
Please help. I've been trying to remove infection(s) without success.

I have attached the logs from DDS saying "possible TDL3 rootkit infection".

I just bought the paid version of MB yesterday, and last night kept getting repeated attacks from about 10 different IP addresses (attached also).

Two days ago I went round and round with a disabled desktop and Task Manager, went into Safe Mode repeatedly using fixer.exe, ESET, MB and numerous HijackThis kills, and ended up doing a System Restore, which got it back to something resembling normal.

ESET online scanner and MB have found and quarantined a few dozen things but this is still obviously not fixed yet.

Any help would be greatly appreciated.

attack ip addresses051311.txt

Attach 051411.txt


Hi MySickComputer and Welcome to Malwarebytes!

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log.

  • Once the scan finishes click Save log to save the log to your Desktop
  • Copy and paste the contents of aswMBR.txt back here for review

Thanks Kenny94!

aswMBR 051411.txt log is attached for review.

aswMBR 051411.txt


Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not attempt any fixes on your own or run any scanners unless requested by me or another helper.

---------------------------------------------------------------------------------------------

Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix for TDL4

Save the log as before and post in your next reply

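The "Fix for TDL4" button exists because TDL4 is a bootkit: it overwrites the 512-byte master boot record so its own loader runs before Windows, and it keeps its hidden file system in unpartitioned sectors at the end of the disk. A scanner like aswMBR therefore looks at what the disk actually returns for sector 0 and compares it with what a sane MBR should contain. The script below is an added example written for this page; it is not aswMBR's code and nothing in it came from the user's machine. It parses an MBR image, validates the 0x55AA signature and the partition table (exactly one active entry, no overlaps, nothing past the end of the disk, no suspiciously large unpartitioned tail), and compares the boot-code bytes against a known-good SHA-256. The two MBR images, the reference hash and the disk size are constructed for the example.

```python
"""Parse and sanity-check a 512-byte MBR image.

Added example for this thread; it is not aswMBR's code. It shows the kind of
checks an MBR scanner performs: signature, partition table consistency, and a
comparison of the boot code against a known-good reference.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
MBR_SIGNATURE = b"\x55\xAA"


@dataclass
class Partition:
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:   # exclusive
        return self.lba_start + self.sectors


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        status, _, type_id, _, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id == 0 and sectors == 0:
            continue                     # empty slot
        parts.append(Partition(i, status, type_id, lba_start, sectors))
    return parts


def check_mbr(mbr: bytes, known_good_boot_sha256: str, disk_sectors: int,
              tail_threshold: int = 2048) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != SECTOR:
        return [f"MBR image is {len(mbr)} bytes, expected {SECTOR}"]
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    boot_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if boot_hash != known_good_boot_sha256:
        findings.append(f"boot code differs from reference (sha256 {boot_hash[:16]}...)")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p.status == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte {p.status:#04x}")
        if p.lba_end > disk_sectors:
            findings.append(f"partition {p.index}: extends past the end of the disk")
    spans = sorted((p.lba_start, p.lba_end, p.index) for p in parts)
    for (_, end_a, ia), (start_b, _, ib) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions {ia} and {ib} overlap")
    # TDL4 keeps its hidden file system in unpartitioned sectors at the end of the
    # disk, so a large unpartitioned tail is worth a look (it is not proof of infection).
    if parts:
        tail = disk_sectors - max(p.lba_end for p in parts)
        if tail > tail_threshold:
            findings.append(f"{tail} unpartitioned sectors at the end of the disk")
    return findings


def build_mbr(boot_code: bytes, partitions: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a test MBR from boot code and (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(PART_ENTRY_FMT, st, b"\xff" * 3, ty, b"\xff" * 3, lba, n)
                     for st, ty, lba, n in partitions)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + MBR_SIGNATURE


# Constructed sample data (not taken from the user's machine).
DISK_SECTORS = 195_371_568                      # roughly the 93 GiB disk in the thread
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20   # stand-in for vendor boot code
CLEAN_BOOT_SHA256 = hashlib.sha256(CLEAN_BOOT.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()
PARTITIONS = [(0x80, 0x07, 63, DISK_SECTORS - 63 - 100)]      # one active NTFS partition
CLEAN_MBR = build_mbr(CLEAN_BOOT, PARTITIONS)
# Same partition table, but the boot code has been replaced by a different loader.
INFECTED_MBR = build_mbr(b"\xEB\x3C\x90" + b"\x00" * 10, PARTITIONS)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("tampered", INFECTED_MBR)):
        print(label, check_mbr(image, CLEAN_BOOT_SHA256, DISK_SECTORS) or ["no findings"])
```

On a real machine the reference hash would come from the vendor's or Windows' own boot code, and the image would be read from the raw disk device rather than built in memory; the point of the checks is that a bootkit must change bytes in sector 0, and those changes are visible to anyone who compares against a trusted copy.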
aswMBR 051411 ii log is attached.

When I hit Fix it got locked up at "verifying disinfection" and required a shutdown by killing the power supply.

It started back up just fine; I ran aswMBR.exe again, hit Scan, and saved the log.

aswMBR 051411 ii.txt


Hi

Okay, we still have some work to do.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

Unable to run ComboFix due to AVG not being properly disabled... I followed the instructions given in that BleepingComputer link, and then followed the ComboFix prompt to uninstall AVG, which gave errors when attempted; please see the attached screenshot.

post-80598-0-56401200-1305400859.jpg


Download AppRemover and run it.

Click Next >>

Ensure "Remove Security Application" is selected and click Next >>

AppRemover will scan all the security applications on your PC

Select any AVG entries from the applications offered and click Next >> twice.

Follow any further on-screen instructions. If asked to reboot, please do so.

Note: Please do not browse the internet or open any email attachments until your Anti-Virus is re-installed

AppRemover worked.

The ComboFix log is attached.

I was disconnected from the internet while running it; it prompted me to connect to download the MS recovery thing but didn't grab it after I was connected.

Should I run it again with the internet connected?

combofix log 051411.txt


Please use the ADD REPLY button when replying, thanks :) We are getting closer. Good job you did there... :)

Dial-A-Fix might give you a lot of errors; just ignore them and continue. Then run CFScript, but only after you have run Dial-A-Fix first.

  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot of errors; just ignore them and click OK to continue.
  • Press the green double checkmark box.
  • UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section.
  • Click on Go.
  • Wait for Dial-A-Fix to finish (all the check marks will be gone).
  • Close Dial-A-Fix.

Next

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::
Driver::
bfastfao
File::
c:\docume~1\PAULRU~1\LOCALS~1\Temp\bfastfao.sys
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
ReglockDel::
[HKEY_USERS\S-1-5-21-2533880093-1066840779-2804358638-1006\Software\Microsoft\SystemCertificates\AddressBook*]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

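The CFScript above removes a driver (bfastfao) whose image sits in the user's Temp folder. A helper spots that by reading the DDS "SERVICES / DRIVERS" and "Created Last 30" sections by eye: a kernel driver should load from system32\drivers or a vendor's Program Files folder, not from a user-writable path, and a new file dropped straight into the Windows root is worth a second look. The script below is an added example for this page; it is not part of DDS, ComboFix or aswMBR, and the rules in it are the editor's, not the helper's. It applies those two checks to DDS-formatted lines. The sample lines are constructed to match the DDS format shown later in this thread; the bfastfao line is built from the path named in the CFScript and was not copied from a real log. The allowlist of helper files ComboFix drops in c:\windows (sed.exe, MBR.exe, PEV.exe, SWREG.exe) is taken from the "Created Last 30" section of the DDS log posted further down.

```python
"""Triage DDS-style 'SERVICES / DRIVERS' and 'Created Last 30' lines.

Added example for this thread; it is not part of DDS, ComboFix or aswMBR. It
automates two checks a helper makes by eye: a kernel driver whose image lives in
a user-writable folder, and a new file dropped straight into the Windows root.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-14 11608]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$")
# 2011-05-13 04:23:57 0 ----a-w- c:\windows\Xvitalegetek.bin
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+)$")

# Path fragments (8.3 and long forms) that a normal user account can write to.
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\applic~1\\",
                 "\\application data\\", "\\docume~1\\", "\\documents and settings\\",
                 "\\users\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Files ComboFix drops in c:\windows (the ones visible in the DDS log in this thread).
COMBOFIX_HELPERS = {"sed.exe", "mbr.exe", "pev.exe", "swreg.exe"}


@dataclass
class Finding:
    line: str
    reason: str


def triage_service(line: str) -> Finding | None:
    """Flag drivers/services from the SERVICES / DRIVERS section that load from odd places."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    image = m["path"].lower().split(" -k ")[0]      # drop the svchost group name
    if image.endswith(".sys") and any(tok in image for tok in USER_WRITABLE):
        return Finding(line, f"kernel driver '{m['name']}' loads from a user-writable path: {image}")
    if m["start"] in "01" and not image.startswith(TRUSTED_ROOTS):
        return Finding(line, f"boot/system-start service '{m['name']}' outside Windows or Program Files")
    return None


def triage_created(line: str) -> Finding | None:
    """Flag entries from the Created Last 30 section that land in suspicious locations."""
    m = CREATED_RE.match(line.strip())
    if not m or m["attrs"].startswith("d"):          # skip directories
        return None
    path = m["path"].lower()
    folder, _, name = path.rpartition("\\")
    if folder == "c:\\windows" and name not in COMBOFIX_HELPERS:
        return Finding(line, f"new file directly in the Windows root: {name}")
    if name.endswith(".sys") and any(tok in path for tok in USER_WRITABLE):
        return Finding(line, f"new driver image in a user-writable path: {name}")
    return None


def triage(lines) -> list[Finding]:
    """Run both checks over a sequence of DDS lines and collect the hits in order."""
    out = []
    for line in lines:
        f = triage_service(line) or triage_created(line)
        if f:
            out.append(f)
    return out


# Constructed sample lines in DDS format. The bfastfao line is built from the
# path named in the CFScript above; it was not copied from a real log.
SAMPLE_LINES = [
    r"R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-14 11608]",
    r"R1 bfastfao;bfastfao;c:\docume~1\paulru~1\locals~1\temp\bfastfao.sys [2011-5-13 40960]",
    r"R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-3-31 363344]",
    r"S3 nosGetPlusHelper;getPlus Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-7-28 14336]",
    r"2011-05-15 00:38:13 -------- d-sha-r- C:\cmdcons",
    r"2011-05-14 22:29:47 89088 ----a-w- c:\windows\MBR.exe",
    r"2011-05-13 04:23:57 0 ----a-w- c:\windows\Xvitalegetek.bin",
    r"2011-05-15 02:41:20 73728 ----a-w- c:\windows\system32\javacpl.cpl",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.reason}\n    {f.line}")
```

Run over the constructed lines it reports exactly two hits: the Temp-folder driver and the zero-byte .bin in the Windows root; the Avira driver, the ComboFix helper MBR.exe and the Java control panel applet are left alone. Heuristics like these produce leads, not verdicts, which is why the helper still asks for the log before deciding what goes into a script.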

Looks much better! You can install AVG. If you're not happy with AVG, I use:

  • Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.

There are some older versions of Java on your computer. These can be a source of this infection.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 25 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u125 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache. Leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the downloaded applications and applets from the cache.
    • Click OK to leave the Temporary Files window.
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_25 from Sun Microsystems Inc.

-------------------------------------------------------------------

Next

Delete your copy of DDS from your desktop.

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your thread.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).


Hey Kenny94, I got the Java update done but it didn't match your "Java Version: 1.6.0_25" designation.

Please see the attached screenshot of the Java update.

There was an MS update prompt I went ahead and installed after installing the latest Java; I also attached a screenshot of that somewhat suspicious-looking process... IDK, maybe I'm just paranoid.

post-80598-0-64603200-1305427948.jpg

post-80598-0-10629200-1305428131.jpg


"Instead of attaching, please copy/paste both logs into your thread"

DDS (Ver_11-03-05.01) - NTFSx86

Run by Paul Russell at 21:10:31.56 on Sat 05/14/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.233 [GMT -7:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: McAfee Personal Firewall Plus *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Paul Russell\Desktop\dds.scr

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe

C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe

.

============== Pseudo HJT Report ===============

.

mSearch Bar = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\toscdspd.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Tvs] "c:\program files\toshiba\tvs\TvsTray.exe"

mRun: [TPSMain] TPSMain.exe

mRun: [THotkey] "c:\program files\toshiba\toshiba applet\thotkey.exe"

mRun: [synTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"

mRun: [synTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"

mRun: [smoothView] "c:\program files\toshiba\toshiba zooming utility\SmoothView.exe"

mRun: [Notebook Maximizer] c:\program files\notebook maximizer\maximizer_startup.exe

mRun: [NDSTray.exe] NDSTray.exe

mRun: [TFncKy] TFncKy.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [CFSServ.exe] CFSServ.exe -NoClient

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

Trusted Zone: microsoft.com\www.update

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\paulru~1\applic~1\mozilla\firefox\profiles\taikida1.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\program files\windows media player\npatgpc.dll

.

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 16000

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.max.tokenizing.time - 3000000

FF - user.js: content.maxtextrun - 4095

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 1000000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 1000000

FF - user.js: dom.disable_window_status_change - true

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 1000

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-14 11608]

R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2006-1-4 80640]

R1 SuperMounter;SuperMounter;c:\windows\system32\drivers\supermounter.sys [2009-3-14 11264]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-14 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-14 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-14 61960]

R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [2006-1-11 137344]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-3-31 363344]

R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [2006-1-11 12032]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-3-31 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-1 135664]

S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubVeo532.sys [2006-1-25 95232]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-1 135664]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2005-7-28 14336]

S4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-1-5 126976]

S4 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-1-5 122368]

S4 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-7-28 245760]

.

=============== Created Last 30 ================

.

2011-05-15 02:41:20 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-15 02:04:58 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-05-15 02:04:57 -------- d-----w- c:\program files\Avira

2011-05-15 02:04:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2011-05-15 00:38:13 -------- d-sha-r- C:\cmdcons

2011-05-15 00:31:05 -------- d-----w- c:\windows\system32\CatRoot2

2011-05-15 00:24:31 -------- d--h--w- c:\program files\WindowsUpdate

2011-05-14 22:29:47 98816 ----a-w- c:\windows\sed.exe

2011-05-14 22:29:47 89088 ----a-w- c:\windows\MBR.exe

2011-05-14 22:29:47 256512 ----a-w- c:\windows\PEV.exe

2011-05-14 22:29:47 161792 ----a-w- c:\windows\SWREG.exe

2011-05-14 18:02:18 0 ---ha-w- c:\docume~1\paulru~1\locals~1\applic~1\BIT4.tmp

2011-05-14 18:02:16 0 ---ha-w- c:\docume~1\paulru~1\locals~1\applic~1\BIT3.tmp

2011-05-13 16:54:40 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{cbbd5efe-e8d6-47af-b163-26e699dc2cbb}\mpengine.dll

2011-05-13 16:52:57 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-05-13 16:52:57 -------- d-----w- c:\windows\system32\wbem\Repository

2011-05-13 05:25:08 0 ---ha-w- c:\docume~1\paulru~1\locals~1\applic~1\BITA.tmp

2011-05-13 05:25:08 0 ---ha-w- c:\docume~1\paulru~1\locals~1\applic~1\BIT7.tmp

2011-05-13 04:30:52 0 ---ha-w- c:\docume~1\paulru~1\locals~1\applic~1\BIT9.tmp

2011-05-13 04:30:51 0 ---ha-w- c:\docume~1\paulru~1\locals~1\applic~1\BIT8.tmp

2011-05-13 04:23:57 0 ----a-w- c:\windows\Xvitalegetek.bin

2011-05-10 22:24:02 -------- d-----w- c:\windows\system32\NtmsData

2011-05-08 17:18:44 -------- d-----w- c:\windows\ie8updates

2011-05-08 17:10:32 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-05-08 17:10:32 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-05-08 17:10:31 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-05-08 17:10:31 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-05-08 17:10:27 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-05-08 17:10:25 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-05-08 17:09:58 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll

2011-05-06 03:30:04 -------- d-----w- c:\program files\ATF

2011-05-04 03:56:18 -------- d-sh--w- c:\documents and settings\paul russell\PrivacIE

2011-05-04 03:53:58 -------- d-sh--w- c:\documents and settings\paul russell\IETldCache

2011-05-04 03:51:09 -------- d--h--w- c:\windows\msdownld.tmp

2011-05-04 03:49:10 -------- dc-h--w- c:\windows\ie8

2011-05-01 06:34:08 388096 ----a-r- c:\docume~1\paulru~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-04-26 01:02:36 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-04-26 01:02:36 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-04-26 01:02:35 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-04-26 01:02:35 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-04-26 01:02:35 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-04-26 01:02:34 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-04-26 01:02:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-04-26 01:02:33 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

.

==================== Find3M ====================

.

2011-05-15 02:41:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-16 20:28:20 16704 ----a-w- c:\windows\system32\roboot.exe

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 21:12:10.31 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 1/4/2006 5:30:28 PM

System Uptime: 5/14/2011 7:35:40 PM (2 hours ago)

.

Motherboard: TOSHIBA | | Portable PC

Processor: Intel® Pentium® M processor 2.00GHz | mFCPGA | 1994/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 93 GiB total, 59.813 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: 1394 Net Adapter

Device ID: V1394\NIC1394\785027D180DA0

Manufacturer: Microsoft

Name: 1394 Net Adapter #2

PNP Device ID: V1394\NIC1394\785027D180DA0

Service: NIC1394

.

==== System Restore Points ===================

.

RP1584: 2/14/2011 6:25:26 PM - System Checkpoint

RP1585: 2/15/2011 5:19:23 PM - Software Distribution Service 3.0

RP1586: 2/16/2011 7:28:21 PM - System Checkpoint

RP1587: 2/17/2011 7:53:05 PM - System Checkpoint

RP1588: 2/18/2011 4:29:12 PM - Software Distribution Service 3.0

RP1589: 2/19/2011 5:19:33 PM - System Checkpoint

RP1590: 2/20/2011 7:42:00 PM - System Checkpoint

RP1591: 2/22/2011 1:51:48 PM - Software Distribution Service 3.0

RP1592: 2/23/2011 4:04:18 PM - System Checkpoint

RP1593: 2/23/2011 6:43:05 PM - Software Distribution Service 3.0

RP1594: 2/24/2011 7:22:40 PM - System Checkpoint

RP1595: 2/25/2011 3:05:50 PM - Software Distribution Service 3.0

RP1596: 2/26/2011 3:36:38 PM - System Checkpoint

RP1597: 2/27/2011 4:59:34 PM - System Checkpoint

RP1598: 2/28/2011 5:53:19 PM - System Checkpoint

RP1599: 3/1/2011 5:22:51 PM - Software Distribution Service 3.0

RP1600: 3/2/2011 5:45:28 PM - System Checkpoint

RP1601: 3/3/2011 6:02:47 PM - System Checkpoint

RP1602: 3/4/2011 9:50:32 AM - Software Distribution Service 3.0

RP1603: 3/5/2011 10:46:15 AM - System Checkpoint

RP1604: 3/6/2011 12:26:00 PM - System Checkpoint

RP1605: 3/7/2011 4:10:50 PM - System Checkpoint

RP1606: 3/7/2011 8:55:09 PM - Unsigned driver install

RP1607: 3/8/2011 4:58:20 PM - Software Distribution Service 3.0

RP1608: 3/8/2011 5:01:27 PM - Software Distribution Service 3.0

RP1609: 3/9/2011 6:59:07 PM - System Checkpoint

RP1610: 3/10/2011 4:52:49 PM - Software Distribution Service 3.0

RP1611: 3/11/2011 4:22:56 PM - Software Distribution Service 3.0

RP1612: 3/12/2011 4:33:15 PM - System Checkpoint

RP1613: 3/13/2011 6:09:13 PM - System Checkpoint

RP1614: 3/14/2011 6:28:05 PM - System Checkpoint

RP1615: 3/15/2011 5:59:56 PM - Software Distribution Service 3.0

RP1616: 3/16/2011 8:13:28 PM - System Checkpoint

RP1617: 3/18/2011 12:28:13 PM - Software Distribution Service 3.0

RP1618: 3/19/2011 3:50:40 PM - System Checkpoint

RP1619: 3/19/2011 7:02:04 PM - Installed Adobe Reader X (10.0.1).

RP1620: 3/21/2011 7:04:46 AM - System Checkpoint

RP1621: 3/22/2011 4:33:24 PM - Software Distribution Service 3.0

RP1622: 3/23/2011 3:13:51 PM - Software Distribution Service 3.0

RP1623: 3/24/2011 4:04:32 PM - System Checkpoint

RP1624: 3/25/2011 10:22:06 AM - Software Distribution Service 3.0

RP1625: 3/26/2011 9:43:11 PM - System Checkpoint

RP1626: 3/28/2011 4:56:02 PM - System Checkpoint

RP1627: 3/29/2011 5:17:44 PM - Software Distribution Service 3.0

RP1628: 3/30/2011 5:43:25 PM - System Checkpoint

RP1629: 4/1/2011 4:16:57 PM - Software Distribution Service 3.0

RP1630: 4/2/2011 10:20:18 PM - System Checkpoint

RP1631: 4/4/2011 5:07:05 PM - System Checkpoint

RP1632: 4/5/2011 6:38:37 PM - Software Distribution Service 3.0

RP1633: 4/7/2011 4:28:52 PM - System Checkpoint

RP1634: 4/8/2011 5:42:55 PM - Software Distribution Service 3.0

RP1635: 4/9/2011 9:10:28 PM - System Checkpoint

RP1636: 4/10/2011 9:48:38 PM - System Checkpoint

RP1637: 4/12/2011 4:45:19 PM - System Checkpoint

RP1638: 4/12/2011 9:01:43 PM - Software Distribution Service 3.0

RP1639: 4/12/2011 9:42:44 PM - Software Distribution Service 3.0

RP1640: 4/14/2011 4:19:24 PM - System Checkpoint

RP1641: 4/14/2011 10:21:27 PM - Software Distribution Service 3.0

RP1642: 4/15/2011 8:56:02 PM - Software Distribution Service 3.0

RP1643: 4/16/2011 7:54:04 PM - Software Distribution Service 3.0

RP1644: 4/17/2011 8:39:49 PM - System Checkpoint

RP1645: 4/19/2011 10:21:03 AM - Software Distribution Service 3.0

RP1646: 4/20/2011 7:59:58 PM - System Checkpoint

RP1647: 4/21/2011 8:46:35 PM - System Checkpoint

RP1648: 4/22/2011 10:48:45 AM - Software Distribution Service 3.0

RP1649: 4/23/2011 12:32:49 PM - System Checkpoint

RP1650: 4/24/2011 12:58:14 PM - System Checkpoint

RP1651: 4/25/2011 2:58:31 PM - System Checkpoint

RP1652: 4/26/2011 6:00:06 PM - System Checkpoint

RP1653: 4/27/2011 6:15:58 PM - Software Distribution Service 3.0

RP1654: 4/27/2011 6:17:44 PM - Software Distribution Service 3.0

RP1655: 4/29/2011 9:01:04 AM - System Checkpoint

RP1656: 4/29/2011 11:18:16 AM - Software Distribution Service 3.0

RP1657: 4/30/2011 2:19:54 PM - System Checkpoint

RP1658: 5/1/2011 7:18:15 PM - System Checkpoint

RP1659: 5/3/2011 6:00:44 PM - System Checkpoint

RP1660: 5/3/2011 8:50:23 PM - Installed Windows Internet Explorer 8.

RP1661: 5/4/2011 8:53:29 PM - System Checkpoint

RP1662: 5/5/2011 8:59:42 PM - System Checkpoint

RP1663: 5/7/2011 6:39:49 AM - System Checkpoint

RP1664: 5/8/2011 9:17:04 AM - Removed KML Editor

RP1665: 5/8/2011 9:18:26 AM - Removed Imgur Uploader

RP1666: 5/8/2011 9:28:35 AM - Installed Microsoft Fix it 50267

RP1667: 5/8/2011 10:09:48 AM - Software Distribution Service 3.0

RP1668: 5/8/2011 10:16:55 AM - Software Distribution Service 3.0

RP1669: 5/9/2011 5:05:37 PM - System Checkpoint

RP1670: 5/10/2011 11:18:13 AM - Software Distribution Service 3.0

RP1671: 5/11/2011 2:45:17 PM - Avg8 Update

RP1672: 5/11/2011 2:50:16 PM - Software Distribution Service 3.0

RP1673: 5/13/2011 9:51:18 AM - Restore Operation

RP1674: 5/14/2011 11:30:08 AM - System Checkpoint

RP1675: 5/14/2011 11:57:07 AM - Removed AVG Free 8.5

RP1676: 5/14/2011 12:02:15 PM - Removed AVG Free 8.5

RP1677: 5/14/2011 12:04:47 PM - Removed AVG Free 8.5

RP1678: 5/14/2011 12:14:35 PM - Removed AVG Free 8.5

RP1679: 5/14/2011 12:16:13 PM - Removed AVG Free 8.5

RP1680: 5/14/2011 7:04:57 PM - Avira AntiVir Personal - 5/14/2011 19:04

RP1681: 5/14/2011 7:29:02 PM - Removed J2SE Runtime Environment 5.0 Update 2

RP1682: 5/14/2011 7:32:58 PM - Removed Java 6 Update 20

RP1683: 5/14/2011 7:40:41 PM - Installed Java 6 Update 25

RP1684: 5/14/2011 7:41:58 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Adobe Acrobat 5.0

Adobe AIR

Adobe Download Manager

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader X (10.0.1)

Advanced SystemCare 3

AirSnare

America Online (Choose which version to remove)

Apple Application Support

Apple Software Update

ArcExplorer Java Edition

AT&T Connection Services Manager

Avira AntiVir Personal - Free Antivirus

AVS Audio Editor version 4.2

AVS Update Manager 1.0

AVS4YOU Software Navigator 1.3

Bluetooth Stack for Windows by Toshiba

CAD2Shape 4.0

Camera Window

Canon Camera Window for ZoomBrowser EX

Canon PhotoRecord

Canon Utilities Easy-PhotoPrint

Canon Utilities PhotoStitch 3.1

Canon Utilities ZoomBrowser EX

CCleaner

CD/DVD Drive Acoustic Silencer

Defraggler

DVD-RAM Driver

dwgConvert 4.0

Easy-WebPrint

EasyCleaner

ESET Online Scanner v3

Ethereal 0.99.0

Eusing Free Registry Cleaner

filehippo.com Update Checker

Free PS Convert driver 8.15

Google Chrome

Google Earth

Google Update Helper

Grand Theft Auto Vice City

GTA San Andreas

HiJackThis

HijackThis 1.99.1

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Intel® Graphics Media Accelerator Driver

Intel® PROSet/Wireless Software

InterVideo WinDVD Creator 2

InterVideo WinDVD for TOSHIBA

IrfanView (remove only)

Java Auto Updater

Java 6 Update 25

Leisure Suit Larry - Magna Cum Laude

Logitech Desktop Messenger

Logitech SetPoint

Malwarebytes' Anti-Malware

Mapping Your Travels and Relocation

MapWindow GIS

McAfee Personal Firewall Plus

McAfee SecurityCenter

mCore

mDrWiFi

mHelp

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Office OneNote 2003

Microsoft Office Standard Edition 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable - KB2467175

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework

Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32

Microsoft Works

mIWA

mIWCA

mLogView

mMHouse

Mozilla Firefox (3.6.3)

mPfMgr

mPfWiz

mProSafe

MSN

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

mWlsSafe

mXML

MyConnect Special Offer

mZConfig

Notebook Maximizer

NSIS KSDownloader

OCAD 10 Viewer Viewer

Opera 9.51

PhotoStitch

Pure Networks Port Magic

Python 2.1

Python 2.1 combined Win32 extensions

Quantum GIS Copiapo 1.6.0

Quicken 2005

QuickTime

SD Secure Module

Security Task Manager 1.7d

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2183461)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360131)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2416400)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2482017)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2497640)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2510581)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956390)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969897)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB976325)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982381)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SMSC IrCC V5.1.3600.5 SP2

Sonic DLA

Sonic RecordNow!

Sony Picture Utility

Sony USB Driver

SoundMAX

Super Utilities Pro 9.41

Synaptics Pointing Device Driver

System Requirements Lab

Texas Instruments PCIxx21/x515 drivers.

TextPad 5

Tiles2kml Pro

TIxx21/x515

TOSHIBA Assist

TOSHIBA ConfigFree

TOSHIBA Controls

TOSHIBA Hotkey Utility

TOSHIBA PC Diagnostic Tool

TOSHIBA Power Saver

Toshiba Q4 Retail Demo ScreenSaver

Toshiba Registration

TOSHIBA SD Memory Card Format

TOSHIBA Software Modem

TOSHIBA Software Upgrades

TOSHIBA Speech System Applications

TOSHIBA Speech System SR Engine(U.S.) Version1.0

TOSHIBA Speech System TTS Engine(U.S.) Version1.0

Toshiba Tbiosdrv Driver

TOSHIBA TouchPad ON/Off Utility

TOSHIBA Utilities

TOSHIBA Virtual Sound

TOSHIBA Zooming Utility

Touch and Launch

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

Update for Windows XP (KB978207)

Update for Windows XP (KB980182)

Veo Connect

Veo Digital Studio

Viewpoint Media Player

WebFldrs XP

Windows Defender

Windows Defender Signatures

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 10

Windows XP Service Pack 3

WinRAR archiver

Wisdom-soft Set up ASR 3.1 Free

World Health Chart 2001, Public Beta 0.1

XML Paper Specification Shared Components Pack 1.0

.

==== Event Viewer Messages From Past Week ========

.

5/8/2011 9:18:38 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

5/8/2011 8:59:59 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402

5/8/2011 8:59:59 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402

5/8/2011 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402

5/8/2011 3:00:00 AM, error: Schedule [7901] - The At28.job command failed to start due to the following error: %%2147942402

5/8/2011 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402

5/8/2011 2:00:00 AM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402

5/8/2011 12:58:59 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402

5/8/2011 12:18:00 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402

5/8/2011 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402

5/8/2011 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402

5/8/2011 10:00:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402

5/8/2011 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402

5/8/2011 1:45:01 AM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.

5/8/2011 1:34:57 AM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.

5/8/2011 1:00:00 AM, error: Schedule [7901] - The At26.job command failed to start due to the following error: %%2147942402

5/8/2011 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402

5/7/2011 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402

5/7/2011 8:00:00 AM, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402

5/7/2011 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402

5/7/2011 7:00:00 AM, error: Schedule [7901] - The At32.job command failed to start due to the following error: %%2147942402

5/14/2011 5:43:32 PM, error: PlugPlayManager [11] - The device Root\LEGACY_BFASTFAO\0000 disappeared from the system without first being prepared for removal.

5/14/2011 5:39:21 PM, error: Service Control Manager [7034] - The TOSHIBA Application Service service terminated unexpectedly. It has done this 1 time(s).

5/14/2011 5:39:21 PM, error: Service Control Manager [7034] - The Spectrum24 Event Monitor service terminated unexpectedly. It has done this 1 time(s).

5/14/2011 5:39:21 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

5/14/2011 5:39:20 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).

5/14/2011 5:39:20 PM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).

5/14/2011 5:39:20 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).

5/14/2011 5:39:20 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).

5/14/2011 5:39:20 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

5/14/2011 5:39:20 PM, error: Service Control Manager [7034] - The EvtEng service terminated unexpectedly. It has done this 1 time(s).

5/14/2011 3:37:09 PM, error: PlugPlayManager [11] - The device Root\LEGACY_NPF\0000 disappeared from the system without first being prepared for removal.

5/14/2011 3:37:09 PM, error: PlugPlayManager [11] - The device Root\LEGACY_AFPANSI\0000 disappeared from the system without first being prepared for removal.

5/14/2011 3:23:30 PM, error: Service Control Manager [7034] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 2 time(s).

5/14/2011 3:23:30 PM, error: Service Control Manager [7031] - The AVG Free8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

5/13/2011 9:54:40 AM, error: WinDefend [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.103.1139.0 Loading engine version: 1.1.6802.0

5/13/2011 7:30:01 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm SuperMounter Tosrfcom

5/12/2011 9:59:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

5/12/2011 9:43:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

5/12/2011 10:24:59 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

5/12/2011 10:24:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde KR10N

5/11/2011 9:00:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402

5/11/2011 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402

5/11/2011 8:00:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402

5/11/2011 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402

5/11/2011 7:00:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402

5/11/2011 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402

5/11/2011 6:00:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402

5/11/2011 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402

5/11/2011 5:00:00 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402

5/11/2011 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402

5/11/2011 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402

5/11/2011 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402

5/11/2011 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402

5/11/2011 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402

5/10/2011 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402

5/10/2011 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402

5/10/2011 12:00:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402

5/10/2011 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402

5/10/2011 11:00:00 AM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402

5/10/2011 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402

5/10/2011 10:00:00 AM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402

5/10/2011 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402

5/10/2011 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402

5/10/2011 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402

.

==== End Of File ===========================

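The "Event Viewer Messages" section above shows two patterns a defender should not skim past: Schedule event 7901 firing for At1.job through At48.job with error %%2147942402 (0x80070002, file not found: the task still fires but its target is gone), and nine services all dying in the same second on 5/14. The script below is an added example, not part of the thread or of the DDS tool; it parses lines in the DDS event format and surfaces both patterns, using a constructed subset of the log's own lines as input.

```python
"""Triage helper for the 'Event Viewer Messages' section of a DDS log.

Added example, not part of the original thread or of the DDS tool. It parses lines
of the form '<m/d/yyyy h:mm:ss AM|PM>, <level>: <Source> [<EventID>] - <message>'
and surfaces:
  * Schedule 7901 failures for At<N>.job tasks (error %%2147942402 = 0x80070002,
    ERROR_FILE_NOT_FOUND: the scheduled file is gone but the task still fires)
  * several 'service terminated unexpectedly' events (7031/7034) within seconds
  * PlugPlayManager 11 'Root\\LEGACY_<driver>\\0000 disappeared' events
"""
import re
from datetime import datetime

EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
AT_JOB_RE = re.compile(r"\bThe (At\d+\.job) command failed to start")
SVC_DIED_RE = re.compile(r"\bThe (?P<svc>.+?) service terminated unexpectedly")
LEGACY_DEV_RE = re.compile(r"Root\\LEGACY_(\w+)\\\d+ disappeared")

# Constructed sample: a subset of the lines from the log above, same format.
SAMPLE_LOG = r"""
5/8/2011 8:59:59 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
5/8/2011 8:59:59 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
5/8/2011 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
5/8/2011 1:45:01 AM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
5/14/2011 5:39:21 PM, error: Service Control Manager [7034] - The TOSHIBA Application Service service terminated unexpectedly. It has done this 1 time(s).
5/14/2011 5:39:21 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
5/14/2011 5:39:20 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
5/14/2011 5:39:20 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
5/14/2011 3:37:09 PM, error: PlugPlayManager [11] - The device Root\LEGACY_NPF\0000 disappeared from the system without first being prepared for removal.
""".strip()


def parse_events(text):
    """Turn DDS event lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev["when"], "%m/%d/%Y %I:%M:%S %p")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def at_job_failures(events):
    """Distinct AT jobs whose launch failed (Schedule 7901), ordered by job number."""
    jobs = set()
    for ev in events:
        if ev["source"] == "Schedule" and ev["event_id"] == 7901:
            m = AT_JOB_RE.search(ev["message"])
            if m:
                jobs.add(m.group(1))
    return sorted(jobs, key=lambda j: int(j[2:-4]))  # "At34.job" -> 34


def service_crash_clusters(events, window_seconds=5, min_services=3):
    """Group unexpected service terminations (7031/7034) that fall within
    window_seconds of the first one in the group; only groups of at least
    min_services are returned, each as a list of service names."""
    deaths = []
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["event_id"] in (7031, 7034):
            m = SVC_DIED_RE.search(ev["message"])
            if m:
                deaths.append((ev["when"], m.group("svc")))
    deaths.sort()
    clusters, current = [], []
    for when, svc in deaths:
        if current and (when - current[0][0]).total_seconds() > window_seconds:
            if len(current) >= min_services:
                clusters.append(current)
            current = []
        current.append((when, svc))
    if len(current) >= min_services:
        clusters.append(current)
    return [[svc for _, svc in c] for c in clusters]


def legacy_drivers_gone(events):
    """Driver names from PlugPlayManager 11 'LEGACY_<name> disappeared' events."""
    names = []
    for ev in events:
        if ev["source"] == "PlugPlayManager" and ev["event_id"] == 11:
            m = LEGACY_DEV_RE.search(ev["message"])
            if m:
                names.append(m.group(1))
    return names


def triage(text):
    """Summarise one DDS event section as a dict of findings."""
    events = parse_events(text)
    return {
        "events": len(events),
        "at_jobs": at_job_failures(events),
        "service_crash_clusters": service_crash_clusters(events),
        "legacy_drivers_gone": legacy_drivers_gone(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full section above it lists all 48 At jobs, which is the cue to inspect the Tasks folder those jobs live in and see what created them, and it groups the 5/14 5:39 PM service terminations into one cluster.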

Good to hear Java is okay.

PC was doing pretty well up until I noticed a double instance of "dllhost.exe" in Task Manager last night.

I tried deleting it several different ways but it always came back.

I ran a full scan using Avira (attached).

Logged on this morning and have not seen the dllhost.exe in Task Manager, but Firefox browser is not opening correctly (I'm using Chrome right now).

When Firefox finally opens (after a few minutes) I get about 15 "plugin-container.exe" and 4 "AcroRd32.exe" in Task Manager.

Any ideas?

AVSCAN-2011 0514.txt


dllhost.exe is fine in your case. Dial-A-Fix and the cleanup replaced some of the Windows files that were missing. We'll deal with Firefox and Acrobat Reader in the next post.

The one file is in System Restore. We'll flush your System Restore points.

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, both of which are free to use and more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website you are about to visit has a bad reputation; in fact it will warn you and ask whether you are sure you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Secunia software inspector & update checker

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Auslogics Disk Defrag or JKDefrag - Two good disk defragmenters for you to choose from to help speed up your computer.

Visit My Blog for Malware and Spyware Tips


You might want to use ATF for Firefox:

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only.


  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

By the way, you might want to remove the Registry cleaners you have installed... :) They are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.

For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

Further reading: XP Fixes Myth #1: Registry Cleaners

http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

Ran ATF; looks like it does about the same thing as CCleaner, yes?

I run CCleaner at least once a week.

Good to know about registry cleaners...

Just ran the ComboFix uninstall (looked very similar to the install process) and have attached the log.

I'm going to install NoScript and WOT (Web Of Trust), since Firefox is and has been my default browser for over 5 years.

Assuming everything here is done/fixed, I just have one more question: how likely is identity / banking info theft from this severe intrusion by TDL3?

combofix UNinstall log 051511.txt


I would change any financial site passwords, to be on the safe side. ATF Cleaner and CCleaner are similar.

As for ComboFix, please do the below:

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Okay Kenny94, everything is looking good here, I think... ran the OTC.exe and that seems to have removed ComboFix successfully.

I went ahead and placed most of the other logs/tools in their own folder for reference's sake.

Been using several of your suggested tools and have a few questions:

Is Defraggler (I've used it for years) an adequate defrag, or are the 2 you mentioned better?

The Secunia scan found about 8 things needing updates; the most striking was IE 8 with about 100 hyperlinks... I rarely use IE, so is this of any concern?

windowsupdate.com looks like it only works with IE; is there a way to get MS update status in Firefox?

This topic is now closed to further replies.