 2008-09-21 05:48 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-09-21 05:48 . 2008-09-21 05:48 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-04 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"TRCMan"="c:\program files\TOSHIBA\TRCMan\TRCMan.exe" [2008-01-11 692224]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-26 413696]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-21 29744]
"PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe" [2007-12-14 143360]
"CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe" [2008-02-14 184320]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-10 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-30 4911104]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{806D78B3-015C-4722-9DB5-A35C81FBB93D}"= c:\program files\CyberLink\PowerCinema for TOSHIBA\PowerCinema.exe:CyberLink PowerCinema
"{D65BA80A-4847-49F9-8154-3AAD5008E39B}"= c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMService.exe:CyberLink PowerCinema Resident Program
"{FB9826A3-C8DD-40FC-8CA4-24624870C415}"= c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{7DE3F918-8D69-41D4-99C3-88D389826E89}"= c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{E2F86649-63F6-4459-A568-80538F5C9416}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{ADEC6DA1-2149-41FA-89AF-1E0A5AF9F1EC}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{48A04C21-C5A3-497C-887C-024CC309C97E}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{FDB726B5-E6A2-4EDA-A704-E23FCCC7C0CD}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9E989F25-B34B-4632-8CEA-61F0CB7E1A15}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{EFFA6095-3ACC-41C0-9A69-A34264F126B3}c:\\windows\\explorer.exe"= UDP:c:\windows\explorer.exe:Windows Explorer
"UDP Query User{73B7A4C7-8C1C-4E4F-A12C-8A6445BAF543}c:\\windows\\explorer.exe"= TCP:c:\windows\explorer.exe:Windows Explorer
"{9F61F8D3-FE1B-42E2-B814-47DA948B5ED0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F446C895-A8BC-4BBC-A854-39FADA42C76B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{49D44EEB-8F84-4D9F-97B7-EF89567DE63D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{525EEEF9-A23B-4506-B147-B41C0A812777}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/9/2009 11:03 PM 114768]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\System32\drivers\jswpslwf.sys [6/4/2008 1:32 AM 20352]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/9/2009 11:03 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/9/2009 11:02 PM 51792]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [12/25/2007 2:07 PM 40960]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 5:03 PM 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [2/12/2008 10:46 PM 7168]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/12/2008 11:21 PM 29744]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [6/4/2008 1:32 AM 937984]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 16:46
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\users\RYANR&~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-08-10 16:52
ComboFix-quarantined-files.txt 2009-08-10 23:52

Pre-Run: 139,090,296,832 bytes free
Post-Run: 139,022,548,992 bytes free

181 --- E O F --- 2009-08-10 23:30

#6
SpySentinel

Posted 11 August 2009 - 12:04 AM

Forum Deity

Experts
1,848 posts

Gender:Male
Location:The United States
Interests:Fighting/Analyzing Malware & Social Media

Hi cammac725,

Launch Malwarebytes' Anti-Malware

If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Matt Russo
Social Media Specialist

#7
cammac725

Posted 11 August 2009 - 05:24 AM

New Member

Members
14 posts

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1

8/10/2009 10:22:21 PM
mbam-log-2009-08-10 (22-22-21).txt

Scan type: Quick Scan
Objects scanned: 89158
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpywareRemover2009 (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\cleaner2009 freeware (Rogue.Cleaner2009) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8
SpySentinel

Posted 11 August 2009 - 08:33 PM

Forum Deity

Experts
1,848 posts

Gender:Male
Location:The United States
Interests:Fighting/Analyzing Malware & Social Media

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Matt Russo
Social Media Specialist

#9
cammac725

Posted 11 August 2009 - 09:12 PM

New Member

Members
14 posts

Logfile of random's system information tool 1.06 (written by random/random)
Run by Ryan R & Hannah R at 2009-08-11 14:08:27
Microsoft� Windows Vista� Home Premium Service Pack 1
System drive C: has 133 GB (70%) free of 189 GB
Total RAM: 2941 MB (62% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:52 PM, on 8/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\TRCMan\TRCMan.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Ryan R & Hannah R\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ryan R & Hannah R.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TRCMan] C:\Program Files\TOSHIBA\TRCMan\TRCMan.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PCMAgent] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8769 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-08-09 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-08-10 259696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-07-12 669168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-04-24 470512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-09 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-08-10 259696]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-01-29 4911104]
"TRCMan"=C:\Program Files\TOSHIBA\TRCMan\TRCMan.exe [2008-01-11 692224]
"Camera Assistant Software"=C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe [2007-10-25 413696]
"TPwrMain"=C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [2008-01-17 431456]
"HSON"=C:\Program Files\TOSHIBA\TBS\HSON.exe [2007-10-31 54608]
"SmoothView"=C:\Program Files\Toshiba\SmoothView\SmoothView.exe [2007-06-15 448080]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"ITSecMng"=C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [2007-09-28 75136]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-08-14 1348904]
"NDSTray.exe"=NDSTray.exe []
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-21 29744]
"PCMAgent"=C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe [2007-12-13 143360]
"CLMLServer"=C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe [2008-02-14 184320]
"00TCrdMain"=C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [2008-01-22 712704]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-09 149280]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-01-04 39408]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\TOSHIBA\ivp\NetInt\Netint.exe"="C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\TOSHIBA\Ivp\ISM\pinger.exe"="C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-08-11 14:08:27 ----D---- C:\rsit
2009-08-10 22:14:50 ----D---- C:\Users\Ryan R & Hannah R\AppData\Roaming\Malwarebytes
2009-08-10 16:52:45 ----SHD---- C:\$RECYCLE.BIN
2009-08-10 16:52:35 ----A---- C:\ComboFix.txt
2009-08-10 16:32:07 ----A---- C:\Windows\zip.exe
2009-08-10 16:32:07 ----A---- C:\Windows\SWXCACLS.exe
2009-08-10 16:32:07 ----A---- C:\Windows\SWSC.exe
2009-08-10 16:32:07 ----A---- C:\Windows\SWREG.exe
2009-08-10 16:32:07 ----A---- C:\Windows\sed.exe
2009-08-10 16:32:07 ----A---- C:\Windows\PEV.exe
2009-08-10 16:32:07 ----A---- C:\Windows\NIRCMD.exe
2009-08-10 16:32:07 ----A---- C:\Windows\grep.exe
2009-08-10 16:31:42 ----D---- C:\Qoobox
2009-08-10 01:00:53 ----A---- C:\Windows\system32\infocardapi.dll
2009-08-10 01:00:51 ----A---- C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-10 01:00:48 ----A---- C:\Windows\system32\icardres.dll
2009-08-10 01:00:48 ----A---- C:\Windows\system32\icardagt.exe
2009-08-10 01:00:47 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2009-08-10 01:00:42 ----A---- C:\Windows\system32\PresentationNative_v0300.dll
2009-08-10 01:00:34 ----A---- C:\Windows\system32\PresentationHost.exe
2009-08-10 00:50:37 ----A---- C:\Windows\system32\dfshim.dll
2009-08-10 00:50:32 ----A---- C:\Windows\system32\mscoree.dll
2009-08-10 00:50:31 ----A---- C:\Windows\system32\netfxperf.dll
2009-08-10 00:50:14 ----A---- C:\Windows\system32\mscorier.dll
2009-08-10 00:50:03 ----A---- C:\Windows\system32\mscories.dll
2009-08-09 23:53:58 ----A---- C:\Windows\system32\javaws.exe
2009-08-09 23:53:58 ----A---- C:\Windows\system32\javaw.exe
2009-08-09 23:53:58 ----A---- C:\Windows\system32\java.exe
2009-08-09 23:53:58 ----A---- C:\Windows\system32\deploytk.dll
2009-08-09 23:38:55 ----D---- C:\Windows\ERDNT
2009-08-09 23:02:24 ----A---- C:\Windows\system32\aswBoot.exe
2009-08-09 23:02:21 ----D---- C:\Program Files\Alwil Software
2009-08-09 21:46:46 ----A---- C:\Windows\system32\MRT.INI
2009-08-09 20:25:10 ----A---- C:\Windows\system32\EncDec.dll
2009-08-09 20:25:09 ----A---- C:\Windows\system32\psisdecd.dll
2009-08-09 19:54:33 ----A---- C:\Windows\system32\t2embed.dll
2009-08-09 19:54:33 ----A---- C:\Windows\system32\fontsub.dll
2009-08-09 19:54:32 ----A---- C:\Windows\system32\dciman32.dll
2009-08-09 19:54:32 ----A---- C:\Windows\system32\atmfd.dll
2009-08-09 19:54:29 ----A---- C:\Windows\system32\rpcrt4.dll
2009-08-09 19:54:01 ----A---- C:\Windows\system32\localspl.dll
2009-08-09 19:53:53 ----A---- C:\Windows\system32\occache.dll
2009-08-09 19:53:53 ----A---- C:\Windows\system32\mshtml.dll
2009-08-09 19:53:51 ----A---- C:\Windows\system32\ieframe.dll
2009-08-09 19:53:49 ----A---- C:\Windows\system32\urlmon.dll
2009-08-09 19:53:48 ----A---- C:\Windows\system32\wininet.dll
2009-08-09 19:53:48 ----A---- C:\Windows\system32\msfeeds.dll
2009-08-09 19:53:48 ----A---- C:\Windows\system32\iertutil.dll
2009-08-09 19:53:48 ----A---- C:\Windows\system32\iedkcs32.dll
2009-08-09 19:53:47 ----A---- C:\Windows\system32\ieUnatt.exe
2009-08-09 19:53:47 ----A---- C:\Windows\system32\ieencode.dll
2009-08-09 19:53:47 ----A---- C:\Windows\system32\ieaksie.dll
2009-08-09 19:53:46 ----A---- C:\Windows\system32\mstime.dll
2009-08-09 19:53:46 ----A---- C:\Windows\system32\jsproxy.dll
2009-08-09 19:44:08 ----A---- C:\RootRepeal report 08-09-09 (19-44-08).txt
2009-08-09 18:43:46 ----A---- C:\RootRepeal report 08-09-09 (18-43-46).txt
2009-08-09 16:21:53 ----A---- C:\Windows\system32\Reslog.txt
2009-08-09 15:31:58 ----A---- C:\Windows\Partizan.txt
2009-08-09 15:31:17 ----A---- C:\Windows\system32\PARTIZAN.TXT
2009-08-09 15:27:55 ----RASHOT---- C:\Windows\winstart.bat
2009-08-09 15:27:10 ----D---- C:\Program Files\UnHackMe
2009-08-09 15:07:25 ----D---- C:\Program Files\Trend Micro
2009-08-09 15:04:51 ----D---- C:\ProgramData\Malwarebytes
2009-08-09 15:04:50 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-09 14:46:48 ----A---- C:\Windows\system32\GEARAspi.dll
2009-08-09 14:46:21 ----D---- C:\Program Files\iPod
2009-08-09 14:46:15 ----D---- C:\ProgramData\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-09 14:46:15 ----D---- C:\Program Files\iTunes
2009-08-09 14:44:07 ----D---- C:\Program Files\Bonjour
2009-08-09 14:42:53 ----D---- C:\Program Files\QuickTime

======List of files/folders modified in the last 1 months======

2009-08-11 14:08:52 ----D---- C:\Windows\winsxs
2009-08-11 14:08:30 ----D---- C:\Windows\Temp
2009-08-10 22:18:20 ----AD---- C:\Windows\System32
2009-08-10 22:18:20 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-08-10 22:18:19 ----D---- C:\Windows\inf
2009-08-10 22:12:17 ----D---- C:\Windows\system32\WDI
2009-08-10 17:11:30 ----D---- C:\Windows\Microsoft.NET
2009-08-10 17:11:15 ----RSD---- C:\Windows\assembly
2009-08-10 16:52:51 ----D---- C:\Windows\system32\en-US
2009-08-10 16:47:07 ----D---- C:\Windows
2009-08-10 16:47:07 ----A---- C:\Windows\system.ini
2009-08-10 16:40:44 ----D---- C:\Windows\system32\drivers
2009-08-10 16:40:44 ----D---- C:\Windows\AppPatch
2009-08-10 16:40:41 ----D---- C:\Program Files\Common Files
2009-08-10 16:39:53 ----SHD---- C:\System Volume Information
2009-08-10 16:39:02 ----D---- C:\Windows\rescache
2009-08-10 16:30:32 ----SHD---- C:\Windows\Installer
2009-08-10 01:11:58 ----D---- C:\Windows\system32\XPSViewer
2009-08-10 01:11:58 ----D---- C:\Windows\system32\wbem
2009-08-10 01:10:40 ----D---- C:\Windows\system32\catroot
2009-08-10 01:04:39 ----D---- C:\Windows\system32\catroot2
2009-08-10 00:30:44 ----RD---- C:\Program Files
2009-08-10 00:30:44 ----D---- C:\Windows\Tasks
2009-08-09 23:53:59 ----D---- C:\Windows\Prefetch
2009-08-09 23:53:11 ----D---- C:\Program Files\Java
2009-08-09 23:20:15 ----D---- C:\Windows\Debug
2009-08-09 22:36:44 ----D---- C:\Windows\ehome
2009-08-09 22:36:43 ----D---- C:\Program Files\Windows Mail
2009-08-09 22:36:42 ----D---- C:\Program Files\Internet Explorer
2009-08-09 18:02:06 ----D---- C:\ProgramData\Symantec
2009-08-09 18:02:06 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-08-09 18:00:04 ----HD---- C:\ProgramData
2009-08-09 17:35:50 ----D---- C:\ProgramData\11140564
2009-08-09 15:15:08 ----RD---- C:\Users
2009-08-09 14:50:16 ----SHD---- C:\Users\Ryan R & Hannah R\AppData\Roaming\lowsec
2009-08-09 14:46:48 ----DC---- C:\Windows\system32\DRVSTORE
2009-08-09 14:46:19 ----D---- C:\Program Files\Common Files\Apple
2009-08-05 18:30:52 ----D---- C:\Users\Ryan R & Hannah R\AppData\Roaming\LimeWire

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2009-02-05 23152]
R1 aswSP;avast! Self Protection; C:\Windows\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 jswpslwf;JumpStart Wireless Filter Driver; C:\Windows\system32\DRIVERS\jswpslwf.sys [2007-08-31 20352]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMonFlt;aswMonFlt; C:\Windows\system32\DRIVERS\aswMonFlt.sys [2009-02-05 51792]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-21 37376]
R3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2006-11-28 1161888]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2008-07-29 919552]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-27 2929664]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 FwLnk;FwLnk Driver; C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2009-03-19 23400]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-01-30 2058528]
R3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2009-05-25 164864]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-20 88576]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-08-14 203312]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver; C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 16128]
R3 usbvideo;Chicony USB 2.0 Camera; C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016]
R3 UVCFTR;UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [2007-12-17 18432]
S3 catchme;catchme; \??\C:\Users\RYANR&~1\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 FTDIBUS;USB Serial Converter Driver; C:\Windows\system32\drivers\ftdibus.sys [2006-05-18 47249]
S3 FTSER2K;USB Serial Port Driver; C:\Windows\system32\drivers\ftser2k.sys [2006-05-18 61067]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 Tosrfcom;Tosrfcom; C:\Windows\system32\drivers\Tosrfcom.sys []
S3 tosrfec;Bluetooth ACPI; C:\Windows\system32\DRIVERS\tosrfec.sys [2006-10-23 9216]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-09-10 32000]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-20 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 KR10I;KR10I; C:\Windows\system32\drivers\kr10i.sys [2006-11-08 219264]
S4 KR10N;KR10N; C:\Windows\system32\drivers\kr10n.sys [2006-11-08 211072]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-20 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2006-10-05 9216]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2007-07-27 610304]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 ConfigFree Service;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
R2 pinger;pinger; C:\Toshiba\IVP\ISM\pinger.exe [2007-01-25 136816]
R2 Swupdtmr;Swupdtmr; c:\Toshiba\IVP\swupdate\swupdtmr.exe [2007-10-23 66928]
R2 TNaviSrv;TOSHIBA Navi Support Service; C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [2008-01-21 83312]
R2 TODDSrv;TOSHIBA Optical Disc Drive Service; C:\Windows\system32\TODDSrv.exe [2007-11-21 129632]
R2 TosCoSrv;TOSHIBA Power Saver; C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe [2008-01-17 431456]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service; C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-09-28 128360]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service; C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2006-08-23 49152]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 GameConsoleService;GameConsoleService; C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe [2007-09-24 181784]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-21 29744]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-25 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 jswpsapi;Jumpstart Wifi Protected Setup; C:\Program Files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2009-08-11 14:08:58

======Uninstall list======

-->"C:\Program Files\InstallShield Installation Information\{A644254B-92F6-4970-8635-AB0775371E72}\setup.exe" --u:{A644254B-92F6-4970-8635-AB0775371E72}
-->"C:\Program Files\TOSHIBA Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Blackhawk Striker 2\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\FATE\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Mah Jong Quest\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Mystery P.I. - The Lottery Ticket\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Sea Life Safari\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\Uninstall.exe"
-->"C:\Program Files\TOSHIBA Games\Virtual Villagers - A New Home\Uninstall.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{622E6F16-0904-49B6-BBE1-4CC836314CCF}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{697AFC77-F318-4CD4-BF16-F50F4C1072DA}\setup.exe" -l0x9
2007 Microsoft Office system-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8}
Adobe Media Player-->MsiExec.exe /X{95264530-5A22-8E7E-FE9D-D63A927BCAEA}
Adobe Reader 8.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Apple Mobile Device Support-->MsiExec.exe /I{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Atheros Driver Installation Program-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe" -l0x9 -removeonly
Atheros Wi-Fi Protected Setup Library-->C:\Program Files\InstallShield Installation Information\{B0BCDCBD-863D-4CAB-BF68-8D1F6B1BDC13}\setup.exe -runfromtemp -l0x0009 -removeonly
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Bluetooth Stack for Windows by Toshiba-->MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Cabela's Big Game Hunter-->MsiExec.exe /I{A201AB41-F4B1-42BD-AF91-316C88477744}
Camera Assistant Software for Toshiba-->C:\Program Files\InstallShield Installation Information\{37C866E4-AA67-4725-9E95-A39968DD7960}\setup.exe -runfromtemp -l0x0009
Catalyst Control Center - Branding-->MsiExec.exe /I{D58A1E94-9EEA-4C6E-B9FB-D7C63DC6C941}
CD/DVD Drive Acoustic Silencer-->C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe -runfromtemp -l0x0009 -removeonly
CROME 1.2-->"C:\Program Files\CROME\unins000.exe"
CyberLink PowerCinema for TOSHIBA-->"C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" /z-uninstall
DVD MovieFactory for TOSHIBA-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}\setup.exe" -l0x9
FTDI USB Serial Converter Drivers-->C:\Windows\system32\ftdiunin.exe C:\Windows\system32\ftdiun2k.ini
GearDrvs-->MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Hex Workshop-->C:\Windows\uninst.exe -f"C:\Program Files\Hex Workshop\DeIsL1.isu"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
iTunes-->MsiExec.exe /I{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216015FF}
LimeWire PRO 4.18.8-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Memeo AutoBackup-->C:\Program Files\InstallShield Installation Information\{03240EBA-04F2-4652-BC7F-B055902BDCD3}\setup.exe -runfromtemp -l0x0409
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007-->MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Moates Flash & Burn-->"C:\Program Files\Flash N Burn\unins000.exe"
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Napster Burn Engine-->MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Napster-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9 -removeonly
Norton 360-->MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe"
QuickBooks Financial Center-->MsiExec.exe /I{890EF3F8-742F-46BD-9E8E-084B3A1F4364}
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
Security Update for Windows Media Encoder (KB954156)-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E} MSIPATCHREMOVE={E836F1B7-43FB-46B0-A0D9-E4D2A5951659} /qb
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TOSHIBA Assist-->C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe -runfromtemp -l0x0009 -removeonly
TOSHIBA ConfigFree-->MsiExec.exe /X{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}
TOSHIBA Disc Creator-->MsiExec.exe /X{5DA0E02F-970B-424B-BF41-513A5018E4C0}
TOSHIBA DVD PLAYER-->C:\Program Files\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe -runfromtemp -l0x0009 -ADDREMOVE -removeonly
TOSHIBA Extended Tiles for Windows Mobility Center-->C:\Program Files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\setup.exe -runfromtemp -l0x0409
TOSHIBA Face Recognition-->"C:\Program Files\InstallShield Installation Information\{C730E42C-935A-45BB-A0C5-37E5234D111B}\setup.exe" -runfromtemp -l0x0409 -removeonly
TOSHIBA Face Recognition-->MsiExec.exe /I{C730E42C-935A-45BB-A0C5-37E5234D111B}
TOSHIBA Games-->"C:\Program Files\TOSHIBA Games\Uninstall.exe"
TOSHIBA Hardware Setup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2883F6F5-0509-43F3-868C-D50330DD9DD3}\setup.exe" -l0x9
Toshiba Registration-->MsiExec.exe /I{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}
TOSHIBA Remote Control Manager-->C:\Program Files\InstallShield Installation Information\{FEB650EB-7639-444E-9FC2-C33EE6ED1A37}\setup.exe -runfromtemp -l0x0009 -removeonly
TOSHIBA SD Memory Utilities-->MsiExec.exe /X{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}
TOSHIBA Software Modem-->Tosmreg -U
TOSHIBA Software Upgrades-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.exe" -l0x9 -removeonly
TOSHIBA Speech System Applications-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
TOSHIBA Supervisor Password-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4B1E87C3-00DE-4898-8E39-E390AAEF2391}\setup.exe" -l0x9
TOSHIBA Value Added Package-->C:\Program Files\InstallShield Installation Information\{FEDD27A0-B306-45EF-BF58-B527406B42C8}\setup.exe -runfromtemp -l0x0409
TunerPro v4.14-->"C:\Program Files\TunerPro\unins000.exe"
Update for Office 2007 (KB934528)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {2B939677-2FFD-48F6-9075-7BF48CB87C80}
Update for Office System 2007 Setup (KB929722)-->msiexec /package {91120000-0031-0000-0000-0000000FF1CE} /uninstall {D8E9BEBD-655F-467D-8176-CA9959C140A3}
Version 2.50r12-->"C:\Program Files\nemesis\unins000.exe"
Windows Media Encoder 9 Series-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: Ryan_Hannah
Event Code: 10010
Message: The server {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} did not register with DCOM within the required timeout.
Record Number: 11779
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20081022045222.000000-000
Event Type: Error
User:

Computer Name: Ryan_Hannah
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 11811
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20081022143436.023478-000
Event Type: Error
User:

Computer Name: Ryan_Hannah
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00216330F6FD. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 11915
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20081023004822.000000-000
Event Type: Warning
User:

Computer Name: Ryan_Hannah
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00216330F6FD. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 11916
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20081023004822.000000-000
Event Type: Warning
User:

Computer Name: Ryan_Hannah
Event Code: 6008
Message: The previous system shutdown at 5:51:08 PM on 10/22/2008 was unexpected.
Record Number: 11931
Source Name: EventLog
Time Written: 20081023063720.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: Ryan_Hannah
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-31382309-291872213-2470014690-1000_Classes:
Process 1068 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-31382309-291872213-2470014690-1000_CLASSES

Record Number: 7692
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090811050945.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Ryan_Hannah
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 7709
Source Name: Microsoft-Windows-WMI
Time Written: 20090811051208.000000-000
Event Type: Error
User:

Computer Name: Ryan_Hannah
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-31382309-291872213-2470014690-1000:
Process 1044 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-31382309-291872213-2470014690-1000

Record Number: 7719
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090811055023.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Ryan_Hannah
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-31382309-291872213-2470014690-1000_Classes:
Process 1044 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-31382309-291872213-2470014690-1000_CLASSES

Record Number: 7720
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20090811055024.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Ryan_Hannah
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 7741
Source Name: Microsoft-Windows-WMI
Time Written: 20090811210456.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Ryan_Hannah
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 14116
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090811210850.215811-000
Event Type: Audit Failure
User:

Computer Name: Ryan_Hannah
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 14117
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090811210850.340611-000
Event Type: Audit Failure
User:

Computer Name: Ryan_Hannah
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 14118
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090811210850.449811-000
Event Type: Audit Failure
User:

Computer Name: Ryan_Hannah
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 14119
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090811210850.543411-000
Event Type: Audit Failure
User:

Computer Name: Ryan_Hannah
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 14120
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090811210850.652611-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 104 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=6802
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------

#10
SpySentinel

Posted 11 August 2009 - 09:51 PM

Forum Deity

Experts
1,848 posts

Gender:Male
Location:The United States
Interests:Fighting/Analyzing Malware & Social Media

Download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

No AntiVirus Onboard

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are a few very good free Antivirus products which are available:

AntiVir Personal
AVG Free
AVAST!

PC Tools AntiVirus

Select one of these, or another of your choice. Download, install, and update definitions.

Also, how is your computer running?

Matt Russo
Social Media Specialist

#11
cammac725

Posted 11 August 2009 - 10:49 PM

New Member

Members
14 posts

...and that's it?? Thank you very much, SpySentinel!

It does have Avast, just never restarted after running ComboFix.

This is a friend's laptop; he never complained about how it was running until this infection.

Thanks again!

#12
SpySentinel

Posted 11 August 2009 - 10:51 PM

Forum Deity

Experts
1,848 posts

Gender:Male
Location:The United States
Interests:Fighting/Analyzing Malware & Social Media

You're welcome.

Your log looks clean, Great Job

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Now for some cleanup..
Please download OTC and save it to Desktop.

Please make sure you are connecting to the Internet
Double-click OTC.exe
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

No Firewall Onboard

You don't seem to have a firewall program installed. Using a firewall will allow you to allow/deny access for applications that want to go online. Select one of these, or another of your choice:
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
Install SpywareGuard - SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

McAfee Site Advisor <= McAfee Site Advisor protects your browser against malicious sites and warns you when you go to one.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Matt Russo
Social Media Specialist

Back to Resolved HijackThis Logs · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

Malwarebytes

couldn't run MB, suspect rootkits

#1
cammac725

Posted 10 August 2009 - 01:51 AM

#2
SpySentinel

Posted 10 August 2009 - 01:55 AM

#3
cammac725

Posted 10 August 2009 - 02:48 AM

#4
SpySentinel

Posted 10 August 2009 - 08:08 PM

#5
cammac725

Posted 11 August 2009 - 12:00 AM

#6
SpySentinel

Posted 11 August 2009 - 12:04 AM

#7
cammac725

Posted 11 August 2009 - 05:24 AM

#8
SpySentinel

Posted 11 August 2009 - 08:33 PM

#9
cammac725

Posted 11 August 2009 - 09:12 PM

#10
SpySentinel

Posted 11 August 2009 - 09:51 PM

#11
cammac725

Posted 11 August 2009 - 10:49 PM

#12
SpySentinel

Posted 11 August 2009 - 10:51 PM

1 user(s) are reading this topic

Products

About

Partners

Follow Us

Malwarebytes

couldn't run MB, suspect rootkits

#1 cammac725 Posted 10 August 2009 - 01:51 AM

#2 SpySentinel Posted 10 August 2009 - 01:55 AM

#3 cammac725 Posted 10 August 2009 - 02:48 AM

#4 SpySentinel Posted 10 August 2009 - 08:08 PM

#5 cammac725 Posted 11 August 2009 - 12:00 AM

#6 SpySentinel Posted 11 August 2009 - 12:04 AM

#7 cammac725 Posted 11 August 2009 - 05:24 AM

#8 SpySentinel Posted 11 August 2009 - 08:33 PM

#9 cammac725 Posted 11 August 2009 - 09:12 PM

#10 SpySentinel Posted 11 August 2009 - 09:51 PM

#11 cammac725 Posted 11 August 2009 - 10:49 PM

#12 SpySentinel Posted 11 August 2009 - 10:51 PM

1 user(s) are reading this topic

Products

About

Partners

Follow Us

#1
cammac725

Posted 10 August 2009 - 01:51 AM

#2
SpySentinel

Posted 10 August 2009 - 01:55 AM

#3
cammac725

Posted 10 August 2009 - 02:48 AM

#4
SpySentinel

Posted 10 August 2009 - 08:08 PM

#5
cammac725

Posted 11 August 2009 - 12:00 AM

#6
SpySentinel

Posted 11 August 2009 - 12:04 AM

#7
cammac725

Posted 11 August 2009 - 05:24 AM

#8
SpySentinel

Posted 11 August 2009 - 08:33 PM

#9
cammac725

Posted 11 August 2009 - 09:12 PM

#10
SpySentinel

Posted 11 August 2009 - 09:51 PM

#11
cammac725

Posted 11 August 2009 - 10:49 PM

#12
SpySentinel

Posted 11 August 2009 - 10:51 PM