
Author Topic: Virus Keeps Coming Back  (Read 6557 times)


jjcoolbud (Topic Starter)

    Virus Keeps Coming Back
    « on: November 20, 2011, 07:38:33 PM »
    I have a Toshiba laptop that had a virus back in March; I went to a local PC store and had the virus removed.  A few months later the virus came back and I had a friend remove that virus, and all was well for about a week, when the virus came back once again and was removed; it seems to be removed right now.  I am afraid this is going to happen again and want to know if you can check the HijackThis log here to tell me if there is something in it that I am not able to identify as a virus.  I did use the self-help scan tool but I don't really know what I am looking at.  The scan is here http://www.computerhope.com/cgi-bin/process.pl?o=20192628.

    I run McAfee AV on this laptop along with Malwarebytes and MS Windows Defender.  I did updates and scans with each of them two nights ago, both in normal mode and in safe mode, and none of them is returning any bad files; however, I am reluctant to trust that, as this has happened three times now.  I am wondering if there is a hidden rootkit file that the software is not picking up.

    I run the following system:


    OS Name   Microsoft® Windows Vista™ Home Premium
    Version   6.0.6002 Service Pack 2 Build 6002
    Other OS Description    Not Available
    OS Manufacturer   Microsoft Corporation
    System Name   CHARLENE-PC
    System Manufacturer   TOSHIBA
    System Model   Satellite A305
    System Type   X86-based PC
    Processor   Intel(R) Core(TM)2 Duo CPU     T5800  @ 2.00GHz, 2000 Mhz, 2 Core(s), 2 Logical Processor(s)
    BIOS Version/Date   INSYDE 1.50, 8/21/2008
    SMBIOS Version   2.4
    Windows Directory   C:\Windows
    System Directory   C:\Windows\system32
    Boot Device   \Device\HarddiskVolume2
    Locale   United States
    Hardware Abstraction Layer   Version = "6.0.6002.18005"
    User Name   Charlene-PC\Charlene
    Time Zone   Eastern Standard Time
    Installed Physical Memory (RAM)   3.00 GB
    Total Physical Memory   2.87 GB
    Available Physical Memory   2.02 GB
    Total Virtual Memory   5.95 GB
    Available Virtual Memory   4.70 GB
    Page File Space   3.16 GB
    Page File   C:\pagefile.sys


    Anything you can do to help me is appreciated.

    Thanks
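What a helper looks for first in a HijackThis or DDS log can be checked mechanically for the few items that matter most. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from DDS. It parses the one-entry-per-line "Pseudo HJT Report" and "FIREFOX" sections that DDS prints, using lines copied from the DDS output posted in Reply #2 as a constructed sample, and flags three things: browser proxy settings that point at 127.0.0.1 (the IE ProxyServer value and Firefox's network.proxy.* prefs), toolbar or BHO registrations whose DLL is gone ("No File"), and a loopback port that more than one browser is configured to use. A loopback proxy is set by some legitimate filtering software as well as by search- and ad-hijacking malware, so the finding is "identify the process listening on that port" (on Vista, netstat -abno from an administrator prompt shows the owning executable), not a verdict that the machine is infected. The Finding tags, the message wording and the handling of the ProxyServer value forms are choices made for this example, not part of the DDS format specification.

```python
"""Triage a DDS / HijackThis-style "Pseudo HJT Report" for proxy and orphan entries.

Added example for this page, not code from the thread or from the DDS tool.
SAMPLE_LOG is constructed from lines in the DDS output posted in Reply #2 and
is embedded so the script runs offline.
"""
import re
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: lines copied from the thread's DDS output.
SAMPLE_LOG = """\
uSearch Bar = Preserve
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:50384
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\\progra~1\\mcafee\\sitead~1\\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\\progra~1\\mcafee\\sitead~1\\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [mcui_exe] "c:\\program files\\mcafee.com\\agent\\mcagent.exe" /runkey
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50384
FF - prefs.js: network.proxy.type - 1
"""

# DDS prefixes the IE value with u (HKCU) or m (HKLM); both are worth seeing.
IE_PROXY = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
FF_PREF = re.compile(r"^FF - prefs\.js: (?P<name>\S+) - (?P<value>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # tag chosen for this example: ie_proxy_loopback, ff_proxy_loopback, orphan_entry, shared_loopback_port
    detail: str  # what to go and check
    line: str    # the log line that triggered it


def parse_ie_proxy(value: str):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    Accepts 'host:port' (one proxy for all protocols, reported as scheme 'all')
    and the per-protocol form 'http=host:port;https=host:port;...'.
    """
    proxies = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                       # no 'scheme=' prefix
            scheme, hostport = "all", part
        host, _, port = hostport.rpartition(":")
        if not host:                      # no port given at all
            host, port = hostport, ""
        proxies.append((scheme, host, int(port) if port.isdigit() else None))
    return proxies


def triage(log_text: str):
    """Return the Findings for one DDS/HJT log text, in the order they were detected."""
    findings = []
    ff_prefs = {}
    loopback_ports = {}  # port -> set of browsers pointed at 127.0.0.1:port

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IE_PROXY.match(line)
        if m:
            for scheme, host, port in parse_ie_proxy(m.group("value")):
                if host.lower() in LOOPBACK:
                    findings.append(Finding(
                        "ie_proxy_loopback",
                        f"IE routes {scheme} traffic through a local listener on port {port}; "
                        "identify the owning process (netstat -abno, administrator prompt)",
                        line))
                    loopback_ports.setdefault(port, set()).add("IE")
            continue
        m = FF_PREF.match(line)
        if m:
            ff_prefs[m.group("name")] = m.group("value").strip()
            continue
        if line.startswith(("TB:", "BHO:", "uURLSearchHooks:")) and line.endswith("- No File"):
            findings.append(Finding(
                "orphan_entry",
                "registration points at a DLL that no longer exists; leftover, safe to clean",
                line))

    # Firefox only honours network.proxy.http when network.proxy.type is 1 (manual).
    if ff_prefs.get("network.proxy.type") == "1":
        host = ff_prefs.get("network.proxy.http", "")
        port_s = ff_prefs.get("network.proxy.http_port", "")
        port = int(port_s) if port_s.isdigit() else None
        if host.lower() in LOOPBACK:
            findings.append(Finding(
                "ff_proxy_loopback",
                f"Firefox manual HTTP proxy is {host}:{port}",
                f"network.proxy.http - {host}"))
            loopback_ports.setdefault(port, set()).add("Firefox")

    for port, browsers in sorted(loopback_ports.items(), key=lambda kv: kv[0] or 0):
        if len(browsers) > 1:
            findings.append(Finding(
                "shared_loopback_port",
                f"port {port} is the proxy for {', '.join(sorted(browsers))}: one local "
                "process is in the path of all browser traffic; identify it before anything else",
                f"127.0.0.1:{port}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Run it as a script to print the findings for the embedded sample, or pass the text of a whole DDS.txt to triage(); lines outside the Pseudo HJT and FIREFOX formats are ignored. The check deliberately stops at "find the listener": a loopback proxy is only an indicator, and the process owning the port decides whether it is a filter you installed or something to remove.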

    SuperDave (Malware Removal Specialist, Moderator)

    Re: Virus Keeps Coming Back
    « Reply #1 on: November 20, 2011, 07:48:44 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer, you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.

    •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:

    •Close browsers before scanning
    •Scan for tracking cookies
    •Terminate memory threats before quarantining
    Please leave the others unchecked

    •Click the Close button to leave the control center screen.

    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes

    •To retrieve the removal information please do the following:
    •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    •Click Preferences. Click the Statistics/Logs tab.

    •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

    •It will open in your default text editor (preferably Notepad).
    •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    *Copy and Paste the log in your post.
    ********************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    *************************************************
    Download DDS from HERE or HERE and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall try to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.
    * Save both reports to your desktop.
    * The instructions here ask you to attach the Attach.txt.



    1) DDS.txt
    2) Attach.txt
    Instead of attaching, please copy/paste both logs into your Thread

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copying and pasting it into the reply.

    •Close the program window, and delete the program from your desktop.

    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE. Then post your DDS logs. (DDS.txt and Attach.txt )

      jjcoolbud (Topic Starter)


      Re: Virus Keeps Coming Back
      « Reply #2 on: November 22, 2011, 06:27:43 AM »
      SD,

      Here are the log files you requested.

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 11/21/2011 at 08:48 PM

      Application Version : 5.0.1136

      Core Rules Database Version : 7971
      Trace Rules Database Version: 5783

      Scan type       : Complete Scan
      Total Scan Time : 01:19:35

      Operating System Information
      Windows Vista Home Premium 32-bit, Service Pack 2 (Build 6.00.6002)
      UAC On - Limited User (Administrator User)

      Memory items scanned      : 761
      Memory threats detected   : 0
      Registry items scanned    : 37062
      Registry threats detected : 1
      File items scanned        : 199595
      File threats detected     : 10

      Adware.Tracking Cookie
         ad.yieldmanager.com [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         ad.yieldmanager.com [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         .atdmt.com [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         .atdmt.com [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         .liveperson.net [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         server.iad.liveperson.net [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         .liveperson.net [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         .doubleclick.net [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         accounts.google.com [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
         .doubleclick.net [ C:\USERS\CHARLENE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]

      System.BrokenFileAssociation
         HKCR\.exe
      Malwarebytes' Anti-Malware 1.51.2.1300
      www.malwarebytes.org

      Database version: 8213

      Windows 6.0.6002 Service Pack 2
      Internet Explorer 9.0.8112.16421

      11/22/2011 1:42:38 AM
      mbam-log-2011-11-22 (01-42-38).txt

      Scan type: Full scan (C:\|)
      Objects scanned: 322827
      Time elapsed: 2 hour(s), 16 minute(s), 18 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
      .
      DDS (Ver_2011-08-26.01) - NTFSx86
      Internet Explorer: 9.0.8112.16421
      Run by Charlene at 8:11:34 on 2011-11-22
      Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2939.1802 [GMT -5:00]
      .
      AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
      SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
      SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
      FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
      .
      ============== Running Processes ===============
      .
      C:\Windows\system32\wininit.exe
      C:\Windows\system32\lsm.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch
      C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
      C:\Windows\system32\svchost.exe -k rpcss
      C:\Windows\System32\svchost.exe -k secsvcs
      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      C:\Windows\system32\svchost.exe -k netsvcs
      C:\Windows\system32\svchost.exe -k GPSvcGroup
      C:\Windows\system32\SLsvc.exe
      C:\Windows\system32\svchost.exe -k LocalService
      C:\Windows\system32\svchost.exe -k NetworkService
      C:\Windows\system32\WLANExt.exe
      C:\Windows\System32\spoolsv.exe
      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
      C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
      C:\Windows\system32\agrsmsvc.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
      C:\Program Files\Intel\WiFi\bin\EvtEng.exe
      C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
      C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
      C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
      C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
      C:\Windows\system32\svchost.exe -k imgsvc
      C:\Windows\system32\rundll32.exe
      C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
      C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
      C:\Windows\system32\TODDSrv.exe
      C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
      C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
      C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
      C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      C:\Windows\System32\svchost.exe -k WerSvcGroup
      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
      C:\Windows\system32\SearchIndexer.exe
      C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
      C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
      C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
      C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe
      C:\Windows\system32\Dwm.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\Explorer.EXE
      C:\Windows\system32\taskeng.exe
      C:\Windows\system32\taskeng.exe
      C:\Windows\System32\hkcmd.exe
      C:\Windows\System32\igfxpers.exe
      C:\Program Files\Toshiba\SmoothView\SmoothView.exe
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
      C:\Windows\system32\igfxsrvc.exe
      C:\Program Files\Common Files\Java\Java Update\jusched.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Windows Media Player\wmpnscfg.exe
      C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
      C:\Users\Charlene\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe
      C:\Program Files\Windows Media Player\wmpnetwk.exe
      C:\Windows\system32\wbem\unsecapp.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      C:\Program Files\McAfee.com\Agent\mcagent.exe
      C:\Windows\system32\SearchProtocolHost.exe
      C:\Windows\system32\SearchFilterHost.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      .
      ============== Pseudo HJT Report ===============
      .
      uSearch Bar = Preserve
      uStart Page = hxxp://www.google.com/
      uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
      mStart Page = hxxp://www.toshibadirect.com/dpdstart
      mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
      uInternet Settings,ProxyOverride = *.local;<local>
      uInternet Settings,ProxyServer = http=127.0.0.1:50384
      uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
      BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
      BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
      BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111116193436.dll
      BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
      BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
      BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
      TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
      TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
      TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
      TB: {54BA686E-738F-42FE-BADD-D8CB7CFBC07E} - No File
      uRun: [Google Update] "c:\users\charlene\appdata\local\google\update\GoogleUpdate.exe" /c
      uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
      mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
      mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
      mRun: [Persistence] c:\windows\system32\igfxpers.exe
      mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
      mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
      mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
      mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
      mRun: [NDSTray.exe] NDSTray.exe
      mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
      mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
      mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
      StartupFolder: c:\users\charlene\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
      mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
      mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
      IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
      IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
      IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
      IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
      DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
      DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
      TCP: DhcpNameServer = 192.168.1.254 192.168.2.1
      TCP: Interfaces\{D10FDEFF-7A49-40B5-8D72-5A517D8C2E45} : DhcpNameServer = 192.168.1.254 192.168.2.1
      Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
      Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
      Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
      Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
      Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
      Notify: igfxcui - igfxdev.dll
      SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
      .
      ================= FIREFOX ===================
      .
      FF - ProfilePath - c:\users\charlene\appdata\roaming\mozilla\firefox\profiles\dofjlxqi.default\
      FF - prefs.js: browser.search.selectedEngine - Secure Search
      FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
      FF - prefs.js: network.proxy.http - 127.0.0.1
      FF - prefs.js: network.proxy.http_port - 50384
      FF - prefs.js: network.proxy.type - 1
      FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
      FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - plugin: c:\program files\microsoft\office live\npOLW.dll
      FF - plugin: c:\program files\mozilla firefox\extensions\[email protected]\plugins\npGameTapWebPlayer.dll
      FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
      FF - plugin: c:\users\charlene\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
      FF - Ext: GameTap: [email protected] - c:\program files\mozilla firefox\extensions\[email protected]
      FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
      FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
      .
      ============= SERVICES / DRIVERS ===============
      .
      R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 464176]
      R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-3-27 64880]
      R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-3-27 165680]
      R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
      R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
      R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
      R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-7-10 40960]
      R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
      R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-27 214904]
      R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-27 214904]
      R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-27 214904]
      R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-27 214904]
      R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-27 166288]
      R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-27 160608]
      R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2011-3-27 150856]
      R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-14 62776]
      R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
      R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-27 57600]
      R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-14 7168]
      R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-27 180816]
      R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-27 59456]
      R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-27 338176]
      R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-4-28 3658752]
      R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
      S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
      S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-2 135664]
      S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-3-28 39272]
      S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-22 1493352]
      S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-2 135664]
      S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-14 22216]
      S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-27 87656]
      S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2011-2-24 10112]
      S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
      S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
      S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-14 366152]
      S4 McOobeSv;McAfee OOBE Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-27 214904]
      .
      =============== Created Last 30 ================
      .
      2011-11-22 04:14:18   56200   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{518345a7-5913-44ec-aa93-cba0782b8eb7}\offreg.dll
      2011-11-22 00:40:06   6668624   ----a-w-   c:\programdata\microsoft\windows defender\definition updates\{518345a7-5913-44ec-aa93-cba0782b8eb7}\mpengine.dll
      2011-11-22 00:26:23   --------   d-----w-   c:\users\charlene\appdata\roaming\SUPERAntiSpyware.com
      2011-11-22 00:25:34   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
      2011-11-22 00:25:34   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2011-11-17 19:50:32   --------   d-----w-   c:\users\charlene\appdata\local\{DD8C1D12-A72F-45B2-8BDD-8EE0FB54CBD4}
      2011-11-17 19:35:14   388096   ----a-r-   c:\users\charlene\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
      2011-11-17 00:36:56   293376   ----a-w-   c:\windows\system32\psisdecd.dll
      2011-11-17 00:36:56   217088   ----a-w-   c:\windows\system32\psisrndr.ax
      2011-11-17 00:36:55   69632   ----a-w-   c:\windows\system32\Mpeg2Data.ax
      2011-11-17 00:36:54   57856   ----a-w-   c:\windows\system32\MSDvbNP.ax
      2011-11-17 00:36:51   2043392   ----a-w-   c:\windows\system32\win32k.sys
      2011-11-17 00:36:47   2409784   ----a-w-   c:\program files\windows mail\OESpamFilter.dat
      2011-11-17 00:36:23   905088   ----a-w-   c:\windows\system32\drivers\tcpip.sys
      2011-11-17 00:36:14   555520   ----a-w-   c:\windows\system32\UIAutomationCore.dll
      2011-11-17 00:36:14   238080   ----a-w-   c:\windows\system32\oleacc.dll
      2011-11-17 00:36:13   563712   ----a-w-   c:\windows\system32\oleaut32.dll
      2011-11-17 00:36:13   4096   ----a-w-   c:\windows\system32\oleaccrc.dll
      2011-11-17 00:35:47   707584   ----a-w-   c:\program files\common files\system\wab32.dll
      2011-11-17 00:34:36   28760   ----a-w-   c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
      .
      ==================== Find3M  ====================
      .
      2011-10-15 18:16:16   9608   ----a-w-   c:\windows\system32\drivers\mfeclnk.sys
      2011-10-15 18:16:16   87656   ----a-w-   c:\windows\system32\drivers\mferkdet.sys
      2011-10-15 18:16:16   64880   ----a-w-   c:\windows\system32\drivers\mfenlfk.sys
      2011-10-15 18:16:16   59456   ----a-w-   c:\windows\system32\drivers\mfebopk.sys
      2011-10-15 18:16:16   57600   ----a-w-   c:\windows\system32\drivers\cfwids.sys
      2011-10-15 18:16:16   464176   ----a-w-   c:\windows\system32\drivers\mfehidk.sys
      2011-10-15 18:16:16   338176   ----a-w-   c:\windows\system32\drivers\mfefirek.sys
      2011-10-15 18:16:16   180816   ----a-w-   c:\windows\system32\drivers\mfeavfk.sys
      2011-10-15 18:16:16   165680   ----a-w-   c:\windows\system32\drivers\mfewfpk.sys
      2011-10-15 18:16:16   121256   ----a-w-   c:\windows\system32\drivers\mfeapfk.sys
      2011-09-01 02:35:59   1798144   ----a-w-   c:\windows\system32\jscript9.dll
      2011-09-01 02:28:15   1126912   ----a-w-   c:\windows\system32\wininet.dll
      2011-09-01 02:22:54   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
      2011-08-31 22:00:50   22216   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2011-04-16 18:26:20   702464   ----a-w-   c:\program files\Uninstall Retrogamer.dll
      .
      ============= FINISH:  8:16:10.39 ===============


      .
      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
      IF REQUESTED, ZIP IT UP & ATTACH IT
      .
      DDS (Ver_2011-08-26.01)
      .
      Microsoft® Windows Vista™ Home Premium
      Boot Device: \Device\HarddiskVolume2
      Install Date: 11/30/2010 11:21:15 PM
      System Uptime: 11/21/2011 11:13:51 PM (9 hours ago)
      .
      Motherboard: Intel Corp. |  | Base Board Product Name
      Processor: Intel(R) Core(TM)2 Duo CPU     T5800  @ 2.00GHz | CPU | 2000/800mhz
      .
      ==== Disk Partitions =========================
      .
      C: is FIXED (NTFS) - 297 GiB total, 258.12 GiB free.
      D: is CDROM ()
      .
      ==== Disabled Device Manager Items =============
      .
      ==== System Restore Points ===================
      .
      RP263: 11/17/2011 3:00:44 AM - Windows Update
      RP264: 11/17/2011 2:34:43 PM - Installed HiJackThis
      RP265: 11/21/2011 7:39:35 PM - Windows Update
      .
      ==== Installed Programs ======================
      .
       Update for Microsoft Office 2007 (KB2508958)
      2007 Microsoft Office system
      Adobe Flash Player 10 ActiveX
      Adobe Reader 8.2.0
      Amazon Links
      Apple Application Support
      Apple Mobile Device Support
      Apple Software Update
      Bluetooth Stack for Windows by Toshiba
      Bonjour
      Camera Assistant Software for Toshiba
      CCleaner
      CD/DVD Drive Acoustic Silencer
      CyberLink PowerCinema for TOSHIBA
      D3DX10
      DVD MovieFactory for TOSHIBA
      Google Chrome
      Google Update Helper
      HiJackThis
      Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
      Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
      Intel PROSet Wireless
      Intel(R) Graphics Media Accelerator Driver
      Intel(R) PROSet/Wireless WiFi Software
      Intel® Matrix Storage Manager
      iTunes
      Java Auto Updater
      Java(TM) 6 Update 22
      Java(TM) 6 Update 6
      Junk Mail filter update
      Malwarebytes' Anti-Malware version 1.51.2.1300
      McAfee SecurityCenter
      Microsoft .NET Framework 3.5 SP1
      Microsoft .NET Framework 4 Client Profile
      Microsoft Application Error Reporting
      Microsoft Office 2007 Service Pack 2 (SP2)
      Microsoft Office Access MUI (English) 2007
      Microsoft Office Access Setup Metadata MUI (English) 2007
      Microsoft Office Excel MUI (English) 2007
      Microsoft Office File Validation Add-In
      Microsoft Office Home and Student 2007
      Microsoft Office Live Add-in 1.3
      Microsoft Office OneNote MUI (English) 2007
      Microsoft Office Outlook Connector
      Microsoft Office Outlook MUI (English) 2007
      Microsoft Office PowerPoint MUI (English) 2007
      Microsoft Office Professional Hybrid 2007
      Microsoft Office Proof (English) 2007
      Microsoft Office Proof (French) 2007
      Microsoft Office Proof (Spanish) 2007
      Microsoft Office Proofing (English) 2007
      Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
      Microsoft Office Publisher MUI (English) 2007
      Microsoft Office Shared MUI (English) 2007
      Microsoft Office Shared Setup Metadata MUI (English) 2007
      Microsoft Office Suite Activation Assistant
      Microsoft Office Word MUI (English) 2007
      Microsoft Search Enhancement Pack
      Microsoft Silverlight
      Microsoft SQL Server 2005 Compact Edition [ENU]
      Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
      Microsoft Visual C++ 2005 Redistributable
      Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
      Microsoft XML Parser
      Mozilla Firefox (3.5.2)
      MSVCRT
      MSXML 4.0 SP2 (KB941833)
      MSXML 4.0 SP2 (KB954430)
      MSXML 4.0 SP2 (KB973688)
      OGA Notifier 2.0.0048.0
      OpenOffice.org 3.3
      Picasa 2
      QuickBooks Financial Center
      QuickTime
      Realtek 8169 8168 8101E 8102E Ethernet Driver
      Realtek High Definition Audio Driver
      RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
      Security Update for 2007 Microsoft Office System (KB2288621)
      Security Update for 2007 Microsoft Office System (KB2288931)
      Security Update for 2007 Microsoft Office System (KB2345043)
      Security Update for 2007 Microsoft Office System (KB2553074)
      Security Update for 2007 Microsoft Office System (KB2553089)
      Security Update for 2007 Microsoft Office System (KB2553090)
      Security Update for 2007 Microsoft Office System (KB2584063)
      Security Update for 2007 Microsoft Office System (KB969559)
      Security Update for 2007 Microsoft Office System (KB976321)
      Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
      Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
      Security Update for Microsoft Office Access 2007 (KB979440)
      Security Update for Microsoft Office Excel 2007 (KB2553073)
      Security Update for Microsoft Office InfoPath 2007 (KB979441)
      Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
      Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
      Security Update for Microsoft Office Publisher 2007 (KB2284697)
      Security Update for Microsoft Office system 2007 (972581)
      Security Update for Microsoft Office system 2007 (KB974234)
      Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
      Security Update for Microsoft Office Word 2007 (KB2344993)
      Security Update for Windows Media Encoder (KB2447961)
      Security Update for Windows Media Encoder (KB954156)
      Security Update for Windows Media Encoder (KB979332)
      Segoe UI
      SUPERAntiSpyware
      Synaptics Pointing Device Driver
      TOSHIBA Application Disc Creator
      TOSHIBA Assist
      TOSHIBA ConfigFree
      TOSHIBA Desktop Links
      TOSHIBA Disc Creator
      TOSHIBA DVD PLAYER
      TOSHIBA Extended Tiles for Windows Mobility Center
      TOSHIBA Face Recognition
      TOSHIBA Hardware Setup
      TOSHIBA PowerCinema Helper
      Toshiba Registration
      TOSHIBA SD Memory Utilities
      TOSHIBA Service Station
      TOSHIBA Software Modem
      TOSHIBA Speech System Applications
      TOSHIBA Speech System SR Engine(U.S.) Version1.0
      TOSHIBA Speech System TTS Engine(U.S.) Version1.0
      TOSHIBA Supervisor Password
      TOSHIBA Value Added Package
      Update for 2007 Microsoft Office System (KB967642)
      Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
      Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
      Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
      Update for Microsoft Office 2007 Help for Common Features (KB963673)
      Update for Microsoft Office 2007 System (KB2539530)
      Update for Microsoft Office Access 2007 Help (KB963663)
      Update for Microsoft Office Excel 2007 Help (KB963678)
      Update for Microsoft Office OneNote 2007 (KB980729)
      Update for Microsoft Office OneNote 2007 Help (KB963670)
      Update for Microsoft Office Outlook 2007 (KB2583910)
      Update for Microsoft Office Outlook 2007 Help (KB963677)
      Update for Microsoft Office Powerpoint 2007 Help (KB963669)
      Update for Microsoft Office Publisher 2007 Help (KB963667)
      Update for Microsoft Office Script Editor Help (KB963671)
      Update for Microsoft Office Word 2007 Help (KB963665)
      Update for Outlook 2007 Junk Email Filter (KB2596560)
      WildTangent Games
      Windows Live Communications Platform
      Windows Live Essentials
      Windows Live Family Safety
      Windows Live ID Sign-in Assistant
      Windows Live Installer
      Windows Live Mail
      Windows Live Messenger
      Windows Live MIME IFilter
      Windows Live Movie Maker
      Windows Live Photo Common
      Windows Live Photo Gallery
      Windows Live PIMT Platform
      Windows Live SOXE
      Windows Live SOXE Definitions
      Windows Live Sync
      Windows Live UX Platform
      Windows Live UX Platform Language Pack
      Windows Live Writer
      Windows Live Writer Resources
      Windows Media Encoder 9 Series
      .
      ==== Event Viewer Messages From Past Week ========
      .
      11/17/2011 3:55:37 AM, Error: Service Control Manager [7031]  - The McAfee McShield service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
      11/17/2011 3:46:30 AM, Error: Service Control Manager [7031]  - The McAfee McShield service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
      11/17/2011 2:33:10 PM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 192.168.2.107 for the Network Card with network address 00216B2EFC58 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
      11/17/2011 10:23:00 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {395633B1-EED9-4DFC-B67F-9788B51C9F06}
      11/17/2011 10:18:50 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
      11/17/2011 10:18:03 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}
      11/17/2011 10:18:03 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
      11/17/2011 10:15:05 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  spldr Wanarpv6
      11/17/2011 10:15:05 AM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
      11/17/2011 10:15:05 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000]  - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
      11/17/2011 10:15:02 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
      11/17/2011 10:14:58 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
      11/17/2011 10:14:57 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
      11/17/2011 10:14:49 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
      11/17/2011 10:13:07 AM, Error: Microsoft-Windows-Dhcp-Client [1001]  - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00216B2EFC58.  The following error occurred:  The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
      11/17/2011 10:13:03 AM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 192.168.2.114 for the Network Card with network address 00216B2EFC58 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
      11/16/2011 7:46:57 PM, Error: EventLog [6008]  - The previous system shutdown at 7:43:27 PM on 11/16/2011 was unexpected.
      11/16/2011 7:46:25 PM, Error: volsnap [27]  - The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.
      11/16/2011 7:46:15 PM, Error: volsnap [25]  - The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time.  Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.
      11/16/2011 7:15:43 PM, Error: Microsoft-Windows-Windows Defender [1008]  - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Alureon&threatid=100185     Scan ID: {6938002C-FD12-435E-9D90-3BD3DA5DAB71}      Scan Type: AntiMalware     User: Charlene-PC\Charlene     Name: Trojan:Win32/Alureon     ID: 100185     Severity ID: 5     Category ID: 8     Path:      Action: Remove     Error Code: 0x80508025     Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
      11/16/2011 5:46:12 PM, Error: Service Control Manager [7034]  - The Ulead Burning Helper service terminated unexpectedly.  It has done this 1 time(s).
      11/16/2011 5:42:28 PM, Error: Microsoft-Windows-Windows Defender [3006]  - Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Alureon.FJ&threatid=165678     Scan ID: {F7FD73F9-7E4B-4C21-90EA-4C7248E877D3}     User: Charlene-PC\Charlene     Name: Trojan:Win32/Alureon.FJ     ID: 165678     Severity ID: 5     Category ID: 8     Path:      Alert Type: Spyware or other potentially unwanted software     Action: Quarantine     Error Code: 0x80508025     Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
      11/16/2011 4:08:11 PM, Error: Microsoft-Windows-Windows Defender [3006]  - Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Alureon.FJ&threatid=165678     Scan ID: {5063E01A-16DE-441F-9881-4DE094E837F4}     User: Charlene-PC\Charlene     Name: Trojan:Win32/Alureon.FJ     ID: 165678     Severity ID: 5     Category ID: 8     Path:      Alert Type: Spyware or other potentially unwanted software     Action: Quarantine     Error Code: 0x80508025     Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
      11/16/2011 4:01:13 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
      11/16/2011 4:01:13 PM, Error: Service Control Manager [7000]  - The Windows Search service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
      11/16/2011 3:43:43 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
      11/16/2011 3:31:54 PM, Error: Microsoft-Windows-Windows Defender [3006]  - Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.  For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Alureon.FJ&threatid=165678     Scan ID: {4BB4B769-734D-468B-9F7A-36A42D7B374D}     User: Charlene-PC\Charlene     Name: Trojan:Win32/Alureon.FJ     ID: 165678     Severity ID: 5     Category ID: 8     Path:      Alert Type: Spyware or other potentially unwanted software     Action: Quarantine     Error Code: 0x80508025     Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
      .
      ==== End Of File ===========================

      SuperDave

      Re: Virus Keeps Coming Back
      « Reply #3 on: November 22, 2011, 01:10:11 PM »
      Update Your Java (JRE)

      Old versions of Java have vulnerabilities that malware can use to infect your system.


      First Verify your Java Version

      If there are any other version(s) installed then update now.

      Get the new version (if needed)

      If your version is out of date install the newest version of the Sun Java Runtime Environment.

      Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

      Be sure to close ALL open web browsers before starting the installation.

      Remove any old versions

      1. Download JavaRa and unzip the file to your Desktop.
      2. Open JavaRA.exe and choose Remove Older Versions
      3. Once complete exit JavaRA.

      Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
      ******************************************************
      Download OTL to your desktop.

      * Open OTL
      * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

      Code:
      :OTL

      TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
      TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
      TB: {54BA686E-738F-42FE-BADD-D8CB7CFBC07E} - No File

      :COMMANDS
      [resethosts]
      [purity]
      [start explorer]

      * Click Run Fix
      * OTLI2 may ask to reboot the machine. Please do so if asked.
      * Click OK
      * A report will open. Copy and Paste that report in your next reply.
      **************************************************************
      Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

      link # 1
      Link # 2
      If you are using Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Right-click combofix.exe and select Run as Administrator and follow the prompts.
      When finished, ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
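As an added example (not a tool from this thread, nor from the DDS, OTL or ComboFix authors), a small Python triage script that pulls out of DDS- and ComboFix-style logs the indicators a helper checks first when an infection keeps returning: a WinINet ProxyServer value pointed at the loopback address, Windows Defender remediation failures with their threat names and error codes, side-by-side Java runtimes, and unexpected shutdowns. The sample log below is constructed from lines of the same shape as those posted in this thread; the regular expressions assume the log was pasted as plain text.

```python
import re
from dataclasses import dataclass, field

# Event Viewer line as DDS prints it, e.g.
# 11/16/2011 7:15:43 PM, Error: Microsoft-Windows-Windows Defender [1008]  - <message>
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\]\s+-\s+(?P<msg>.*)$"
)
# ComboFix "Supplementary Scan" proxy line (u = user hive, m = machine hive), e.g.
# uInternet Settings,ProxyServer = http=127.0.0.1:50384
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
# DDS installed-programs entry for a Sun JRE, e.g. "Java(TM) 6 Update 22"
JAVA_RE = re.compile(r"^Java\(TM\) (?P<major>\d+) Update (?P<update>\d+)$")
# Fields Windows Defender embeds in its event text
THREAT_RE = re.compile(r"Name: (?P<name>\S+)")
ERRCODE_RE = re.compile(r"Error Code: (?P<code>0x[0-9A-Fa-f]+)")


@dataclass
class Findings:
    loopback_proxy: list = field(default_factory=list)        # raw ProxyServer values
    failed_remediations: list = field(default_factory=list)   # (timestamp, threat, error code)
    java_versions: list = field(default_factory=list)         # (major, update) tuples
    unexpected_shutdowns: list = field(default_factory=list)  # timestamps of EventLog 6008


def _points_at_loopback(proxy_value):
    """True if any protocol entry of a WinINet ProxyServer value targets 127/8 or localhost."""
    for entry in proxy_value.split(";"):
        hostport = entry.split("=", 1)[-1].strip()  # "http=127.0.0.1:50384" -> "127.0.0.1:50384"
        host = hostport.rsplit(":", 1)[0].lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def triage(text):
    """Walk the pasted log line by line and collect the indicators defined above."""
    f = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            if _points_at_loopback(m.group("value")):
                f.loopback_proxy.append(m.group("value"))
            continue
        m = JAVA_RE.match(line)
        if m:
            f.java_versions.append((int(m.group("major")), int(m.group("update"))))
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue
        source, msg = m.group("source"), m.group("msg")
        if "Windows Defender" in source and "encountered an error" in msg:
            threat, code = THREAT_RE.search(msg), ERRCODE_RE.search(msg)
            f.failed_remediations.append((m.group("ts"),
                                          threat.group("name") if threat else "?",
                                          code.group("code") if code else "?"))
        elif source == "EventLog" and m.group("id") == "6008":
            f.unexpected_shutdowns.append(m.group("ts"))
    return f


def stale_java(f):
    """Every listed JRE older than the newest one (old releases left side by side stay exploitable)."""
    if not f.java_versions:
        return []
    newest = max(f.java_versions)
    return sorted(v for v in f.java_versions if v < newest)


def report(f):
    lines = []
    for value in f.loopback_proxy:
        # Some AV web filters also proxy through loopback, so this is a lead to confirm, not proof.
        lines.append(f"CHECK proxy: browser traffic routed through {value}; confirm what listens there")
    for ts, threat, code in f.failed_remediations:
        lines.append(f"CHECK defender: {ts} could not remediate {threat} ({code}); it may still be active")
    for major, update in stale_java(f):
        lines.append(f"CHECK java: old runtime Java(TM) {major} Update {update} still installed")
    for ts in f.unexpected_shutdowns:
        lines.append(f"NOTE shutdown: unexpected shutdown logged at {ts}")
    return lines


# Constructed sample in the shape of the DDS and ComboFix output seen in this thread.
SAMPLE_LOG = """\
==== Installed Programs ======================
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 6
==== Event Viewer Messages From Past Week ========
11/16/2011 7:46:57 PM, Error: EventLog [6008]  - The previous system shutdown at 7:43:27 PM on 11/16/2011 was unexpected.
11/16/2011 7:15:43 PM, Error: Microsoft-Windows-Windows Defender [1008]  - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software.  Name: Trojan:Win32/Alureon     ID: 100185     Action: Remove     Error Code: 0x80508025
11/16/2011 5:42:28 PM, Error: Microsoft-Windows-Windows Defender [3006]  - Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.  Name: Trojan:Win32/Alureon.FJ     ID: 165678     Action: Quarantine     Error Code: 0x80508025
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:50384
TCP: DhcpNameServer = 192.168.1.254 192.168.2.1
"""

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```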

      jjcoolbud

        Topic Starter



        Re: Virus Keeps Coming Back
        « Reply #4 on: November 28, 2011, 12:29:13 PM »
        SD,

        I was not able to update my Java because I keep losing connection to the internet, and I think it has something to do with the virus.  Once this is fixed, the first thing I will do is update Java.

        I did however complete the OTL and Combofix steps.  Here are the logs:


        ========== OTL ==========
        ========== COMMANDS ==========
        C:\Windows\System32\drivers\etc\Hosts moved successfully.
        HOSTS file reset successfully
         
        OTL by OldTimer - Version 3.2.31.0 log created on 11282011_141031



        ComboFix 11-11-28.02 - Charlene 11/28/2011  14:16:41.1.2 - x86
        Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2939.1743 [GMT -5:00]
        Running from: c:\users\Charlene\Desktop\ComboFix.exe
        AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
        FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
        SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
        SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
         * Created a new restore point
        .
        .
        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        c:\program files\Retrogamer_2zEI
        c:\programdata\Roaming
        c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
        c:\users\Charlene\AppData\Local\{D4B45FB1-C066-4325-8549-EBA459CFC920}
        c:\users\Charlene\AppData\Local\{D4B45FB1-C066-4325-8549-EBA459CFC920}\chrome.manifest
        c:\users\Charlene\AppData\Local\{D4B45FB1-C066-4325-8549-EBA459CFC920}\chrome\content\overlay.xul
        c:\users\Charlene\AppData\Local\{D4B45FB1-C066-4325-8549-EBA459CFC920}\install.rdf
        c:\users\Charlene\AppData\Roaming\98D8.D03
        c:\users\Charlene\AppData\Roaming\Adobe\plugs
        c:\users\Charlene\AppData\Roaming\Adobe\shed
        .
        .
        (((((((((((((((((((((((((   Files Created from 2011-10-28 to 2011-11-28  )))))))))))))))))))))))))))))))
        .
        .
        2011-11-28 19:23 . 2011-11-28 19:23   --------   d-----w-   c:\users\Default\AppData\Local\temp
        2011-11-28 19:10 . 2011-11-28 19:10   --------   d-----w-   C:\_OTL
        2011-11-23 16:35 . 2011-11-23 16:35   56200   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{518345A7-5913-44EC-AA93-CBA0782B8EB7}\offreg.dll
        2011-11-22 00:40 . 2011-10-18 06:28   6668624   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{518345A7-5913-44EC-AA93-CBA0782B8EB7}\mpengine.dll
        2011-11-22 00:26 . 2011-11-22 00:26   --------   d-----w-   c:\users\Charlene\AppData\Roaming\SUPERAntiSpyware.com
        2011-11-22 00:25 . 2011-11-22 00:26   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2011-11-22 00:25 . 2011-11-22 00:25   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
        2011-11-17 19:35 . 2011-11-17 19:35   388096   ----a-r-   c:\users\Charlene\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
        2011-11-17 00:36 . 2011-07-29 16:01   293376   ----a-w-   c:\windows\system32\psisdecd.dll
        2011-11-17 00:36 . 2011-07-29 16:01   217088   ----a-w-   c:\windows\system32\psisrndr.ax
        2011-11-17 00:36 . 2011-07-29 16:00   69632   ----a-w-   c:\windows\system32\Mpeg2Data.ax
        2011-11-17 00:36 . 2011-07-29 16:00   57856   ----a-w-   c:\windows\system32\MSDvbNP.ax
        2011-11-17 00:36 . 2011-09-06 13:30   2043392   ----a-w-   c:\windows\system32\win32k.sys
        2011-11-17 00:36 . 2011-10-17 11:41   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
        2011-11-17 00:36 . 2011-09-20 21:02   905088   ----a-w-   c:\windows\system32\drivers\tcpip.sys
        2011-11-17 00:36 . 2011-08-25 16:15   555520   ----a-w-   c:\windows\system32\UIAutomationCore.dll
        2011-11-17 00:36 . 2011-08-25 16:14   238080   ----a-w-   c:\windows\system32\oleacc.dll
        2011-11-17 00:36 . 2011-08-25 16:14   563712   ----a-w-   c:\windows\system32\oleaut32.dll
        2011-11-17 00:36 . 2011-08-25 13:31   4096   ----a-w-   c:\windows\system32\oleaccrc.dll
        2011-11-17 00:35 . 2011-09-30 15:57   707584   ----a-w-   c:\program files\Common Files\System\wab32.dll
        2011-11-17 00:34 . 2011-10-18 19:29   28760   ----a-w-   c:\program files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
        .
        .
        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2011-10-15 18:16 . 2011-03-27 23:56   9608   ----a-w-   c:\windows\system32\drivers\mfeclnk.sys
        2011-10-15 18:16 . 2011-03-27 23:56   87656   ----a-w-   c:\windows\system32\drivers\mferkdet.sys
        2011-10-15 18:16 . 2011-03-27 23:56   64880   ----a-w-   c:\windows\system32\drivers\mfenlfk.sys
        2011-10-15 18:16 . 2011-03-27 23:56   59456   ----a-w-   c:\windows\system32\drivers\mfebopk.sys
        2011-10-15 18:16 . 2011-03-27 23:56   338176   ----a-w-   c:\windows\system32\drivers\mfefirek.sys
        2011-10-15 18:16 . 2011-03-27 23:56   180816   ----a-w-   c:\windows\system32\drivers\mfeavfk.sys
        2011-10-15 18:16 . 2011-03-27 23:56   165680   ----a-w-   c:\windows\system32\drivers\mfewfpk.sys
        2011-10-15 18:16 . 2011-03-27 23:56   57600   ----a-w-   c:\windows\system32\drivers\cfwids.sys
        2011-10-15 18:16 . 2010-06-01 01:32   464176   ----a-w-   c:\windows\system32\drivers\mfehidk.sys
        2011-10-15 18:16 . 2010-06-01 01:32   121256   ----a-w-   c:\windows\system32\drivers\mfeapfk.sys
        2011-08-31 22:00 . 2011-04-15 00:48   22216   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2011-04-16 18:26 . 2011-04-25 02:56   702464   ----a-w-   c:\program files\Uninstall Retrogamer.dll
        2011-04-14 18:01 . 2011-07-28 14:40   24376   ----a-w-   c:\program files\mozilla firefox\components\Scriptff.dll
        .
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4
        .
        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
        "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
        "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
        "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
        "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
        "ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
        "NDSTray.exe"="NDSTray.exe" [BU]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
        "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
        .
        c:\users\Charlene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
        OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "EnableUIADesktopToggle"= 0 (0x0)
        .
        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
        @=""
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
        @=""
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
        @=""
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
        2011-04-25 22:23   136176   ----atw-   c:\users\Charlene\AppData\Local\Google\Update\GoogleUpdate.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        2010-11-29 21:38   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
        2008-04-08 23:14   6037504   ----a-w-   c:\windows\RtHDVCpl.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
        2007-11-21 02:15   1826816   ----a-w-   c:\windows\SkyTel.exe
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
        2008-01-21 02:25   202240   ----a-w-   c:\program files\Windows Media Player\wmpnscfg.exe
        .
        R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
        R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-03 135664]
        R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-03 135664]
        R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
        R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-15 87656]
        R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys [2011-02-24 10112]
        R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
        R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
        R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
        R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
        S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-10-15 64880]
        S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-10-15 165680]
        S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
        S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
        S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
        S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-07-11 40960]
        S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
        S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
        S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
        S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 160608]
        S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-10-18 150856]
        S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-01 62776]
        S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
        S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-15 57600]
        S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
        S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-15 338176]
        S3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]
        S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-25 73728]
        .
        .
        --- Other Services/Drivers In Memory ---
        .
        *Deregistered* - mfeavfk01
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
        .
        Contents of the 'Scheduled Tasks' folder
        .
        2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-03 00:31]
        .
        2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-03 00:31]
        .
        2011-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3905119876-3863143060-3799346955-1000Core.job
        - c:\users\Charlene\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-03 22:23]
        .
        2011-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3905119876-3863143060-3799346955-1000UA.job
        - c:\users\Charlene\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-03 22:23]
        .
        2011-03-27 c:\windows\Tasks\User_Feed_Synchronization-{4D4E1E62-591C-4B88-AC5A-9E8241DC2612}.job
        - c:\windows\system32\msfeedssync.exe [2011-07-25 00:54]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.google.com/
        mStart Page = hxxp://www.toshibadirect.com/dpdstart
        uInternet Settings,ProxyOverride = *.local;<local>
        uInternet Settings,ProxyServer = http=127.0.0.1:50384
        IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
        TCP: DhcpNameServer = 192.168.1.254 192.168.2.1
        DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
        FF - ProfilePath - c:\users\Charlene\AppData\Roaming\Mozilla\Firefox\Profiles\dofjlxqi.default\
        FF - prefs.js: browser.search.selectedEngine - Secure Search
        FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
        FF - prefs.js: network.proxy.http - 127.0.0.1
        FF - prefs.js: network.proxy.http_port - 50384
        FF - prefs.js: network.proxy.type - 1
        FF - Ext: GameTap: [email protected] - c:\program files\Mozilla Firefox\extensions\[email protected]
        FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
        FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
        FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
        FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
        .
        - - - - ORPHANS REMOVED - - - -
        .
        Toolbar-Locked - (no file)
        MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
        MSConfigStartUp-Retrogamer_2z Browser Plugin Loader - c:\progra~1\RETROG~2\bar\2.bin\2zbrmon.exe
        MSConfigStartUp-Security Protection - c:\users\Charlene\AppData\Roaming\defender.exe
        MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        .
        .
        .
        **************************************************************************
        .
        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2011-11-28 14:23
        Windows 6.0.6002 Service Pack 2 NTFS
        .
        scanning hidden processes ... 
        .
        scanning hidden autostart entries ...
        .
        scanning hidden files ... 
        .
        scan completed successfully
        hidden files: 0
        .
        **************************************************************************
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\a5b22700]
        "imagepath"="\??\c:\windows\TEMP\6884.tmp"
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000
        "MSCurrentCountry"=dword:000000b5
        .
        Completion time: 2011-11-28  14:25:49
        ComboFix-quarantined-files.txt  2011-11-28 19:25
        .
        Pre-Run: 273,040,953,344 bytes free
        Post-Run: 272,400,445,440 bytes free
        .
        - - End Of File - - 915E02D640829C99AC2C1632E93894E3
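Three entries in the ComboFix log above are worth a responder's attention before anything else: both Internet Explorer (ProxyServer) and Firefox (network.proxy.*) are pointed at a loopback proxy on 127.0.0.1:50384, an orphaned startup entry named "Security Protection" launched defender.exe from AppData\Roaming, and service a5b22700 has its image path set to a .tmp file under c:\windows\TEMP. As an added example (not code from this thread, from ComboFix or from any of the tools it mentions), the Python script below flags those three patterns in a constructed excerpt built from the log lines above; a loopback proxy can also belong to legitimate local filtering software, so the script reports it as an indicator to confirm, not as a verdict.

```python
"""Triage helper for ComboFix-style logs (added example, not from the thread).

Flags three indicators that appear in the log above:
  * IE or Firefox proxy settings pointed at a loopback address, which routes
    every web request through a local process on that port,
  * orphaned MSConfig startup entries launching from a user's AppData\\Roaming,
  * services whose ImagePath points into a TEMP directory.
"""
import re

# Constructed excerpt: the relevant lines from the log above, not the whole log.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:50384
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50384
FF - prefs.js: network.proxy.type - 1
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Security Protection - c:\users\Charlene\AppData\Roaming\defender.exe
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\a5b22700]
"imagepath"="\??\c:\windows\TEMP\6884.tmp"
"""

LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|::1)$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
ROAMING = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)
SERVICE_KEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\\w+\\Services\\([^\]]+)\]", re.IGNORECASE)


def triage(log_text):
    """Return a list of (indicator, detail) tuples found in the log text."""
    findings = []
    ff = {}                 # Firefox prefs are spread over several lines; decide at the end
    current_service = None  # service key most recently seen, for the imagepath line that follows
    for raw in log_text.splitlines():
        line = raw.strip()
        # Internet Explorer per-user proxy: "ProxyServer = http=HOST:PORT"
        m = re.match(r"uInternet Settings,ProxyServer\s*=\s*(?:http=)?([^:]+):(\d+)", line)
        if m and LOOPBACK.match(m.group(1)):
            findings.append(("ie_loopback_proxy", f"{m.group(1)}:{m.group(2)}"))
            continue
        m = re.match(r"FF - prefs\.js: (network\.proxy\.\w+) - (.+)", line)
        if m:
            ff[m.group(1)] = m.group(2).strip()
            continue
        # Orphaned startup entries: flag anything launched from the roaming profile
        m = re.match(r"MSConfigStartUp-(.+?) - (.+)", line)
        if m and ROAMING.search(m.group(2)):
            findings.append(("startup_from_roaming", f"{m.group(1)}: {m.group(2)}"))
            continue
        m = SERVICE_KEY.match(line)
        if m:
            current_service = m.group(1)
            continue
        m = re.match(r'"imagepath"="(.+)"', line, re.IGNORECASE)
        if m and current_service and TEMP_DIR.search(m.group(1)):
            findings.append(("service_image_in_temp", f"{current_service}: {m.group(1)}"))
            current_service = None
    # Firefox: network.proxy.type 1 means a manual proxy; flag only a loopback host
    if ff.get("network.proxy.type") == "1" and LOOPBACK.match(ff.get("network.proxy.http", "")):
        port = ff.get("network.proxy.http_port", "?")
        findings.append(("firefox_loopback_proxy", f"{ff['network.proxy.http']}:{port}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:24} {detail}")
```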


        jjcoolbud

          Topic Starter


          Rookie

          Re: Virus Keeps Coming Back
          « Reply #5 on: November 28, 2011, 12:38:31 PM »
          I was able to update to the most recent Java and remove old versions after I re-booted after OTL and ComboFix.  Let me know what's next.  Please see the OTL and ComboFix in the post prior to this one.

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 995
          • Certifications: List
          • Experience: Expert
          • OS: Windows 8
          Re: Virus Keeps Coming Back
          « Reply #6 on: November 28, 2011, 01:31:24 PM »
          SysProt Antirootkit

          Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

          http://sites.google.com/site/sysprotantirootkit/

          Unzip it into a folder on your desktop.
          • Double click Sysprot.exe to start the program.
          • Click on the Log tab.
          • In the Write to log box select the following items.
            • Process << Selected
            • Kernel Modules << Selected
            • SSDT << Selected
            • Kernel Hooks << Selected
            • IRP Hooks << NOT Selected
            • Ports << NOT Selected
            • Hidden Files << Selected
          • At the bottom of the page
            • Hidden Objects Only << Selected
          • Click on the Create Log button on the bottom right.
          • After a few seconds a new window should appear.
          • Select Scan Root Drive. Click on the Start button.
          • When it is complete a new window will appear to indicate that the scan is finished.
          • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
          Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

          jjcoolbud

            Topic Starter


            Rookie

            Re: Virus Keeps Coming Back
            « Reply #7 on: November 28, 2011, 04:29:32 PM »
            Here is the sysprot log

            SysProt AntiRootkit v1.0.1.0
            by swatkat

            ******************************************************************************************
            ******************************************************************************************

            No Hidden Processes found

            ******************************************************************************************
            ******************************************************************************************
            Kernel Modules:
            Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
            Service Name: ---
            Module Base: 9108B000
            Module End: 91165000
            Hidden: Yes

            ******************************************************************************************
            ******************************************************************************************
            No SSDT Hooks found

            ******************************************************************************************
            ******************************************************************************************
            Kernel Hooks:
            Hooked Function: ZwYieldExecution
            At Address: 82A5F982
            Jump To: 8A794488
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwUnmapViewOfSection
            At Address: 82C44B5D
            Jump To: 8A7944B2
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwTerminateProcess
            At Address: 82C25143
            Jump To: 8A7944C6
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            Hooked Function: ZwMapViewOfSection
            At Address: 82C4489A
            Jump To: 8A79449C
            Module Name: C:\Windows\system32\drivers\mfehidk.sys

            ******************************************************************************************
            ******************************************************************************************
            Hidden files/folders:
            Object: C:\Qoobox\BackEnv\AppData.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Cache.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Cookies.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Desktop.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Favorites.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\History.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Music.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\NetHood.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Personal.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Pictures.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Programs.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Recent.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SendTo.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SetPath.bat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\StartUp.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SysPath.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Templates.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\VikPev00
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl
            Status: Access denied


            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 995
            • Certifications: List
            • Experience: Expert
            • OS: Windows 8
            Re: Virus Keeps Coming Back
            « Reply #8 on: November 28, 2011, 04:44:48 PM »
            I'd like to scan your machine with ESET OnlineScan

            • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
            ESET OnlineScan
            • Click the button.
            • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
              • Click on to download the ESET Smart Installer. Save it to your desktop.
              • Double click on the icon on your desktop.
            • Check
            • Click the button.
            • Accept any security warnings from your browser.
            • Check
            • Push the Start button.
            • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
            • When the scan completes, push
            • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
            • Push the button.
            • Push
            A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
            Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

            jjcoolbud

              Topic Starter


              Rookie

              Re: Virus Keeps Coming Back
              « Reply #9 on: November 29, 2011, 06:53:56 AM »
              Here are the ESET log files.  Who knew there were so many viruses on this laptop. . .


              [email protected] as downloader log:
              all ok
              # version=7
              # OnlineScannerApp.exe=1.0.0.1
              # OnlineScanner.ocx=1.0.0.6583
              # api_version=3.0.2
              # EOSSerial=6851fb5562c57044b97ce02dc28a6d96
              # end=finished
              # remove_checked=true
              # archives_checked=true
              # unwanted_checked=true
              # unsafe_checked=false
              # antistealth_checked=true
              # utc_time=2011-11-29 01:52:30
              # local_time=2011-11-28 08:52:30 (-0500, Eastern Standard Time)
              # country="United States"
              # lang=1033
              # osver=6.0.6002 NT Service Pack 2
              # compatibility_mode=512 16777215 100 0 17903827 17903827 0 0
              # compatibility_mode=5121 16777213 100 75 62236 22909443 0 0
              # compatibility_mode=5892 16776573 100 100 0 159133509 0 0
              # compatibility_mode=8192 67108863 100 0 0 0 0 0
              # scanned=179993
              # found=2
              # cleaned=2
              # scan_time=5569
              C:\Users\Charlene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\6468271f-4fa83299   a variant of Java/TrojanDownloader.OpenStream.NCM trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
              C:\Users\Charlene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\623f9ce2-43ec8cab   a variant of Java/Agent.DT trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C




              C:\Users\Charlene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\6468271f-4fa83299   a variant of Java/TrojanDownloader.OpenStream.NCM trojan   cleaned by deleting - quarantined
              C:\Users\Charlene\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\623f9ce2-43ec8cab   a variant of Java/Agent.DT trojan   cleaned by deleting - quarantined

              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Thanked: 995
              • Certifications: List
              • Experience: Expert
              • OS: Windows 8
              Re: Virus Keeps Coming Back
              « Reply #10 on: November 29, 2011, 04:39:59 PM »
              That looks good. If there are no other issues, we can do some cleanup.

              To uninstall ComboFix

              • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
              • In the field, type in ComboFix /uninstall


              (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

              • Then, press Enter, or click OK.
              • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
              ***************************************************
              To remove all of the tools we used and the files and folders they created do the following:
              Double click OTL.exe.
              • Click the CleanUp button.
              • Select Yes when the "Begin cleanup Process?" prompt appears.
              • If you are prompted to Reboot during the cleanup, select Yes.
              • The tool will delete itself once it finishes.
              Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
              ***************************************************
              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
              *****************************************************
              Go to Microsoft Windows Update and get all critical updates.

              ----------

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
              Safe Surfing!
              Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender

              jjcoolbud

                Topic Starter


                Rookie

                Re: Virus Keeps Coming Back
                « Reply #11 on: November 29, 2011, 05:42:28 PM »
                Super Dave,

                First of all thank you a million times for your patience and persistence in getting this laptop clean.  Without you I would have probably re-installed the OS but I hear that doesn't get rid of viruses. . . .

                Anyway, when I try to uninstall ComboFix it tells me Windows cannot find ComboFix.  If that's not an issue then I am good with it.

                Now let me make sure I understand what protection program I should have based on what we have done so far and what you are telling me in the last post:

                1.  McAfee Security Center
                2.  Malware Bytes
                3.  Windows Defender
                4.  Super Anti-Spyware
                5.  WOT
                6.  Spyware Blaster
                7.  Spybot Search and Destroy

                Is this correct?  Should I have all 7 of these programs and run them on a weekly basis??



                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 995
                • Certifications: List
                • Experience: Expert
                • OS: Windows 8
                Re: Virus Keeps Coming Back
                « Reply #12 on: November 30, 2011, 12:25:13 PM »
                Quote
                but I hear that doesn't get rid of viruses
                It does if you do a complete re-format.
                Quote
                Anyway, when I try to uninstall ComboFix it tells me Windows cannot find ComboFix.  If that's not an issue then I am good with it.

                Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt
                You may have a problem deleting one of the folders. In that case, just empty the folder of whatever files you can and leave it.

                Quote
                Now let me make sure I understand what protection program I should have based on what we have done so far and what you are telling me in the last post:
                McAfee Security Center is your AV as well as Anti-spyware. Keep this updated.

                Malware Bytes and Super Anti-Spyware are not full-time scanners unless you have purchased the programs. You can update them and run them on a regular basis.

                WOT is your protection when browsing. It will warn you about dangerous sites.

                Spyware Blaster is another anti-spyware and anti-malware program.

                Spybot Search and Destroy is another anti-spyware and anti-malware program. You probably really don't need all these anti-spyware and anti-malware programs.

                Quote
                First of all thank you a million times for your patience and persistence in getting this laptop clean
                You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.
                Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender