# Virus and lost Wifi connection



## NightOwl323 (Mar 20, 2012)

I had a recent virus infestation on my laptop. One was a fake repeated request to install Adobe Flash which kept popping up every minute or so and the other was causing redirects on my browser (Firefox). 
I ran Malwarebytes' Anti-Malware and eliminated two trojans, but the problem persisted. I ran it again in safe mode and found one more. Again, the problem was not resolved. I installed Microsoft Security Essentials, which found multiple threats, cleaned them, and then continued to pop up with the same threats repeatedly. Afterwards, I ran a series of cleans including ESET online scanner (which stalled) and TDSSKiller, which found approximately 40 rootkit issues (when I expanded the parameters), all with medium threat, and all of which I cleaned. After running these programs, I have lost access to the internet. The wifi connection stalls on "acquiring network address." I've rebooted the wifi router, and the computer, as well as disabled the connection. Nothing has reset it. It looks like the virus may be gone, but I really have no way of knowing until I can access the internet and try browsing. So, I'm not sure if this is still a virus issue, or a wifi connection issue which I caused with all of my "cleaning."

Thank you in advance for all of your assistance.

Hijack Log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:52:59 PM, on 3/19/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\LILLY\Desktop\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.efax.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://portal.omm.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1181342368703
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: NecUsb3Sevices - USB3Sw32.dll (file missing)
O20 - Winlogon Notify: USB3Sw32 - USB3Sw32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10729 bytes

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23
Run by LILLY at 18:54:05 on 2012-03-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1108 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz0.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MFNetworkScanUtility] c:\program files\canon\canon mf network scan utility\CNMFSUT.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: efax.com\www
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://portal.omm.com/Citrix/ICAWEB/en/ica32/wficat.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181342368703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{D484A55B-A6C8-4FFF-86AC-4AA88FCDDAF3} : DhcpNameServer = 192.168.2.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: USB3Sw32 - USB3Sw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\lilly\application data\mozilla\firefox\profiles\68mnu47b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Findbasic
FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=
FF - component: c:\program files\adobe\acrobat 10.0\acrobat\browser\wcfirefoxextn\components\WCFirefoxExtn.dll
FF - plugin: c:\documents and settings\lilly\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\lilly\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 dfxdjgso;dfxdjgso;\??\c:\windows\system32\drivers\dfxdjgso.sys --> c:\windows\system32\drivers\dfxdjgso.sys [?]
S1 icblpmis;icblpmis;\??\c:\windows\system32\drivers\icblpmis.sys --> c:\windows\system32\drivers\icblpmis.sys [?]
S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2010-6-4 14336]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]
.
=============== Created Last 30 ================
.
2012-03-20 01:52:04 388096 ----a-r- c:\documents and settings\lilly\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-18 10:34:14 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-18 10:03:19 -------- d-----w- c:\documents and settings\lilly\local settings\application data\PCHealth
2012-03-18 09:51:46 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-03-18 09:09:04 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-18 08:46:51 -------- d-----w- c:\documents and settings\lilly\application data\PriceGong
2012-03-18 06:55:30 -------- d-----w- c:\documents and settings\lilly\application data\Process Hacker 2
2012-03-18 06:54:15 -------- d-----w- c:\program files\Process Hacker 2
2012-03-17 07:46:22 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-03-17 07:36:01 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
==================== Find3M ====================
.
.
============= FINISH: 18:55:32.18 ===============

DDS log (Attach.txt) uploaded as requested.

GMER log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-20 11:30:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHV2160BT_PL rev.00000050
Running: ue5yq2hi.exe; Driver: C:\DOCUME~1\LILLY\LOCALS~1\Temp\pwtdapob.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xB961EEBF]
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !
? C:\DOCUME~1\LILLY\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [015E3880] C:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [015E3930] C:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [015E3A60] C:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [015E39D0] C:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB2866$\353902122 0 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\cfg.ini 170 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\L 0 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\L\pavtnywh 162816 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\oemid 259 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\U 0 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected] 2048 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected] 224768 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected] 1024 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected] 66560 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected] 12800 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected] 96256 bytes
File C:\WINDOWS\$NtUninstallKB2866$\353902122\version 864 bytes
File C:\WINDOWS\$NtUninstallKB2866$\851918141 0 bytes

---- EOF - GMER 1.0.15 ----


----------



## NightOwl323 (Mar 20, 2012)

Please Bump


----------



## Cookiegal (Aug 27, 2003)

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

*Link 1*
*Link 2*

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to *Step 1*, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

*Note: If you have SP3, use the SP2 package.*

---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------

*Disable your anti-virus and anti-spyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'Yes' to run the full ComboFix scan.

When the tool is finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* in your next reply.


----------



## NightOwl323 (Mar 20, 2012)

Dear CookieGal, I can't thank you enough for taking your time to assist me. Please note that ComboFix detected "active" Microsoft Security Essentials. There was no option to "disable" the program that I could find within the program itself, and right-clicking on the toolbar only offered "open" as an option. Therefore, I uninstalled the program using my control panel. I tell you this only because I think that changes some of the information in the original log I sent you. Below is the ComboFix log. If you need me to re-run HijackThis or any of the other previous logs, I'm happy to do so. Thanks again!!

Note: received this message during ComboFix scan -- "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. If for any reason that you're unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time." The program then indicated again that a rootkit was detected and requested a reboot, which I did. When the computer restarted, ComboFix reinitialized, but Windows never appears. It was just the ComboFix window with a blank background. (TMI??)

ComboFix Log:
ComboFix 12-03-25.01 - LILLY 03/25/2012 15:58:31.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1149 [GMT -7:00]
Running from: c:\documents and settings\LILLY\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\LILLY\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04hquq87.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04hquq87.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04hquq87.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\install.rdf
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}
c:\documents and settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome\xulcache.jar
c:\documents and settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\install.rdf
c:\documents and settings\LILLY\Application Data\PriceGong
c:\documents and settings\LILLY\Application Data\PriceGong\Data\1.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\10020.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\a.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\b.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\c.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\d.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\e.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\f.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\g.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\h.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\i.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\j.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\k.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\l.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\m.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\LILLY\Application Data\PriceGong\Data\n.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\o.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\p.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\q.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\r.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\s.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\t.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\u.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\v.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\w.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\x.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\y.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\z.txt
c:\documents and settings\LILLY\iqvowwjfac.tmp
c:\documents and settings\LILLY\WINDOWS
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome\xulcache.jar
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\defaults\preferences\xulcache.js
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\install.rdf
c:\windows\$NtUninstallKB2866$
c:\windows\$NtUninstallKB2866$\353902122\@
c:\windows\$NtUninstallKB2866$\353902122\cfg.ini
c:\windows\$NtUninstallKB2866$\353902122\Desktop.ini
c:\windows\$NtUninstallKB2866$\353902122\L\pavtnywh
c:\windows\$NtUninstallKB2866$\353902122\oemid
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\version
c:\windows\$NtUninstallKB2866$\851918141
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-25 23:16 . 2008-04-14 08:51	162816	-c--a-w-	c:\windows\system32\dllcache\netbt.sys
2012-03-25 23:16 . 2008-04-14 08:51	162816	----a-w-	c:\windows\system32\drivers\netbt.sys
2012-03-20 01:52 . 2012-03-20 01:52	388096	----a-r-	c:\documents and settings\LILLY\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-18 10:34 . 2012-03-18 10:34	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-03-18 10:03 . 2012-03-18 10:03	--------	d-----w-	c:\documents and settings\LILLY\Local Settings\Application Data\PCHealth
2012-03-18 10:02 . 2012-03-18 10:02	--------	d-----w-	c:\program files\Windows Defender
2012-03-18 09:51 . 2012-03-18 09:51	--------	d--h--w-	c:\windows\system32\GroupPolicy
2012-03-18 09:09 .
2012-03-18 09:09	--------	d-----w-	C:\TDSSKiller_Quarantine 2012-03-18 06:55 . 2012-03-18 06:55	--------	d-----w-	c:\documents and settings\LILLY\Application Data\Process Hacker 2 2012-03-18 06:54 . 2012-03-18 06:54	--------	d-----w-	c:\program files\Process Hacker 2 2012-03-17 07:46 . 2012-03-17 07:46	38400	----a-w-	c:\windows\system32\USB3Sw32.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-01 21:02 . 2009-05-01 21:02	1044480	----a-w-	c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02	200704	----a-w-	c:\program files\mozilla firefox\plugins\ssldivx.dll 2012-03-12 06:17 . 2011-06-05 07:13	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}] . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}] 2011-05-09 09:49	176936	----a-w-	c:\program files\Vuze_Remote\prxtbVuz0.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}] . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936] . [HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TDispVol"="TDispVol.exe" [2005-03-11 73728] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512] "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-02 82012] "Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728] "TPSMain"="TPSMain.exe" [2005-06-01 282624] "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888] "MFNetworkScanUtility"="c:\program files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE" [2009-12-15 484760] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 22:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NecUsb3Sevices] 2012-03-17 07:46	38400	----a-w-	c:\windows\system32\USB3Sw32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3Sw32] 2012-03-17 07:46	38400	----a-w-	c:\windows\system32\USB3Sw32.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Lawgic\\0001\\Rnr32Eng.EXE"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Documents and Settings\\LILLY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\LILLY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Vuze\\Azureus.exe"= . 
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592] S1 dfxdjgso;dfxdjgso;\??\c:\windows\system32\drivers\dfxdjgso.sys --> c:\windows\system32\drivers\dfxdjgso.sys [?] S1 icblpmis;icblpmis;\??\c:\windows\system32\drivers\icblpmis.sys --> c:\windows\system32\drivers\icblpmis.sys [?] S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [6/4/2010 3:35 PM 14336] S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?] S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] NecUsb3Sevic	REG_MULTI_SZ NecUsb3 . Contents of the 'Scheduled Tasks' folder . 2012-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3956782973-2139545190-3139515377-1005Core.job - c:\documents and settings\LILLY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 06:40] . 2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3956782973-2139545190-3139515377-1005UA.job - c:\documents and settings\LILLY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 06:40] . 2012-03-25 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20] . 2012-03-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-06-09 23:31] . 2012-03-12 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-11-24 23:31] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.yahoo.com/ mStart Page = hxxp://www.yahoo.com/ mSearch Bar = about:blank uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Trusted Zone: efax.com\www TCP: DhcpNameServer = 192.168.2.1 FF - ProfilePath - c:\documents and settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms} FF - prefs.js: browser.search.selectedEngine - Findbasic FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q= FF - user.js: yahoo.homepage.dontask - true . - - - - ORPHANS REMOVED - - - - . SafeBoot-89181721.sys AddRemove-{1B758D8A-B999-45AD-B7AA-14D10FDC19D2}_is1 - z:\e-z contact book\unins000.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-03-25 16:28 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . 
************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(496) c:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\USB3Sw32.dll . - - - - - - - > 'explorer.exe'(5528) c:\windows\system32\logishrd\LVPrcInj01.dll c:\windows\system32\TDispVol.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe c:\windows\system32\DVDRAMSV.exe c:\windows\eHome\ehRecvr.exe c:\windows\eHome\ehSched.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\toshiba\IVP\swupdate\swupdtmr.exe c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe c:\windows\ehome\mcrdsvc.exe c:\windows\system32\wscntfy.exe c:\windows\system32\dllhost.exe c:\windows\system32\TDispVol.exe c:\program files\Synaptics\SynTP\Toshiba.exe c:\windows\eHome\ehmsas.exe . ************************************************************************** . Completion time: 2012-03-25 16:46:03 - machine was rebooted ComboFix-quarantined-files.txt 2012-03-25 23:46 . Pre-Run: 61,022,474,240 bytes free Post-Run: 63,755,067,392 bytes free . - - End Of File - - 7F3266FAC8929B4AB43722EB87640352


----------



## Cookiegal (Aug 27, 2003)

Unfortunately, I can't use the log presented that way. Please be sure word wrap is off in Notepad. If it's still the same try attaching the log instead.


----------



## NightOwl323 (Mar 20, 2012)

Is this better?

ComboFix 12-03-25.01 - LILLY 03/25/2012 15:58:31.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1149 [GMT -7:00]
Running from: c:\documents and settings\LILLY\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\LILLY\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04hquq87.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04hquq87.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04hquq87.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\install.rdf
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}
c:\documents and settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome\xulcache.jar
c:\documents and settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\install.rdf
c:\documents and settings\LILLY\Application Data\PriceGong
c:\documents and settings\LILLY\Application Data\PriceGong\Data\1.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\10020.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\a.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\b.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\c.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\d.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\e.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\f.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\g.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\h.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\i.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\j.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\k.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\l.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\m.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\LILLY\Application Data\PriceGong\Data\n.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\o.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\p.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\q.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\r.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\s.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\t.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\u.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\v.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\w.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\x.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\y.txt
c:\documents and settings\LILLY\Application Data\PriceGong\Data\z.txt
c:\documents and settings\LILLY\iqvowwjfac.tmp
c:\documents and settings\LILLY\WINDOWS
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome\xulcache.jar
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\defaults\preferences\xulcache.js
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\install.rdf
c:\windows\$NtUninstallKB2866$
c:\windows\$NtUninstallKB2866$\353902122\@
c:\windows\$NtUninstallKB2866$\353902122\cfg.ini
c:\windows\$NtUninstallKB2866$\353902122\Desktop.ini
c:\windows\$NtUninstallKB2866$\353902122\L\pavtnywh
c:\windows\$NtUninstallKB2866$\353902122\oemid
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\U\[email protected]
c:\windows\$NtUninstallKB2866$\353902122\version
c:\windows\$NtUninstallKB2866$\851918141
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
.
c:\windows\system32\drivers\netbt.sys was missing 
Restored copy from - c:\windows\ServicePackFiles\i386\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-02-25 to 2012-03-25 )))))))))))))))))))))))))))))))
.
.
2012-03-25 23:16 . 2008-04-14 08:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-03-25 23:16 . 2008-04-14 08:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-20 01:52 . 2012-03-20 01:52 388096 ----a-r- c:\documents and settings\LILLY\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-18 10:34 . 2012-03-18 10:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-03-18 10:03 . 2012-03-18 10:03 -------- d-----w- c:\documents and settings\LILLY\Local Settings\Application Data\PCHealth
2012-03-18 10:02 . 2012-03-18 10:02 -------- d-----w- c:\program files\Windows Defender
2012-03-18 09:51 . 2012-03-18 09:51 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-03-18 09:09 . 2012-03-18 09:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-18 06:55 . 2012-03-18 06:55 -------- d-----w- c:\documents and settings\LILLY\Application Data\Process Hacker 2
2012-03-18 06:54 . 2012-03-18 06:54 -------- d-----w- c:\program files\Process Hacker 2
2012-03-17 07:46 . 2012-03-17 07:46 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2012-03-12 06:17 . 2011-06-05 07:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Vuze_Remote\prxtbVuz0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-02 82012]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"MFNetworkScanUtility"="c:\program files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE" [2009-12-15 484760]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NecUsb3Sevices]
2012-03-17 07:46 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3Sw32]
2012-03-17 07:46 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Lawgic\\0001\\Rnr32Eng.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\LILLY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\LILLY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S1 dfxdjgso;dfxdjgso;\??\c:\windows\system32\drivers\dfxdjgso.sys --> c:\windows\system32\drivers\dfxdjgso.sys [?]
S1 icblpmis;icblpmis;\??\c:\windows\system32\drivers\icblpmis.sys --> c:\windows\system32\drivers\icblpmis.sys [?]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [6/4/2010 3:35 PM 14336]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3956782973-2139545190-3139515377-1005Core.job
- c:\documents and settings\LILLY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 06:40]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3956782973-2139545190-3139515377-1005UA.job
- c:\documents and settings\LILLY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 06:40]
.
2012-03-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
2012-03-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-06-09 23:31]
.
2012-03-12 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-11-24 23:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: efax.com\www
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Findbasic
FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-89181721.sys
AddRemove-{1B758D8A-B999-45AD-B7AA-14D10FDC19D2}_is1 - z:\e-z contact book\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-25 16:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(496)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\USB3Sw32.dll
.
- - - - - - - > 'explorer.exe'(5528)
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\TDispVol.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2012-03-25 16:46:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-25 23:46
.
Pre-Run: 61,022,474,240 bytes free
Post-Run: 63,755,067,392 bytes free
.
- - End Of File - - 7F3266FAC8929B4AB43722EB87640352


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
c:\windows\system32\USB3Sw32.dll

Driver::
dfxdjgso
icblpmis
NecUsb3

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NecUsb3Sevices]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\USB3Sw32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"NecUsb3Sevic"=-
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*


----------



## NightOwl323 (Mar 20, 2012)

Thank you again.

ComboFix 12-03-25.01 - LILLY 03/26/2012 12:41:02.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1042 [GMT -7:00]
Running from: c:\documents and settings\LILLY\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\LILLY\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\USB3Sw32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\dasetup.log
c:\windows\system32\USB3Sw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NECUSB3
-------\Service_dfxdjgso
-------\Service_icblpmis
-------\Service_NecUsb3
.
.
((((((((((((((((((((((((( Files Created from 2012-02-26 to 2012-03-26 )))))))))))))))))))))))))))))))
.
.
2012-03-25 23:16 . 2008-04-14 08:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-03-25 23:16 . 2008-04-14 08:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-20 01:52 . 2012-03-20 01:52 388096 ----a-r- c:\documents and settings\LILLY\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-18 10:34 . 2012-03-18 10:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-03-18 10:03 . 2012-03-18 10:03 -------- d-----w- c:\documents and settings\LILLY\Local Settings\Application Data\PCHealth
2012-03-18 10:02 . 2012-03-18 10:02 -------- d-----w- c:\program files\Windows Defender
2012-03-18 09:51 . 2012-03-18 09:51 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-03-18 09:09 . 2012-03-18 09:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-18 06:55 . 2012-03-18 06:55 -------- d-----w- c:\documents and settings\LILLY\Application Data\Process Hacker 2
2012-03-18 06:54 . 2012-03-18 06:54 -------- d-----w- c:\program files\Process Hacker 2
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2012-03-12 06:17 . 2011-06-05 07:13 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Vuze_Remote\prxtbVuz0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-02 82012]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"MFNetworkScanUtility"="c:\program files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE" [2009-12-15 484760]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Lawgic\\0001\\Rnr32Eng.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\LILLY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\LILLY\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3956782973-2139545190-3139515377-1005Core.job
- c:\documents and settings\LILLY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 06:40]
.
2012-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3956782973-2139545190-3139515377-1005UA.job
- c:\documents and settings\LILLY\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 06:40]
.
2012-03-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
2012-03-26 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-06-09 23:31]
.
2012-03-12 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-11-24 23:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: efax.com\www
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Findbasic
FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-26 13:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(552)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(5640)
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\TDispVol.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2012-03-26 13:13:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-26 20:13
.
Pre-Run: 63,600,812,032 bytes free
Post-Run: 63,503,818,752 bytes free
.
- - End Of File - - 3AE44C523E92D6A8C641B229ACE19A02
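
An added example, not part of the original posts: one way to confirm from the two ComboFix logs above that the DLL named in CFScript.txt is no longer loaded into winlogon.exe after the second run. The log excerpts are copied from this thread and trimmed; the function names `loaded_dlls`, `diff_runs` and `still_loaded` are hypothetical helpers, not part of ComboFix.

```python
import re

# Excerpts of the two ComboFix logs posted in this thread (first run, then the
# run driven by CFScript.txt), trimmed to the section being compared.
RUN_1 = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(496)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\USB3Sw32.dll
.
- - - - - - - > 'explorer.exe'(5528)
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\windows\system32\TDispVol.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
"""

RUN_2 = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(552)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(5640)
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\windows\system32\TDispVol.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
"""

SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")          # "---- Title ----"
PROCESS_RE = re.compile(r"^(?:- )+>\s*'([^']+)'\((\d+)\)$")   # "- - > 'name'(pid)"
DLL_SECTION = "DLLs Loaded Under Running Processes"


def loaded_dlls(log_text):
    """Map process name -> set of non-default DLL paths listed under it.

    Keys are process names, not PIDs, because PIDs change across the reboot
    between runs. Several instances of one name are merged into one set.
    """
    modules = {}
    in_section = False
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            # Any other section header ends the DLL section.
            in_section = header.group(1) == DLL_SECTION
            current = None
            continue
        if not in_section or line in ("", "."):
            continue
        proc = PROCESS_RE.match(line)
        if proc:
            current = proc.group(1).lower()
            modules.setdefault(current, set())
        elif current is not None:
            # Windows paths are case-insensitive, so compare in lower case.
            modules[current].add(line.lower())
    return modules


def diff_runs(before_log, after_log):
    """Return only the processes whose loaded-DLL list changed between runs."""
    before, after = loaded_dlls(before_log), loaded_dlls(after_log)
    changes = {}
    for proc in sorted(set(before) | set(after)):
        removed = before.get(proc, set()) - after.get(proc, set())
        added = after.get(proc, set()) - before.get(proc, set())
        if removed or added:
            changes[proc] = {"removed": sorted(removed), "added": sorted(added)}
    return changes


def still_loaded(log_text, targets):
    """Return processes that still list any of the files targeted for removal."""
    wanted = {t.lower() for t in targets}
    return {proc: sorted(dlls & wanted)
            for proc, dlls in loaded_dlls(log_text).items() if dlls & wanted}


if __name__ == "__main__":
    target = [r"c:\windows\system32\USB3Sw32.dll"]  # File:: entry in CFScript.txt
    for proc, delta in diff_runs(RUN_1, RUN_2).items():
        print(proc, "removed:", delta["removed"], "added:", delta["added"])
    print("still loaded after second run:", still_loaded(RUN_2, target))
```

A new entry in the `added` list after a cleanup run is as worth reviewing as a failed removal, since it means something else has started loading into that process.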


----------



## Cookiegal (Aug 27, 2003)

Are you able to connect to the Internet now?


----------



## NightOwl323 (Mar 20, 2012)

Yes, I was able to connect after the first ComboFix run. I assumed you'd want to run through some other fixes or clean-ups. Should I have told you? I'm sorry for the oversight.
I'm thrilled!!
Thank you so much.
Are there further steps? When we're done I have one last question which isn't a virus removal issue, but pertains to Microsoft Security Essentials, so I assume this is the place to ask.


----------



## Cookiegal (Aug 27, 2003)

I'm not sure I'll be able to answer your question about MSE but you can fire away. 

Yes, I wasn't sure if you were able to connect but expected it should have been. There will be more to do to make sure all is OK.

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool (Vista/Windows 7 users - right click to run as administrator) and allow it to download the Avast database.

Click *Scan*.

Upon completion of the scan, click *Save log* then save it to your desktop and post that log in your next reply for review. 
*Note - do NOT attempt any Fix yet.*


----------



## NightOwl323 (Mar 20, 2012)

Downloading the scanner now. Thank you.
As for MSE...
My laptop, when on standby, turns on by itself every single day at 2am (middle of the night). It's been this way for ages. I can't stop it except to actually turn off my computer, in which case, it stays off. After downloading MSE this last time, I noticed that when I had originally downloaded the program ages ago, I had it originally set to scan every night at that time. But then I uninstalled the program. Looks like the scan setting continues despite no MSE! It's so confusing. That's the ONLY setting for 2am I have ever had on my computer. So it turns on, but since there's no program, it doesn't do anything and just stays on. Seems like the program installed a sub-program somewhere that didn't uninstall with the program. Any thoughts on how to find it and get rid of it?

Scan Log to follow shortly.


----------



## Cookiegal (Aug 27, 2003)

I can see from your logs that there are scans or updates in the scheduled tasks for Windows Defender and Spybot Search & Destroy. It's likely the Windows Defender one. You can uninstall Windows Defender through the Control Panel - Add or Remove programs. You can also remove the scheduled task by clicking on Scheduled Tasks in the Control Panel and deleting it from there.


----------



## NightOwl323 (Mar 20, 2012)

Here you go.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-26 15:44:37
-----------------------------
15:44:37.343 OS Version: Windows 5.1.2600 Service Pack 3
15:44:37.359 Number of processors: 2 586 0xF06
15:44:37.375 ComputerName: LEVOFFLAPTOP UserName: LILLY
15:44:55.500 Initialize success
15:45:16.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:45:16.578 Disk 0 Vendor: FUJITSU_MHV2160BT_PL 00000050 Size: 152627MB BusType: 3
15:45:16.656 Disk 0 MBR read successfully
15:45:16.656 Disk 0 MBR scan
15:45:16.656 Disk 0 Windows XP default MBR code
15:45:16.656 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152374 MB offset 63
15:45:16.687 Disk 0 Partition 2 00 88 Linux plaintext A Kárò'ó 251 MB offset 312062625
15:45:16.796 Disk 0 scanning sectors +312576705
15:45:16.968 Disk 0 scanning C:\WINDOWS\system32\drivers
15:45:52.312 Service scanning
15:47:12.828 Modules scanning
15:48:55.484 Disk 0 trace - called modules:
15:48:55.515 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys 
15:48:55.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a3f1ab8]
15:48:55.531 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000087[0x8a3a4258]
15:48:55.531 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a3a3d98]
15:48:55.531 Scan finished successfully
15:53:39.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\LILLY\Desktop\MBR.dat"
15:53:39.359 The log file has been saved successfully to "C:\Documents and Settings\LILLY\Desktop\aswMBR.txt"


----------



## NightOwl323 (Mar 20, 2012)

PS: Didn't fix anything, as you requested, but left the window open in case you want me to.


----------



## Cookiegal (Aug 27, 2003)

No, that looks good. You can close it out without any action.

Please run the following on-line scanner. Note that you must use Internet Explorer to perform the scan.

Note: If you're running a 64-bit system you have to choose the 32-bit option in IE. To do that, go to the Start Menu and right-click the Internet Explorer (32-bit) icon and then select 'Run as administrator' from the right-click menu.

http://www.eset.com/online-scanner

Accept the Terms of Use and then press the Start button

Allow the ActiveX control to be installed.

Put a check by Remove found threats and then run the scan.

When the scan is finished, you will see the results in a window.

A log.txt file is created here: C:\Program Files\EsetOnlineScanner\log.txt.

Open the log file with Notepad and copy and paste the contents here please.


----------



## NightOwl323 (Mar 20, 2012)

Windows Defender is only on schedule for Sundays at 2am. Not daily. And that one too, until a few days ago, has been uninstalled. I only installed it a few days ago when this last virus attack hit. I'll uninstall it again, along with SpyBot, since I don't use it anymore. If that doesn't work, which Forum can I post to to have someone help me figure it out?


----------



## NightOwl323 (Mar 20, 2012)

I already have Eset Online scanner installed, but it doesn't require any browser at all. Is it ok to run that one?


----------



## Cookiegal (Aug 27, 2003)

NightOwl323 said:


> Windows Defender is only on schedule for Sundays at 2am. Not daily. And that one too, until a few days ago, has been uninstalled. I only installed it a few days ago when this last virus attack hit. I'll uninstall it again, along with SpyBot, since I don't use it anymore. If that doesn't work, which Forum can I post to to have someone help me figure it out?


Let's see if it fixes the problem first. It seems like too much of a coincidence.


----------



## Cookiegal (Aug 27, 2003)

NightOwl323 said:


> I already have Eset Online scanner installed, but it doesn't require any browser at all. Is it ok to run that one?


You have to use your browser to run the scan from the web site. The database will have to be updated.


----------



## NightOwl323 (Mar 20, 2012)

Wow! After all those other scans, it STILL found 7 threats. That's amazing. 

[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-20 12:26:15
# local_time=2010-12-19 04:26:15 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=105595
# found=11
# cleaned=0
# scan_time=4759
C:\Documents and Settings\LILLY\Application Data\00CC0DD11507A96CF638C9496EBF7285\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\LILLY\Desktop\Flash Drive\fhds.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\LILLY\Desktop\Flash Drive\trent darby (unplugged version).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\LILLY\Desktop\Flash Drive\trent darby.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Local Settings\Application Data\{84529B17-C173-45EE-BA05-412ADCB4D9CD}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\sK3179c.dll.vir a variant of Win32/Kryptik.FGR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP130\A0011265.dll a variant of Win32/Kryptik.FGR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP83\A0006217.exe probably a variant of Win32/Adware.FakeMSE.D application (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\12192010_074907\C_WINDOWS\system32\bdgtguxvn.dll probably a variant of Win32/TrojanDownloader.Agent.INZFWXH trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\12192010_074907\C_WINDOWS\system32\caclnsvr.dll a variant of Win32/PSW.Papras.BO trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\12192010_074907\C_WINDOWS\system32\igfxexec.dll a variant of Win32/Kryptik.HTA trojan (unable to clean) 00000000000000000000000000000000 I
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-26 05:01:44
# local_time=2010-12-25 09:01:44 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 456905 456905 0 0
# scanned=9863
# found=0
# cleaned=0
# scan_time=608
[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-08 02:31:06
# local_time=2011-01-08 06:31:06 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 1610679 1610679 0 0
# scanned=111474
# found=1
# cleaned=1
# scan_time=4196
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP224\A0016430.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-01 04:00:41
# local_time=2011-03-01 08:00:41 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 6113023 6113023 0 0
# scanned=1015
# found=0
# cleaned=0
# scan_time=27
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-12 07:38:41
# local_time=2011-03-11 11:38:41 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 7027456 7027456 0 0
# scanned=117723
# found=0
# cleaned=0
# scan_time=5874
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-21 01:28:54
# local_time=2011-03-21 06:28:54 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 7831259 7831259 0 0
# scanned=10813
# found=0
# cleaned=0
# scan_time=681
[email protected] as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=0
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-21 07:36:47
# local_time=2011-03-21 12:36:47 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 7833130 7833130 0 0
# scanned=119300
# found=0
# cleaned=0
# scan_time=20886
[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-31 06:06:43
# local_time=2011-05-30 11:06:43 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 13934504 13934504 0 0
# scanned=123871
# found=1
# cleaned=1
# scan_time=5308
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP282\A0017894.dll probably a variant of Win32/Adware.HotBar.E application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-21 10:29:26
# local_time=2011-08-21 03:29:26 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 21034208 21034208 0 0
# scanned=148689
# found=11
# cleaned=11
# scan_time=6166
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04hquq87.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\LILLY\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-167e80df Java/TrojanDownloader.Agent.ME trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\LILLY\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\amflkipadpfdkojehcffddgchphojilk\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP307\A0018602.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP307\A0018603.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP307\A0018604.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP316\A0019103.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP316\A0019104.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP316\A0019105.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-22 07:11:43
# local_time=2011-08-22 12:11:43 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 21109419 21109419 0 0
# scanned=148701
# found=0
# cleaned=0
# scan_time=5493
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-11-13 05:58:02
# local_time=2011-11-12 09:58:02 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 28275524 28275524 0 0
# scanned=132178
# found=1
# cleaned=1
# scan_time=6167
C:\Documents and Settings\LILLY\My Documents\Downloads\SoftonicDownloader_for_directx.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
Can not open internet
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=39d5d83b656e0a44baf6b57441563cca
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-27 02:00:30
# local_time=2012-03-26 07:00:30 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5889 16768381 100 100 0 172617349 0 0
# compatibility_mode=8192 67108863 100 0 39921612 39921612 0 0
# scanned=127143
# found=7
# cleaned=7
# scan_time=9828
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP381\A0021933.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP381\A0021945.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP381\A0021962.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP381\A0021977.dll probably a variant of Win32/Sirefef.ER trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP381\A0021982.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP385\A0023188.exe a variant of Win32/Soft32Downloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\18.03.2012_02.01.43\susp0020\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


----------



## NightOwl323 (Mar 20, 2012)

Hi CookieGal,
I know I should probably wait until you respond to the Eset log, but my computer is now doing really odd stuff, and I thought I'd update you. First, I did uninstall Spybot, Windows Defender, and something called SuperAntispyware. I also tried to install the Windows updates that I'm prompted to install, but everything stalled, so I cancelled the update.
On reboot, my mouse wasn't working.
On another reboot, the mouse worked, but other programs wouldn't open.
Twice, the computer wouldn't reboot, and after a long wait, I got several messages that certain programs weren't responding.
Also, when I tried to run Netflix, it told me my Silverlight needed to be uninstalled and reinstalled. When I went to uninstall it, the control panel told me there was another installation running (about which I knew nothing and did not initialize). After a reboot, I ultimately uninstalled and reinstalled the program. 
Now, I have no volume at all. I tried it with the laptop speakers and with USB speakers. Nothing. I closed out Netflix and tried running an audio file on Windows Media Player and it told me I have no sound device installed.
Everything seems to be running choppy. 
Maybe I deleted something that needs to be there?

Sorry to go off course with this, but I'm not sure what the best thing is to do.


----------



## Cookiegal (Aug 27, 2003)

The Eset log is not surprising because you posted old ones from 2010 and 2011. The only relevant one is the last one with things only in System Restore, which are no longer a threat unless you do a system restore to an earlier date. We will flush those restore points when we're done which will eliminate those.

Download *OTS.exe* to your Desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
Under the *Additional Scans* section put a check in the box next to Disabled MS Config Items, Drivers32, NetSvcs, SafeBoot Minimal and EventViewer logs (Last 10 errors).
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.
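
The triage described in the post above (setting aside old scan runs, then checking whether the remaining detections sit only in System Restore) can be scripted. The Python below is an added example, not part of the original thread or of any tool used in it; the function names, the 30-day cutoff and the sample log are assumptions, and the sample is constructed in the ESET Online Scanner log format shown earlier in the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (placeholder paths, GUIDs and file names; the threat
# names are the ones that appear in the thread's own logs).
SAMPLE_LOG = r"""
# version=7
# utc_time=2011-11-13 05:58:02
# found=1
# cleaned=1
# scan_time=6167
C:\Documents and Settings\USER\My Documents\Downloads\example_downloader.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# utc_time=2012-03-27 02:00:30
# found=3
# cleaned=3
# scan_time=9828
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP381\A0000001.sys a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP381\A0000002.dll probably a variant of Win32/Sirefef.ER trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\18.03.2012_02.01.43\susp0020\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.KD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# "# key=value" header lines written once per scan run.
HEADER = re.compile(r"^# (?P<key>[^=]+)=(?P<value>.*)$")

# Detection line: <path> <threat name> (<action>) <hash> <flag>.
# The path may contain spaces, so it is matched lazily up to the threat name,
# which always contains a "Platform/Family" token followed by a type word.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+ \w+) "
    r"\((?P<action>[^)]*)\)"
)


def classify_location(path):
    """Say where a detected file lives: restore point, tool quarantine, or live disk."""
    lowered = path.lower()
    if "\\system volume information\\_restore{" in lowered:
        return "system_restore"      # inert unless the machine is rolled back
    if "\\tdsskiller_quarantine\\" in lowered:
        return "tool_quarantine"     # copy kept by an earlier removal tool
    return "live_filesystem"


def parse_runs(text):
    """Split a concatenated log into scan runs with header fields and detections."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            if header["key"] == "version":   # each run starts with "# version="
                current = {"fields": {}, "detections": []}
                runs.append(current)
            if current is not None:
                current["fields"][header["key"]] = header["value"]
            continue
        hit = DETECTION.match(line)
        if hit and current is not None:
            current["detections"].append({
                "path": hit["path"],
                "threat": hit["threat"],
                "action": hit["action"],
                "location": classify_location(hit["path"]),
            })
    return runs


def triage(text, reference, max_age_days=30):
    """Summarise each run: is it stale, and are any detections outside restore/quarantine?"""
    report = []
    for run in parse_runs(text):
        stamp = run["fields"].get("utc_time")
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S") if stamp else None
        detections = run["detections"]
        report.append({
            "utc_time": when,
            # Runs with no timestamp are treated as stale rather than trusted.
            "stale": when is None or reference - when > timedelta(days=max_age_days),
            # A mismatch means a detection line did not parse and needs a manual look.
            "count_matches_header": int(run["fields"].get("found", 0)) == len(detections),
            "by_location": dict(Counter(d["location"] for d in detections)),
            "live": [d for d in detections if d["location"] == "live_filesystem"],
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG, reference=datetime(2012, 3, 28)):
        print(entry["utc_time"], "stale" if entry["stale"] else "current",
              entry["by_location"], "live:", [d["path"] for d in entry["live"]])
```
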


----------



## NightOwl323 (Mar 20, 2012)

Here's the OTS log attached


----------



## Cookiegal (Aug 27, 2003)

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: Main\\"XMLHTTP_UUID_Default" -> 0C 34 04 13 29 31 04 4D AF 3B 67 8C B2 FE 35 46  [binary data]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_22-windows-i586.cab [Java Plug-in 1.5.0_22]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\explorer.exe" -> C:\WINDOWS\explorer.exe [C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell]
[Files/Folders - Created Within 30 Days]
NY ->  2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  1 C:\Documents and Settings\LILLY\Desktop\*.tmp files -> C:\Documents and Settings\LILLY\Desktop\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  itldvupd.dat -> C:\WINDOWS\System32\itldvupd.dat
NY ->  itlsvc.dat -> C:\WINDOWS\System32\itlsvc.dat
NY ->  2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  1 C:\Documents and Settings\LILLY\Desktop\*.tmp files -> C:\Documents and Settings\LILLY\Desktop\*.tmp
[Files - No Company Name]
NY ->  Sjofate.dat -> C:\WINDOWS\Sjofate.dat
NY ->  Jpolageya.bin -> C:\WINDOWS\Jpolageya.bin
[Empty Temp Folders]
[EmptyFlash]
[EmptyJava]
[Start Explorer]
[Reboot]
```


----------



## NightOwl323 (Mar 20, 2012)

OTS Fix Log:
All Processes Killed
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\WINDOWS\explorer.exe deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\003248_.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\System32\ConduitEngine.tmp deleted successfully.
C:\Documents and Settings\LILLY\Desktop\~WRL0281.tmp deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\System32\itldvupd.dat moved successfully.
C:\WINDOWS\System32\itlsvc.dat moved successfully.
[Files - No Company Name]
C:\WINDOWS\Sjofate.dat moved successfully.
C:\WINDOWS\Jpolageya.bin moved successfully.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LILLY
->Temp folder emptied: 1329881 bytes
->Temporary Internet Files folder emptied: 10879008 bytes
->Java cache emptied: 553206 bytes
->FireFox cache emptied: 96769978 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 239253 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 970 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 12142 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5087 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 9955754 bytes

Total Files Cleaned = 114.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LILLY
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LILLY
->Java cache emptied: 0 bytes

User: LocalService
->Java cache emptied: 0 bytes

User: NetworkService
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.47.2 fix logfile created on 03282012_151119

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:25:02 PM, on 3/28/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\LILLY\Desktop\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\LILLY\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.efax.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://portal.omm.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1181342368703
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10054 bytes


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.


----------



## NightOwl323 (Mar 20, 2012)

7-Zip 9.14 beta
A4Desk v6.41
ABBYY PDF Transformer 1.0
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe AIR
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bluetooth Stack for Windows by Toshiba
Bonjour
calibre
CameraHelperMsi
Canon MF Toolbox 4.9.1.1.mf11
Canon MF4500 Series
CD/DVD Drive Acoustic Silencer
Citrix ICA Web Client
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Desktop Dialer
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab 6.0.6.0 (04/09/2009)
DVD-RAM Driver
eFax Messenger 4.1
erLT
ESET Online Scanner v3
Google Talk (remove only)
Google Talk Plugin
HandBrake 0.9.3
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP PSC & Officejet 4.2 Corporate Edition
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iTunes
J2SE Runtime Environment 5.0 Update 22
Java(TM) 6 Update 23
Lawgic
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes Anti-Malware version 1.60.1.1000
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Standard Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mirar
mIWA
mLogView
mMHouse
Mozilla Firefox 11.0 (x86 en-US)
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Multimedia Samples
mWlsSafe
mXML
mZConfig
Netflix Movie Viewer
Office 2003 Trial Assistant
Otto
OverDrive Media Console
palmOne
Picasa 2
PrimoPDF
PrimoPDF Redistribution Package
QuickBooks Pro Edition 2004
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
RipIt4Me
SD Secure Module
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Simple Sticky Notes Version 1.3.3.2
Skype™ 5.5
Sonic DLA
Sonic Encoders
Sonic RecordNow!
Spelling Dictionaries Support For Adobe Reader 9
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Game Console
TOSHIBA Hotkey Utility
Toshiba Media Center Game Console
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
Toshiba Registration
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.762
VLC media player 1.1.11
Vuze
Vuze_Remote Toolbar
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB894553
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Messenger
Your Uninstaller! 2010


----------



## Cookiegal (Aug 27, 2003)

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application.

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 31*.
Select the option to download the *Windows 7, XP Offline* version 
Save the executable file to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with *Java Runtime Environment, JRE, J2SE or Java(TM)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download and follow the prompts to install the newest version.

These are the older versions of Java that you need to uninstall via the Control Panel/Add or Remove programs:

You should also uninstall P2P/torrent applications as they are the source of many infections:

Vuze

and also uninstall this:

Vuze_Remote Toolbar

How are things with the system now?


----------



## NightOwl323 (Mar 20, 2012)

Generally, the computer is performing sort of choppy, which is strange, but the problems associated with the virus infection seem to be gone and I'm thrilled to have the wifi back. Thank you so much.
Three concerns: 
First, my speaker disappearance persists. I'm attaching a screen shot of the error that I get. I think some of my "disinfecting" (probably before I contacted you) may have deleted something essential.
Second, there's a new icon in my tray at the bottom right of my screen. Unlike all the others, it doesn't give me any sort of information when I hover the mouse above it, and it's non-responsive to mouse clicking (right or left). I'm attaching a screen shot of that as well. It's the white box with the attached red circle with the line through it. I don't know what it is or if it's something I should be concerned about. 
Third, after uninstalling Spybot and Windows Defender, my computer continues to pop on at 2am every morning.

Thoughts?


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* - type in *devmgmt.msc* and click OK to open the Device Manager. Do you see any yellow alerts beside any of the devices listed there?


----------



## NightOwl323 (Mar 20, 2012)

Yes.
1. DVD/CD ROM Drives - (This is ok. My DVD hasn't worked for years)
2. Sound, Video, Game Controllers - All of the items are marked. Audio Codecs, Legacy Audio Drivers, Legacy Video Capture Devices, Media Control Devices, Realtek High Definition Audio, and Video Codecs.
3. VSO Devices. -- pcouffin device for 32 bits systems


----------



## NightOwl323 (Mar 20, 2012)

BTW: The error for the sound devices is "Windows successfully loaded the device driver for this hardware but cannot find the hardware device. (Code 41)"
For the VSO, it's "Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)"
And for the DVD/CD, it's "Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)"


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## NightOwl323 (Mar 20, 2012)

Under Applications, it looks like almost all the errors were with Bonjour Service, which I know is installed in my computer, but since I uninstalled iTunes, I disabled Bonjour in the startup processes. I'm pasting all of the errors for the last 48 hours, but I've also pasted a few that are a couple days older. They're the only ones that were not Bonjour Service-related, so I thought you might want to see them. (System errors pasted below the application errors)

Application Events:

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 12:44:27 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2422

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 12:44:27 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2422

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 12:44:27 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 9:22:22 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2438

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 9:22:22 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2438

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 9:22:22 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 2:00:03 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 5437

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 2:00:03 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 5437

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 2:00:03 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/29/2012
Time: 2:11:43 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2156

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/29/2012
Time: 2:11:43 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2156

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/29/2012
Time: 2:11:43 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/28/2012
Time: 9:37:10 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2421

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/28/2012
Time: 9:37:10 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2421

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/28/2012
Time: 9:37:10 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/28/2012
Time: 3:27:24 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2563

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/28/2012
Time: 3:27:24 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2563

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/28/2012
Time: 3:27:24 PM
User: N/A
Computer: LEVOFFLAPTOP
Description: 
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 3/26/2012
Time: 8:43:31 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Hanging application wuauclt.exe, version 7.4.7600.226, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: MPSampleSubmission
Event Category: None
Event ID: 5000
Date: 3/25/2012
Time: 3:39:07 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The description for Event ID ( 5000 ) in Source ( MPSampleSubmission ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: mptelemetry, 80070424, beginsearch, search, 3.0.8402.0, mpsigdwn.dll, 3.0.8402.0, microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), NIL, NIL, NIL.

Event Type: Error
Event Source: MPSampleSubmission
Event Category: None
Event ID: 5000
Date: 3/25/2012
Time: 3:35:09 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The description for Event ID ( 5000 ) in Source ( MPSampleSubmission ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: mptelemetry, 80070424, beginsearch, search, 3.0.8402.0, mpsigdwn.dll, 3.0.8402.0, microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), NIL, NIL, NIL.

_________________________________________________________________________________
SYSTEM EVENTS

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7003
Date: 3/28/2012
Time: 3:16:31 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Intel(R) PROSet/Wireless Service service depends on the following nonexistent service: s24trans

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 3/28/2012
Time: 3:11:20 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The TOSHIBA Application Service service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 3/28/2012
Time: 3:11:20 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Swupdtmr service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 3/28/2012
Time: 3:11:20 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Process Monitor service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 3/28/2012
Time: 3:11:20 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Intel(R) PROSet/Wireless Registry Service service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 3/28/2012
Time: 3:11:20 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The DVD-RAM_Service service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 3/28/2012
Time: 3:11:20 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 3/28/2012
Time: 3:11:19 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 3/28/2012
Time: 3:11:19 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The ConfigFree Service service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 3/28/2012
Time: 3:11:19 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 3/28/2012
Time: 3:11:19 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Intel(R) PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 3/28/2012
Time: 3:10:00 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0018DE07369D. The following error occurred: 
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...
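
Added example (not part of any post in this thread): a small Python triage script for Event Viewer text pasted in the format above. It counts records per source and event ID, groups Service Control Manager crash events (7031/7034) that land within a few seconds of each other, and pulls out missing service dependencies (7003). The function names, the 5-second window and the 3-service threshold are assumptions; the sample records are constructed from ones in the thread, with the computer name replaced.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

HEADER = re.compile(r"^(Event Type|Event Source|Event ID|Date|Time):\s*(.*)$")
HEXDUMP = re.compile(r"^[0-9a-f]{4}:\s")          # "0000: 41 70 ..." data lines
CRASH = re.compile(r"^The (.+) service terminated unexpectedly")
MISSING = re.compile(r"^The (.+) service depends on the following nonexistent service: (\S+)")

def _keep(line):
    """True for description lines worth keeping (no footer, no hex dump)."""
    return bool(line) and line != "Data:" and not HEXDUMP.match(line) \
        and not line.startswith("For more information")

def parse_events(text):
    """Split pasted Event Viewer text into records; each starts at 'Event Type:'."""
    raw, cur, in_desc = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Event Type:"):
            cur, in_desc = {"desc": []}, False
            raw.append(cur)
        if cur is None:
            continue
        m = HEADER.match(line)
        if m and not in_desc:
            cur[m.group(1)] = m.group(2).strip()
        elif line == "Description:":
            in_desc = True
        elif in_desc and _keep(line):
            cur["desc"].append(line)
    events = []
    for r in raw:
        if not all(k in r for k in ("Event Source", "Event ID", "Date", "Time")):
            continue                               # skip truncated records
        events.append({
            "type": r["Event Type"], "source": r["Event Source"],
            "id": int(r["Event ID"]), "desc": " ".join(r["desc"]),
            "when": datetime.strptime(f"{r['Date']} {r['Time']}", "%m/%d/%Y %I:%M:%S %p"),
        })
    return events

def summarize(events):
    """Count records per (source, event ID) so repeated noise collapses to one row."""
    return Counter((e["source"], e["id"]) for e in events)

def crash_bursts(events, window=timedelta(seconds=5), min_services=3):
    """Find groups of service crashes (7031/7034) that happen close together."""
    crashes = sorted((e for e in events if e["id"] in (7031, 7034) and CRASH.match(e["desc"])),
                     key=lambda e: e["when"])
    groups, group = [], []
    for e in crashes:
        if group and e["when"] - group[-1]["when"] > window:
            groups.append(group)
            group = []
        group.append(e)
    if group:
        groups.append(group)
    bursts = []
    for g in groups:
        names = sorted({CRASH.match(e["desc"]).group(1) for e in g})
        if len(names) >= min_services:
            bursts.append((g[0]["when"], names))
    return bursts

def missing_dependencies(events):
    """Return (service, missing dependency) pairs from event ID 7003."""
    hits = (MISSING.match(e["desc"]) for e in events if e["id"] == 7003)
    return [(m.group(1), m.group(2)) for m in hits if m]

def _record(source, eid, date, time, desc, data=""):
    """Render one constructed record in the pasted Event Viewer layout."""
    return (f"Event Type: Error\nEvent Source: {source}\nEvent Category: None\n"
            f"Event ID: {eid}\nDate: {date}\nTime: {time}\nUser: N/A\n"
            f"Computer: EXAMPLEPC\nDescription:\n{desc}\n{data}\n")

SCM, FOOTER = "Service Control Manager", "\nFor more information, see Help and Support Center."
GONE = " service terminated unexpectedly. It has done this 1 time(s)."
SAMPLE = "".join([   # constructed sample input
    _record(SCM, 7003, "3/28/2012", "3:16:31 PM", "The Intel(R) PROSet/Wireless Service "
            "service depends on the following nonexistent service: s24trans" + FOOTER),
    _record(SCM, 7034, "3/28/2012", "3:11:20 PM", "The TOSHIBA Application Service" + GONE),
    _record(SCM, 7034, "3/28/2012", "3:11:20 PM", "The Swupdtmr" + GONE),
    _record(SCM, 7034, "3/28/2012", "3:11:19 PM", "The Bonjour Service" + GONE),
    _record(SCM, 7031, "3/28/2012", "3:11:19 PM", "The Apple Mobile Device" + GONE +
            " The following corrective action will be taken in 60000 milliseconds: Restart the service."),
    _record("Bonjour Service", 100, "3/30/2012", "2:00:03 AM",
            "Task Scheduling Error: m->NextScheduledEvent 5437"),
    _record("Bonjour Service", 100, "3/30/2012", "2:00:03 AM",
            "Task Scheduling Error: Continuously busy for more than a second"),
    _record("Application Hang", 1002, "3/26/2012", "8:43:31 PM",
            "Hanging application wuauclt.exe, version 7.4.7600.226, hang module hungapp.",
            "Data:\n0000: 41 70 70 6c 69 63 61 74 Applicat"),
])

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for (source, eid), n in summarize(evs).most_common():
        print(f"{n:3d}  {source}  (ID {eid})")
    for start, names in crash_bursts(evs):
        print(f"{len(names)} services stopped together at {start}: {', '.join(names)}")
    for service, dep in missing_dependencies(evs):
        print(f"{service} is missing its dependency {dep}")
```

Several unrelated services stopping in the same second usually points to one external cause, such as a cleanup tool ending processes or a forced restart, rather than to independent faults in each service.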


----------



## Cookiegal (Aug 27, 2003)

Are you still able to connect to the Internet wirelessly without any problems?


----------



## NightOwl323 (Mar 20, 2012)

Yes


----------



## Cookiegal (Aug 27, 2003)

Let me check into a few things and I'll post back tomorrow. I had minor surgery today, it's painful and I'm very tired so I'm taking it easy tonight.


----------



## NightOwl323 (Mar 20, 2012)

Please take your time. Get lots of rest and feel better soon!


----------



## Cookiegal (Aug 27, 2003)

Thanks.


----------



## Cookiegal (Aug 27, 2003)

There are a couple of things I'd like to investigate.

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1
Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:filefind
s24trans.*
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

Also, please locate the following log, open it with Notepad and copy and paste the contents here.

C:\Qoobox\ComboFix-quarantined-files.txt


----------



## NightOwl323 (Mar 20, 2012)

Dear CookieGal,
I hope you're feeling better? You sure got back to me quickly! I didn't expect to hear from you for a few days.
I've followed the steps you requested and pasted the results below. I'm not sure which issue you're looking into, but I'd like to update you.
I've resolved the error codes in the Device Manager for the DVD/CD and the speakers. I deleted the upper and lower filters registry values, which got everything working, but slowly and with choppiness. 
I've since resolved the choppiness of the running of the DVD and speakers, as well as of my computer's operations generally. It turned out my drives were operating in PIO mode instead of DMA mode. I ran a VB script I found to reset the mode. When I rebooted, I was running in Ultra DMA, and now everything is running super zippy. 
So the remaining issue really is the computer popping on at 2am every morning. 
__________________________________________________________________________________
SYSTEMLOOK LOG:

ISystemLook 30.07.11 by jpshortstuff
Log created at 02:05 on 01/04/2012 by LILLY
Administrator - Elevation successful

========== filefind ==========

Searching for "s24trans.*"
C:\WINDOWS\inf\S24Trans.inf --a---- 7017 bytes [21:20 02/12/2005] [21:20 02/12/2005] F4FABD8BB3BA4846DE1471B1493EAADB
C:\WINDOWS\inf\S24Trans.PNF --a---- 12020 bytes [20:56 15/10/2006] [20:56 15/10/2006] EC4911B487D81E87214A650C537235F3

-= EOF =-

__________________________________________________________________________________
C:\Qoobox\ComboFix-quarantined-files.txt

2012-03-26 19:53:04 . 2012-03-26 19:53:04 3,418 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NecUsb3.reg.dat
2012-03-26 19:53:04 . 2012-03-26 19:53:04 2,416 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_icblpmis.reg.dat
2012-03-26 19:53:04 . 2012-03-26 19:53:04 2,416 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_dfxdjgso.reg.dat
2012-03-26 19:53:03 . 2012-03-26 19:53:03 1,036 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NECUSB3.reg.dat
2012-03-26 19:40:58 . 2012-03-26 19:40:58 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2012-03-25 23:43:55 . 2012-03-25 23:43:55 2,128 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{1B758D8A-B999-45AD-B7AA-14D10FDC19D2}_is1.reg.dat
2012-03-25 23:43:36 . 2012-03-25 23:43:36 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-89181721.sys.reg.dat
2012-03-25 23:15:14 . 2012-03-25 23:15:14 218 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\_851918141_.zip
2012-03-25 23:12:48 . 2012-03-26 19:52:40 12,302 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-03-25 22:43:08 . 2012-03-26 19:38:26 798 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-03-18 08:56:20 . 2012-03-18 08:56:20 760 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\10020.txt.vir
2012-03-18 08:55:23 . 2012-03-18 10:35:31 72 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\mru.xml.vir
2012-03-18 08:54:17 . 2012-03-18 08:54:17 2,009 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\2229.txt.vir
2012-03-18 07:07:50 . 2012-03-18 08:58:41 259 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\oemid.vir
2012-03-17 07:46:22 . 2012-03-17 07:46:22 38,400 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\USB3Sw32.dll.vir
2012-03-17 07:36:09 . 2012-03-18 06:45:52 864 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\version.vir
2012-03-17 07:36:01 . 2012-03-18 06:45:52 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dds_trash_log.cmd.vir
2012-03-17 07:34:26 . 2012-03-18 09:13:05 170 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\cfg.ini.vir
2012-03-17 07:34:25 . 2012-03-17 07:34:25 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\@.vir
2012-03-17 07:34:25 . 2012-03-17 07:34:25 162,816 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\L\pavtnywh.vir
2012-03-17 07:34:25 . 2012-03-18 06:45:45 4,608 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\Desktop.ini.vir
2012-03-15 07:51:37 . 2012-03-17 07:36:00 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected]
2012-03-14 15:02:46 . 2012-03-14 15:02:46 53,324 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\wlu.txt.vir
2012-03-08 16:49:19 . 2012-03-17 07:36:08 96,256 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected]
2012-02-10 12:03:04 . 2012-03-17 07:36:01 66,560 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected]
2012-01-09 10:04:58 . 2012-01-09 10:04:58 3,749 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\1.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 20,362 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\a.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 22,747 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\b.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 23,856 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\c.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 14,514 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\d.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 15,076 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\e.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 11,094 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\f.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 11,657 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\g.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 10,036 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\h.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 7,695 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\i.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 4,789 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\j.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 6,050 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\k.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 12,333 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\l.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 19,801 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\m.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 6,997 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\n.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 7,715 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\o.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 18,099 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\p.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 898 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\q.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 8,049 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\r.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 34,402 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\s.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 18,804 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\t.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 3,968 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\u.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 5,756 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\v.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 7,752 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\w.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 664 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\x.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 1,912 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\y.txt.vir
2012-01-09 10:04:58 . 2012-01-09 10:04:58 1,876 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\PriceGong\Data\z.txt.vir
2011-12-02 12:07:49 . 2012-03-17 07:36:02 224,768 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected]
2011-11-29 13:10:08 . 2012-03-17 07:36:00 12,800 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected]
2011-11-02 17:48:14 . 2012-03-17 07:36:00 1,024 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB2866$\353902122\U\[email protected]
2011-07-27 03:46:12 . 2011-07-27 03:46:12 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\iqvowwjfac.tmp.vir
2011-07-26 20:09:12 . 2011-07-27 03:46:42 771 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04hquq87.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\install.rdf.vir
2011-07-26 20:09:12 . 2011-07-27 03:46:42 1,672 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\04hquq87.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome\xulcache.jar.vir
2011-07-26 20:09:12 . 2011-07-27 03:46:42 771 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\install.rdf.vir
2011-07-26 20:09:12 . 2011-07-27 03:46:42 1,672 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LILLY\Application Data\Mozilla\Firefox\Profiles\68mnu47b.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome\xulcache.jar.vir
2011-07-26 20:09:12 . 2011-07-27 03:46:42 771 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\install.rdf.vir
2011-07-26 20:09:12 . 2011-07-27 03:46:42 1,672 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\chrome\xulcache.jar.vir
2011-07-26 20:09:12 . 2011-07-27 03:46:42 256 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\ushz3dft.default\extensions\{3007c2fb-98a6-427f-8e11-401711ae4d6e}\defaults\preferences\xulcache.js.vir
2006-12-29 22:51:48 . 2006-12-29 22:52:13 18,031 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\dasetup.log.vir
2006-05-13 23:08:49 . 2006-03-21 03:23:12 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir


----------



## Cookiegal (Aug 27, 2003)

Yes, I'm still not 100% but I'm feeling better. Heck, I wasn't 100% before so that would be wishful thinking.  Thanks. 

Anyway, since you've rectified some issues I'd like you to post any new errors under both Application and System in the Event Viewer that have occurred since then only so I can see what still needs to be addressed.

Also, I'd like to investigate a possible false positive so please do the following:

Please go to *VirusTotal* and upload the following file for scanning.

Click *Browse*
Copy and paste the contents of the following code box into the text box next to *File name:* then click *Open* 

```
C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir
```

Click *Send File*
If confronted with two options, choose *Reanalyse file now*
Wait for the scan to finish and then copy and paste the URL from your browser address bar in your next reply please.


----------



## NightOwl323 (Mar 20, 2012)

Below are all the application errors since the last ones I sent you. They are all Bonjour Service. (Can I just uninstall that application if I don't have iTunes on this computer?) There were NO system errors since the last ones I sent. The VirusTotal scan URL is:
https://www.virustotal.com/file/fdc...fa80a5e6bff7b71579fe995c/analysis/1333351583/

I did the "reanalyze" as you requested, but for some reason it says the scan is almost 5 days old. Weird? 
Any thoughts on what the 2am deal is?

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 4/1/2012
Time: 3:31:44 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2407

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 4/1/2012
Time: 3:31:44 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2407

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 4/1/2012
Time: 3:31:44 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/31/2012
Time: 2:11:49 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2235

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/31/2012
Time: 2:11:49 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2235

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/31/2012
Time: 2:11:49 AM
User:  N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 7:15:58 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2422

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 7:15:58 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2422

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 7:15:58 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 7:02:59 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2343

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 7:02:59 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2343

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 7:02:59 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 2:34:22 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledSPRetry 2422

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 2:34:22 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: m->NextScheduledEvent 2422

Event Type: Error
Event Source: Bonjour Service
Event Category: None
Event ID: 100
Date: 3/30/2012
Time: 2:34:22 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Task Scheduling Error: Continuously busy for more than a second


----------



## Cookiegal (Aug 27, 2003)

It looks like it could be the Bonjour Service that's responsible for waking the computer at 2:00 a.m. I would go ahead and uninstall it.

I would also like you to upload a file to the developer of ComboFix for analysis please.

Please go *Here* and enter the URL to this thread beside *Link to topic where this file was requested:*

Then click on *Browse* and locate the following file on your computer:

C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir

Select the file and click OK. Then click on *Send File*.


----------



## NightOwl323 (Mar 20, 2012)

OK. I did both. My research indicates that Bonjour can be difficult to uninstall and is usually not in the control panel. But I found it there and uninstalled it. Don't really know how to check if it's a complete uninstall or if there are hidden running files, but I'll check the event log in 24 hours or so. And I'll let you know what happens at 2am today. ;-)

Should I expect a response from Bleeping Computer? Or is this more of a public service?

Any further steps?


----------



## Cookiegal (Aug 27, 2003)

Did you reboot after uninstalling? If not, be sure to do so as it's often necessary to clear some files.

No, they will not respond where you uploaded the file. I'm in touch with the developer of ComboFix and I'm checking on the integrity of that file.

Let me know if you still get the 2:00 wake up call.


----------



## Cookiegal (Aug 27, 2003)

The file I had you upload was a false positive so we'll now restore it to its original location.

Open Notepad and copy and paste the text in the code box below into it:


```
DEQUARANTINE::
C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir
QUIT::
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

This will start ComboFix again. It shouldn't take long as we are just restoring the file without running another scan.

Once it's finished, please confirm that this file exists in this location:

C:\WINDOWS\kb913800.exe


----------



## NightOwl323 (Mar 20, 2012)

I ran ComboFix as you requested. The program appeared to work, but then it told me my Combofix was out of date. I chose to exit. C:\Windows\kb913800 exists as a txt file along with tons of other "kb" text files. There wasn't an exe file though.


----------



## Cookiegal (Aug 27, 2003)

Either run it again and allow ComboFix to update or delete the one you have by dragging it to the Recycle Bin and downloading it again.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


----------



## NightOwl323 (Mar 20, 2012)

I re-ran it. Looks like it's back in C: although it's also still in the Quarantined folder. It must have kept a copy?


----------



## Cookiegal (Aug 27, 2003)

You mean in C:\Windows, right?

The quarantine report is only a text file so it will still show there but ComboFix would not retain a copy of the file once it's dequarantined.

How are things with this machine now? Are any problems remaining?


----------



## NightOwl323 (Mar 20, 2012)

Hi Cookiegal,
So sorry for the delay. I came down with the flu and have been off the computer for several days.

The machine is working super!! And the nightly wake-up calls have finally ended! Thank goodness. You're amazing! 

How do we close this out? Do I delete everything I saved and/or downloaded for you?
Is there one antivirus program that you recommend for real-time monitoring? I have avoided them because they tend to be so disruptive and conflict with so many programs, but if you think there's one that's particularly good, I'd appreciate the recommendation.


----------



## Cookiegal (Aug 27, 2003)

I'm sorry to hear that you've been sick and hope you're feeling better now.

Would you please post a final HijackThis log so I can see if anything needs to be addressed there?

These can all be removed by dragging them to the Recycle Bin:

DDS
GMER (the file ue5yq2hi.exe that should be on your desktop)
Aswmbr
OTS
System Look

But we have specific instructions for uninstalling ComboFix and I'll post that with my final instructions after I see a new HijackThis log.

I prefer Eset Smart Security or Kaspersky Internet Security but find the former a little lighter on the system. Those are not free though but among the free ones Avast and Avira are pretty good.


----------



## NightOwl323 (Mar 20, 2012)

Below is the HijackThis log you requested.
I've deleted everything you permitted, but am left with (other than Combofix) the WindowsXP BootDisk file and the Jabra update (installer)? Can I delete those as well?
And do you know what the weird new icon is on my taskbar? (I'm attaching the screenshot). It's the white square with the red circle through the lower right corner. It's not clickable and only appeared about a week before I started this thread. I would do a google search, but not sure how to do that without knowing what it is. 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:42:24 AM, on 4/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\LILLY\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10w_Plugin.exe -update plugin
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.efax.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://portal.omm.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1181342368703
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10062 bytes


----------



## NightOwl323 (Mar 20, 2012)

oops. I meant JAVA, not Jabra. Sorry.


----------



## Cookiegal (Aug 27, 2003)

If you boot to safe mode, does that still appear in the task bar?


----------



## NightOwl323 (Mar 20, 2012)

Hi Cookiegal,
No, the icon does not appear in Safe Mode. In Safe Mode, there were no icons at all. Only the clock.

I WAS just awakened with the computer popping on again. 2AM, right on the dot. Grrr.
I opened the event viewer right away so I could track what was happening. I checked, and I see some of these entries have happened around 2am before. Any thoughts?
Here's everything that happened since 2AM.

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4202
Date: 4/15/2012
Time: 2:00:00 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The system detected that network adapter Intel(R) PRO/Wireless 3945ABG Network Connection was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 6a 10 00 40 ....j..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Information
Event Source: E100B
Event Category: None
Event ID: 19
Date: 4/15/2012
Time: 2:00:01 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Intel(R) PRO/100 VE Network Connection driver has been started
Data:
0000: 00 00 04 00 02 00 58 00 ......X.
0008: 00 00 00 00 13 00 04 40 .......@
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 13 00 04 40 ...@

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
Date: 4/15/2012
Time: 2:00:05 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The system detected that network adapter Intel(R) PRO/Wireless 3945ABG Network Connection was connected to the network, and has initiated normal operation over the network adapter.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....i..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 4/15/2012
Time: 2:00:05 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Windows Image Acquisition (WIA) service entered the running state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
Date: 4/15/2012
Time: 2:00:07 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The system detected that network adapter Intel(R) PRO/Wireless 3945ABG Network Connection was connected to the network, and has initiated normal operation over the network adapter.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....i..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........


----------



## Cookiegal (Aug 27, 2003)

Let's try this:

Go to *Start* - *Run* - type in *cmd* and click OK.

At the command prompt type in:

*netsh winsock reset catalog*

Press enter.

then type in:

*netsh int ip reset resetlog.txt*

Press enter.

You will need to reboot afterwards.

Then let me know if you still have this problem at 2:00 a.m. You may have to update the driver for your wireless adapter or we can uninstall and reinstall TCPIP. Something is causing the connection to time out at 2:00 a.m. It could be something is wrong with the configuration.


----------



## NightOwl323 (Mar 20, 2012)

Did as you requested. Computer still came on at 2am.
Here's the event viewer log from today's activation.

Event Type: Information
Event Source: E100B
Event Category: None
Event ID: 19
Date: 4/16/2012
Time: 2:00:01 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Intel(R) PRO/100 VE Network Connection driver has been started
Data:
0000: 00 00 04 00 02 00 58 00 ......X.
0008: 00 00 00 00 13 00 04 40 .......@
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 13 00 04 40 ...@

Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1009
Date: 4/16/2012
Time: 2:00:05 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
A network error occurred when trying to send a message. The error code is: An operation was attempted on something that is not a socket. .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 36 27 00 00 6'..

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4202
Date: 4/16/2012
Time: 2:00:05 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The system detected that network adapter Intel(R) PRO/Wireless 3945ABG Network Connection was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 6a 10 00 40 ....j..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
Date: 4/16/2012
Time: 2:00:15 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The system detected that network adapter Intel(R) PRO/Wireless 3945ABG Network Connection was connected to the network, and has initiated normal operation over the network adapter.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....i..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 4/16/2012
Time: 2:00:19 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Windows Image Acquisition (WIA) service entered the running state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------
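The Event Viewer records pasted in this thread can be parsed and grouped by time of day to see which events recur at the same minute on different days and which ones open each burst. This is an added example, not part of any post; the function names are hypothetical and `SAMPLE` is constructed from abridged records in the layout posted above.

```python
import re
from collections import defaultdict
from datetime import datetime

FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|"
                   r"Date|Time|User|Computer):\s*(.*)$")


def parse_events(text):
    """Parse Event Viewer records pasted as 'Field: value' text, oldest first."""
    raw, cur, in_desc = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":      # a new record starts here
            cur, in_desc = {"desc": []}, False
            raw.append(cur)
        if cur is None:
            continue                              # text before the first record
        if m and not in_desc:
            cur[m.group(1)] = m.group(2)
        elif line == "Description:":
            in_desc = True
        elif line == "Data:":
            in_desc = False                       # hex dump follows; skipped
        elif in_desc and line:
            cur["desc"].append(line)
    events = []
    for r in raw:
        try:
            when = datetime.strptime(f"{r['Date']} {r['Time']}",
                                     "%m/%d/%Y %I:%M:%S %p")
            events.append({"when": when, "type": r["Event Type"],
                           "source": r["Event Source"], "id": int(r["Event ID"]),
                           "desc": " ".join(r["desc"])})
        except (KeyError, ValueError):
            continue                              # record cut off mid-paste
    return sorted(events, key=lambda e: e["when"])


def slot_of(event):
    return (event["when"].hour, event["when"].minute)


def recurring_slots(events, min_days=2):
    """{(hour, minute): [dates]} for minutes that have events on >= min_days days."""
    days = defaultdict(set)
    for e in events:
        days[slot_of(e)].add(e["when"].date())
    return {s: sorted(d) for s, d in days.items() if len(d) >= min_days}


def burst_openers(events, slot):
    """First (source, id) logged in the slot on each day."""
    first = {}
    for e in events:
        if slot_of(e) == slot:
            first.setdefault(e["when"].date(), (e["source"], e["id"]))
    return first


def common_events(events, slot):
    """(source, id) pairs present in the slot on every day it occurred."""
    per_day = defaultdict(set)
    for e in events:
        if slot_of(e) == slot:
            per_day[e["when"].date()].add((e["source"], e["id"]))
    return set.intersection(*per_day.values()) if per_day else set()


def record(etype, source, eid, date, time, desc):
    """Render one record in the text layout used in the posts (sample builder)."""
    return (f"Event Type: {etype}\nEvent Source: {source}\nEvent Category: None\n"
            f"Event ID: {eid}\nDate: {date}\nTime: {time}\nUser: N/A\n"
            f"Computer: LEVOFFLAPTOP\nDescription:\n{desc}\n\n")


HEX = "\nData:\n0000: 00 00 00 00 02 00 50 00 ......P."
DOWN = "The system detected that network adapter was disconnected." + HEX
UP = "The system detected that network adapter was connected." + HEX
BUSY = "Task Scheduling Error: Continuously busy for more than a second"
WIA = "The Windows Image Acquisition (WIA) service entered the running state."

# Constructed sample: abridged from records posted in this thread.
SAMPLE = "".join(record(*r) for r in [
    ("Error", "Bonjour Service", 100, "3/31/2012", "2:11:49 AM", BUSY),
    ("Error", "Bonjour Service", 100, "4/1/2012", "3:31:44 AM", BUSY),
    ("Information", "Tcpip", 4202, "4/15/2012", "2:00:00 AM", DOWN),
    ("Information", "E100B", 19, "4/15/2012", "2:00:01 AM", "driver has been started"),
    ("Information", "Tcpip", 4201, "4/15/2012", "2:00:05 AM", UP),
    ("Information", "Service Control Manager", 7036, "4/15/2012", "2:00:05 AM", WIA),
    ("Information", "E100B", 19, "4/16/2012", "2:00:01 AM", "driver has been started"),
    ("Warning", "Dhcp", 1009, "4/16/2012", "2:00:05 AM", "A network error occurred."),
    ("Information", "Tcpip", 4202, "4/16/2012", "2:00:05 AM", DOWN),
    ("Information", "Tcpip", 4201, "4/16/2012", "2:00:15 AM", UP),
    ("Information", "Service Control Manager", 7036, "4/16/2012", "2:00:19 AM", WIA),
])

if __name__ == "__main__":
    evts = parse_events(SAMPLE)
    for slot, dates in recurring_slots(evts).items():
        print("recurring at %02d:%02d on" % slot, [str(d) for d in dates])
        print("  opens with:", burst_openers(evts, slot))
        print("  always present:", sorted(common_events(evts, slot)))
```

On this sample only the 02:00 slot recurs; the Bonjour errors fall at a different time on each day, and the Dhcp warning appears on one day only.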



## NightOwl323 (Mar 20, 2012)

I also tried "update driver" for the wireless card under the device manager, but the computer indicated that there was no more current driver available.


----------



## Cookiegal (Aug 27, 2003)

1. Locate the file - *C:\Windows\inf\nettcpip.inf*
 It's important that you first make a copy of the file for backup purposes. Right-click the file and select "copy", then right-click in an empty space on your desktop and select "paste" to drop the copy of the file there.
 Once you have done that, use Notepad to open the original file for editing.

2. Locate the *[MS_TCPIP.PrimaryInstall]* section.

3. Edit the *Characteristics = 0xA0* entry and replace 0xA0 with 0x80.

4. Save the file, and then exit Notepad.

5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select *Properties*.

6. On the *General* tab, click *Install*, select *Protocol*, and then click *Add*.

7. In the Select *Network Protocols* window, click *Have Disk*.

8. In the Copy manufacturers files from: text box, type *c:\windows\inf*, and then click *OK*.

9. Select *Internet Protocol (TCP/IP)*, and then click *OK*.

Note: This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.

10. Select *Internet Protocol (TCP/IP)*, click *Uninstall*, and then click *Yes*.

11. It is important that you restart the computer to complete the uninstall.

------------

Step #2 - Reinstall of TCP/IP 

Take the nettcpip.inf which you have earlier copied to Desktop. Move it back to the directory C:\Windows\INF\ overwriting the existing copy. The file shall now look exactly like the sample above.

Redo sub-steps 4-11 to re-install TCP/IP (in step 10 click on "Install").


----------
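Why changing 0xA0 to 0x80 in step 3 makes the Uninstall button available: 0xA0 is `NCF_HAS_UI` (0x80) plus `NCF_NOT_USER_REMOVABLE` (0x20) from netcfgx.h, so the edit clears only the "not user removable" bit. The sketch below is an added example, not part of the post: it applies that change to the one section named in step 2, keeps a backup as step 1 requires, and can put the bit back. The function names are hypothetical, and `SAMPLE_INF` with its `[Example.OtherInstall]` section is a constructed fragment, not the contents of the real nettcpip.inf; the file is assumed to be single-byte encoded.

```python
import re
import shutil
from pathlib import Path

NCF_NOT_USER_REMOVABLE = 0x20   # netcfgx.h: component cannot be removed via the UI
SECTION = re.compile(r"^\s*\[([^\]]+)\]")
CHARACTERISTICS = re.compile(
    r"^(\s*Characteristics\s*=\s*)(0[xX][0-9A-Fa-f]+)(.*)$", re.I | re.S)


def set_removable(inf_text, removable, section="MS_TCPIP.PrimaryInstall"):
    """Clear (removable=True) or set NCF_NOT_USER_REMOVABLE in one INF section.

    Only the Characteristics line inside `section` is rewritten; comments,
    other sections and line endings are preserved.
    Returns (new_text, (old_value, new_value)).
    """
    out, current, change = [], None, None
    for line in inf_text.splitlines(keepends=True):
        s = SECTION.match(line)
        if s:
            current = s.group(1).strip().lower()
        m = CHARACTERISTICS.match(line)   # lines starting with ';' never match
        if m and current == section.lower():
            old = int(m.group(2), 16)
            if removable:
                new = old & ~NCF_NOT_USER_REMOVABLE
            else:
                new = old | NCF_NOT_USER_REMOVABLE
            line = f"{m.group(1)}0x{new:X}{m.group(3)}"
            change = (old, new)
        out.append(line)
    if change is None:
        raise ValueError(f"no Characteristics entry found in [{section}]")
    return "".join(out), change


def patch_file(path, removable, backup_suffix=".bak"):
    """Edit the INF in place, keeping the first pristine copy next to it."""
    path = Path(path)
    backup = path.with_name(path.name + backup_suffix)
    if not backup.exists():
        shutil.copy2(path, backup)
    # Assumption: single-byte encoding; latin-1 round-trips every byte unchanged.
    text = path.read_bytes().decode("latin-1")
    new_text, change = set_removable(text, removable)
    path.write_bytes(new_text.encode("latin-1"))
    return backup, change


# Constructed fragment for illustration only.
SAMPLE_INF = (
    "[Version]\r\n"
    "Signature = \"$Windows NT$\"\r\n"
    "\r\n"
    "[MS_TCPIP.PrimaryInstall]\r\n"
    "; Characteristics = 0x00 (commented-out line is ignored)\r\n"
    "Characteristics = 0xA0 ; protocol flags\r\n"
    "\r\n"
    "[Example.OtherInstall]\r\n"
    "Characteristics = 0xA0\r\n"
)

if __name__ == "__main__":
    edited, (old, new) = set_removable(SAMPLE_INF, removable=True)
    print(f"Characteristics: {old:#x} -> {new:#x}")
    restored, _ = set_removable(edited, removable=False)
    print("round trip restores original:", restored == SAMPLE_INF)
```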



## NightOwl323 (Mar 20, 2012)

The last step in the reinstall went a little differently than your instructions, but I assume, since I got back my internet, I installed it correctly? 
I'll let you know how 2am goes tonight.
As an aside, as a fellow woman working in a male-dominated industry, I just feel compelled to tell you that you rock! It's so nice to deal with a technologically savvy woman.


----------



## NightOwl323 (Mar 20, 2012)

Hi CookieGal,
So the computer started at 2am again. I pasted all the events again from 2am below. But I also looked at what preceded it. Strange but the event below (the first one pasted) appears 42 times between 12:21 - 12:28 am. Looks like this happened yesterday too. This might be something new since I uninstalled and re-installed TCPIP. Anyway, here's all the info. As always, thanks for your help.

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
Date: 4/19/2012
Time: 11:52:48 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The system detected that network adapter \DEVICE\TCPIP_{D484A55B-A6C8-4FFF-86AC-4AA88FCDDAF3} was connected to the network, and has initiated normal operation over the network adapter.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....i..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

_________________________________________________________________________________
Events beginning with 2am

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4202
Date: 4/20/2012
Time: 2:00:00 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The system detected that network adapter \DEVICE\TCPIP_{D484A55B-A6C8-4FFF-86AC-4AA88FCDDAF3} was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 6a 10 00 40 ....j..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Information
Event Source: E100B
Event Category: None
Event ID: 19
Date: 4/20/2012
Time: 2:00:01 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Intel(R) PRO/100 VE Network Connection driver has been started
Data:
0000: 00 00 04 00 02 00 58 00 ......X.
0008: 00 00 00 00 13 00 04 40 .......@
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 13 00 04 40 ...@

Event Type: Warning
Event Source: BROWSER
Event Category: None
Event ID: 8021
Date: 4/20/2012
Time: 2:00:04 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The browser was unable to retrieve a list of servers from the browser master \\LEVOFFDESKTOP on the network \Device\NetBT_Tcpip_{D484A55B-A6C8-4FFF-86AC-4AA88FCDDAF3}. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: cf 04 00 00 Ï...

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
Date: 4/20/2012
Time: 2:00:05 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The system detected that network adapter \DEVICE\TCPIP_{D484A55B-A6C8-4FFF-86AC-4AA88FCDDAF3} was connected to the network, and has initiated normal operation over the network adapter.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....i..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 4/20/2012
Time: 2:00:05 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Windows Image Acquisition (WIA) service entered the running state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
Date: 4/20/2012
Time: 2:00:07 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The system detected that network adapter \DEVICE\TCPIP_{D484A55B-A6C8-4FFF-86AC-4AA88FCDDAF3} was connected to the network, and has initiated normal operation over the network adapter.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....i..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: 4/20/2012
Time: 2:00:27 AM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The time service is now synchronizing the system time with the time source time.windows.com (ntp.m|0x1|192.168.2.5:123->65.55.21.13:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

I would try updating the driver by downloading the first one at the following link (it's the 32-bit version):

http://downloadcenter.intel.com/Det...OSFullname=Windows+XP++Professional*&lang=eng

After installing that let me know tomorrow if there are still similar events in the Event Viewer around 2:00 a.m. (or a bit before).

So I assume you leave the computer on all night? Is it connected or not during this time?
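An added example, not part of the thread's posts: one way to check pasted Event Viewer records for the pattern being chased here, a Tcpip 4202 release followed by a 4201 reconnect at the same clock time on different days. The function names, the 30-second window, the 5-minute slots and the 4/19 2:00 AM records are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Records in the Event Viewer copy-to-clipboard layout seen in this thread.
# The 4/20 entries mirror the post; the 4/19 2:00 AM pair is constructed.
SAMPLE = """\
Event Type: Information
Event Source: Tcpip
Event ID: 4202
Date: 4/19/2012
Time: 2:00:01 AM
Event Type: Information
Event Source: Tcpip
Event ID: 4201
Date: 4/19/2012
Time: 2:00:06 AM
Event Type: Information
Event Source: Tcpip
Event ID: 4201
Date: 4/19/2012
Time: 11:52:48 PM
Event Type: Information
Event Source: Tcpip
Event ID: 4202
Date: 4/20/2012
Time: 2:00:00 AM
Event Type: Information
Event Source: Tcpip
Event ID: 4201
Date: 4/20/2012
Time: 2:00:05 AM
"""

FIELD_RE = re.compile(r"^(Event Type|Event Source|Event ID|Date|Time): (.*)$")

def parse_events(text):
    """Return sorted (timestamp, source, event_id) tuples; other lines are ignored."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # description text, hex data, separators
        key, value = m.groups()
        if key == "Event Type":  # first field of every record
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = value.strip()
    events = []
    for r in records:
        if not {"Event Source", "Event ID", "Date", "Time"} <= r.keys():
            continue  # incomplete paste
        # Assumes the US M/D/YYYY, 12-hour format used in the thread.
        when = datetime.strptime(f"{r['Date']} {r['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append((when, r["Event Source"], int(r["Event ID"])))
    return sorted(events)

def adapter_resets(events, window=timedelta(seconds=30)):
    """Times of a Tcpip 4202 (released) followed by a 4201 (connected) within window."""
    resets, dropped = [], None
    for when, source, event_id in events:
        if source != "Tcpip":
            continue
        if event_id == 4202:
            dropped = when
        elif event_id == 4201 and dropped is not None and when - dropped <= window:
            resets.append(dropped)
            dropped = None
    return resets

def recurring_slots(resets, slot_minutes=5, min_days=2):
    """Clock-time slots in which a reset happened on at least min_days dates."""
    days = defaultdict(set)
    for r in resets:
        slot = (r.hour * 60 + r.minute) // slot_minutes * slot_minutes
        days[slot].add(r.date())
    return {f"{s // 60:02d}:{s % 60:02d}": len(d)
            for s, d in sorted(days.items()) if len(d) >= min_days}

if __name__ == "__main__":
    print(recurring_slots(adapter_resets(parse_events(SAMPLE))))
```

A slot that repeats across dates points at something timed (a scheduled task or a BIOS wake setting) rather than a flaky adapter; the isolated 11:52:48 PM reconnect is ignored because no release precedes it.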


----------



## NightOwl323 (Mar 20, 2012)

I tried to install the driver, but got the following message:
"The installed version of Intel PROset is not supported for upgrades. You must uninstall it before you install this version."
I was going to uninstall it in the Device Manager, but I was concerned that I might uninstall the wrong thing. Can you confirm what I'm uninstalling exactly? Is it under the device manager for "network adapters?" And if it is, of the three items, two are Intel PRO items. For which one do I uninstall the driver? (Feeling a little stupid here)


----------



## Cookiegal (Aug 27, 2003)

Can you post a screenshot of what you're seeing in the Device Manager for the network adapter please?


----------



## NightOwl323 (Mar 20, 2012)

Here's the screenshot. Computer seems to restart at 12:15 am and at 2 am now. Checked the event viewer, and the events are the same as I've posted before.
No, this computer is not on all night. It's a laptop, so I close it and it goes into standby. If I do a proper complete shutdown, it does not start at 2am. I'm not positive about hibernate mode, but I'm pretty sure it doesn't start then either. This laptop is connected, via wireless router, to my desktop, which IS on 24 hours a day. (Well, it's connected in theory. The wireless is working, but since the infection and our cleaning, I haven't been able to reestablish a connection to the network path I had set up.)


----------



## Cookiegal (Aug 27, 2003)

Yes, that's right. It's the one in the middle:

Intel® PRO/100 VE Network Connection


----------



## NightOwl323 (Mar 20, 2012)

I uninstalled the driver and restarted the computer. When it rebooted, it automatically installed driver software and had me reboot again. I have no way of knowing if it installed the driver I downloaded at your request, or if it installed whatever driver software was already sitting on my machine. I tried installing the downloaded one again just in case, and as expected, it didn't let me. Does it matter? Is there a way to check?


----------



## Cookiegal (Aug 27, 2003)

Double-click the driver in Device Manager and another screen will open up. Click on the Driver Tab and then on the button that says Driver Details. What is the file version there?


----------



## NightOwl323 (Mar 20, 2012)

8.0.21.0101
There are actually 6 driver files listed under that tab. The first, though, is under the DRIVERS sub-folder inside C:\WINDOWS\System32, and that's the one I listed.
The rest are directly in the system32 folder


----------



## NightOwl323 (Mar 20, 2012)

Looks like you had me download version 17. So do I need to delete the driver from the drivers folder so it can't be reinstalled upon reboot?


----------



## Cookiegal (Aug 27, 2003)

I've asked for some assistance from my fellow moderators on this as hardware is not really my "thang".


----------



## Triple6 (Dec 26, 2002)

This really sounds like there is a task set to run at those times; either in Task Scheduler or in the BIOS of the laptop.

Open Task Scheduler, then go to View and click on Show Hidden Tasks.

What are the tasks listed?


----------



## TerryNet (Mar 23, 2005)

Download the ethernet and wireless drivers from the laptop manufacturer's web site. If they are .exe files (such as HP and Dell typically supply) just run them and they will each self-extract and self-install the driver. If they are not .exe files, what kind are they?


----------



## NightOwl323 (Mar 20, 2012)

Thanks for your help everybody!
Cookiegal, you were amazing. Truly. What are the final steps with the virus clean-up? Do I just uninstall Combofix and Delete Hijack This?


----------



## Cookiegal (Aug 27, 2003)

Was there a scheduled task or was it reinstalling the drivers that fixed it? I know we addressed the scheduled tasks early on in this thread.

Would you please post a final HijackThis so I can see if anything needs to be addressed there and then I'll post final instructions, including removing the tools we used.


----------



## NightOwl323 (Mar 20, 2012)

It was a scheduled task. When you found them before, I uninstalled the software. I didn't realize that uninstalling the program doesn't delete the tasks. So stupid. What's the point in leaving tasks that can't run? LOL

So everything else is great. Thanks so much. Here's the latest log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:03:46 PM, on 5/4/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe
C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\LILLY\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\LILLY\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10w_Plugin.exe -update plugin
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://www.efax.com
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://portal.omm.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1181342368703
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10501 bytes


----------



## Cookiegal (Aug 27, 2003)

Nah, I should have had you go back in there and check for leftover scheduled tasks. 

But everything looks fine now.

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the */uninstall*, it needs to be there (the screenshot is just for illustration purposes but the actual command uses the entire word "uninstall" and not just the "u" as shown in the picture).










Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

***

You should trim down your start-ups (these show as the O4 entries in your HijackThis log) as there are too many running. You can research them at these sites and if they aren't required at start-up then you can uncheck them in msconfig via Start - Run - type msconfig click OK and then click on the start-up tab.

http://www.systemlookup.com/lists.php?list=2
http://www.bleepingcomputer.com/startups/
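An added example, not part of the original post: a small parser that pulls the O4 start-up entries out of a HijackThis log and orders them for review, so the ones launched from unusual locations or without a full path are researched first. The sample lines are copied from the log posted in this thread; the function names, the bucket names and the C: drive paths are assumptions made for the example.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""

# Registry autoruns: "O4 - <hive>\..\Run: [value name] command line"
REG_RE = re.compile(r"^O4 - (?P<loc>HK[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Startup-folder shortcuts: "O4 - Global Startup: shortcut.lnk = target"
LNK_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# Program part of the command: a quoted path, or everything up to the first
# executable extension (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$))', re.I)

# Review order, most unusual first. Drive letter and folder names are
# assumptions that match this log (Windows XP installed on C:).
BUCKETS = ("other", "no-path", "program-files", "windows")

def bucket(target):
    """Classify a start-up target by where it is launched from."""
    t = target.lower()
    if "\\" not in t:
        return "no-path"  # bare file name, resolved through the search path
    if t.startswith("c:\\windows\\"):
        return "windows"
    if t.startswith(("c:\\program files\\", "c:\\progra~1\\")):
        return "program-files"
    return "other"

def parse_o4(log_text):
    """Return one dict per O4 line: location, name, target and bucket."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line) or LNK_RE.match(line)
        if not m:
            continue  # not an O4 line (O2, O23, ...) or an unknown shape
        cmd = m.group("cmd")
        exe = EXE_RE.match(cmd)
        target = (exe.group(1) or exe.group(2)) if exe else cmd
        entries.append({"location": m.group("loc"), "name": m.group("name"),
                        "target": target, "bucket": bucket(target)})
    return entries

def review_order(entries):
    """Stable sort so that entries in unusual locations come first."""
    return sorted(entries, key=lambda e: BUCKETS.index(e["bucket"]))

if __name__ == "__main__":
    for e in review_order(parse_o4(SAMPLE_LOG)):
        print(f'{e["bucket"]:14}{e["name"]:20}{e["target"]}')
```

The bucket only sets the order in which to look entries up; a file under the Windows or Program Files folders still has to be checked against the start-up lists linked above before it is unchecked in msconfig.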


----------



## NightOwl323 (Mar 20, 2012)

Hey. Before I do this, can you look at
forums.techguy.org/hardware/1053909-psychotic-possessed-keyboard.html#post8358261
to be sure this is not a virus issue? Eset finds nothing and neither does Malwarebytes Anti-Malware.
Thanks and so sorry I'm such a pain!


----------



## Cookiegal (Aug 27, 2003)

Remove the version of ComboFix that you have by dragging it to the Recycle Bin and then grab the latest version, disable security programs and run a new scan then post the log.

Please visit *Combofix Guide & Instructions* for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.


----------



## NightOwl323 (Mar 20, 2012)

Log attached.


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## NightOwl323 (Mar 20, 2012)

Application:

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 5/24/2012
Time: 9:27:59 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 5/24/2012
Time: 9:06:46 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
Hanging application firefox.exe, version 12.0.0.4493, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 66 69 72 65 66 6f firefo
0018: 78 2e 65 78 65 20 31 32 x.exe 12
0020: 2e 30 2e 30 2e 34 34 39 .0.0.449
0028: 33 20 69 6e 20 68 75 6e 3 in hun
0030: 67 61 70 70 20 30 2e 30 gapp 0.0
0038: 2e 30 2e 30 20 61 74 20 .0.0 at 
0040: 6f 66 66 73 65 74 20 30 offset 0
0048: 30 30 30 30 30 30 30 0000000

System:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7003
Date: 5/24/2012
Time: 10:01:02 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Intel(R) PROSet/Wireless Service service depends on the following nonexistent service: s24trans

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 5/24/2012
Time: 9:21:00 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Swupdtmr service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 5/24/2012
Time: 9:17:52 PM
User: N/A
Computer: LEVOFFLAPTOP
Description:
The Process Monitor service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:filefind
s24trans.*
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## NightOwl323 (Mar 20, 2012)

SystemLook 30.07.11 by jpshortstuff
Log created at 22:36 on 26/05/2012 by LILLY
Administrator - Elevation successful

========== filefind ==========

Searching for "s24trans.*"
C:\WINDOWS\inf\S24Trans.inf --a---- 7017 bytes [21:20 02/12/2005] [21:20 02/12/2005] F4FABD8BB3BA4846DE1471B1493EAADB
C:\WINDOWS\inf\S24Trans.PNF --a---- 12020 bytes [20:56 15/10/2006] [20:56 15/10/2006] EC4911B487D81E87214A650C537235F3

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Are you having problems with your wireless connection?


----------



## NightOwl323 (Mar 20, 2012)

I haven't had any trouble connecting, but my connection has been dramatically slower lately. Don't know if that's related.


----------



## Cookiegal (Aug 27, 2003)

I ask because of this error:

The Intel(R) PROSet/Wireless Service service depends on the following nonexistent service

Are you perhaps using some other type of wireless adapter?


----------



## NightOwl323 (Mar 20, 2012)

Nope. I haven't changed anything in years. 
So looks like keyboard issue not a virus, right? Am I reading the log right? Is it time for my laptop to retire? Lol


----------



## Cookiegal (Aug 27, 2003)

I don't think it's a virus issue. Perhaps try a repair install?


----------



## NightOwl323 (Mar 20, 2012)

I just wanted to eliminate virus as a possibility. Thanks so much.
Shall I do all the final uninstalls now to close this out? You must be fed up with me by now. Lol


----------



## Cookiegal (Aug 27, 2003)

You're welcome. Yes, please do. Not fed up at all.


----------



## NightOwl323 (Mar 20, 2012)

All done! I'll mark the topic "solved." Just wanted to tell you again that you have been amazing! I'm so grateful for this service and for all your time, patience, and amazing skills. I hope never to need your help again, but I'm so deprived to know that you all are here in a pinch. Best wishes to you and yours.


----------



## NightOwl323 (Mar 20, 2012)

Relieved.... not deprived. (Darn autocorrect)


----------



## Cookiegal (Aug 27, 2003)

NightOwl323 said:


> Relieved.... not deprived. (Darn autocorrect)


Ha! I was wondering about that. 

It was my pleasure (deprived or not).


----------

