My yahoo account is sending spam! Please help!

This topic is locked.

#1 mlpjd (Member, 23 posts)
My yahoo account has recently been sending spam messages to the folks in my address book. I know this because (1) I am getting the bounced messages from addresses that aren't good anymore and (2) the sent messages are in my sent folder. I have run a McAfee scan and it didn't find anything. I haven't done anything else (like erasing my address book, changing my password, or closing the account), because I wanted to get advice from you all first. Posted below are the results from my OTL scan. Please help! Thanks!

Mary

OTL logfile created on: 10/18/2011 2:08:49 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\smpareja\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16982)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.77 Gb Available Physical Memory | 38.83% Memory free
4.19 Gb Paging File | 1.85 Gb Available in Paging File | 44.10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 147.58 Gb Total Space | 47.49 Gb Free Space | 32.18% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: smpareja | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/18 14:03:39 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\smpareja\Desktop\OTL.exe
PRC - [2011/10/18 09:56:26 | 000,247,968 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil11c_ActiveX.exe
PRC - [2011/10/06 16:41:16 | 000,166,024 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/09/16 18:38:10 | 001,318,552 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/08/19 15:59:30 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2011/08/19 15:55:34 | 000,160,344 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/02/21 20:35:55 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/01/28 02:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/08/24 05:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2010/04/08 02:31:44 | 000,319,488 | ---- | M] (SlipStream Data Inc.) -- C:\Program Files\WebRunner Accelerator\wrcore.exe
PRC - [2010/04/08 02:31:44 | 000,204,800 | ---- | M] (SlipStream Data Inc.) -- C:\Program Files\WebRunner Accelerator\wrgui.exe
PRC - [2009/11/13 20:29:42 | 009,117,504 | ---- | M] (Western Digital) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
PRC - [2009/11/13 20:29:40 | 002,057,536 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
PRC - [2009/11/13 20:28:04 | 000,110,592 | ---- | M] (WDC) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
PRC - [2009/08/27 17:52:10 | 000,245,760 | ---- | M] (France Telecom SA) -- C:\Program Files\Orange\Internet Everywhere\Systray\SystrayApp.exe
PRC - [2009/08/27 17:51:54 | 001,110,016 | ---- | M] (France Telecom SA) -- C:\Program Files\Orange\Internet Everywhere\Phonetools\TextMessaging.exe
PRC - [2009/08/27 17:49:58 | 000,725,744 | ---- | M] (France Telecom SA) -- C:\Program Files\Orange\Internet Everywhere\Launcher\Launcher.exe
PRC - [2009/08/27 17:49:16 | 000,094,208 | ---- | M] (France Telecom SA) -- C:\Program Files\Common Files\France Telecom\Shared Modules\FTCOMModule\0\FTCOMModule.exe
PRC - [2009/08/27 17:49:16 | 000,077,824 | ---- | M] (France Telecom SA) -- C:\Program Files\Common Files\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
PRC - [2009/08/27 17:48:32 | 001,368,064 | ---- | M] (France Telecom SA) -- C:\Program Files\Orange\Internet Everywhere\Deskboard\Deskboard.exe
PRC - [2009/08/27 17:47:20 | 000,540,672 | ---- | M] (France Telecom SA) -- C:\Program Files\Orange\Internet Everywhere\Connectivity\Corecom\CoreCom.exe
PRC - [2009/08/27 17:46:48 | 001,007,616 | ---- | M] (France Telecom SA) -- C:\Program Files\Orange\Internet Everywhere\Connectivity\ConnectivityManager.exe
PRC - [2009/08/27 17:46:46 | 000,094,208 | ---- | M] (France Telecom SA) -- C:\Program Files\Common Files\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe
PRC - [2009/08/27 11:46:50 | 000,282,624 | R--- | M] (France Telecom SA) -- C:\Program Files\CardDetector\HUAWEI1752_1552\CardDetector.exe
PRC - [2009/06/16 17:58:08 | 000,020,480 | ---- | M] (Memeo) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
PRC - [2008/11/13 18:33:46 | 000,333,088 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
PRC - [2006/11/29 06:05:38 | 000,523,952 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
PRC - [2006/11/23 03:45:28 | 000,425,648 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2006/11/23 03:08:12 | 000,409,264 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
PRC - [2006/11/20 22:15:14 | 000,446,128 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SmoothView\SmoothView.exe
PRC - [2006/11/15 08:02:36 | 001,372,160 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2006/11/15 07:19:42 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
PRC - [2006/11/15 06:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/11/11 00:22:26 | 000,417,792 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PRC - [2006/11/06 21:36:30 | 000,021,504 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\upeksvr.exe
PRC - [2006/11/06 21:19:12 | 000,054,288 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\psqltray.exe
PRC - [2006/11/01 08:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2006/10/31 05:44:40 | 000,094,208 | ---- | M] (TOSHIBA Inc.) -- C:\Program Files\Toshiba\Utilities\VolControl.exe
PRC - [2006/10/27 23:11:02 | 000,192,512 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2006/08/24 02:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/07/20 22:54:28 | 000,040,960 | ---- | M] () -- c:\Toshiba\IVP\swupdate\swupdtmr.exe
PRC - [2006/07/20 22:45:00 | 000,151,552 | ---- | M] (TOSHIBA Corporation) -- C:\Toshiba\IVP\ISM\pinger.exe
PRC - [2006/05/26 04:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe


========== Modules (No Company Name) ==========

MOD - [2011/02/10 03:23:06 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\22e348e7fee20fcb2013d3dfe016ae8e\System.Management.ni.dll
MOD - [2011/02/10 03:21:37 | 001,712,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\bce81bf63e63ec436b4bc274c08f842d\Microsoft.VisualBasic.ni.dll
MOD - [2011/02/10 03:20:02 | 000,478,208 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\TCrdMain\3ccfbf99516a72b6a5fc93ef3fb542c2\TCrdMain.ni.exe
MOD - [2011/02/10 03:19:53 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\ae77b2b91367f11d340cf3bf2428af59\System.ServiceProcess.ni.dll
MOD - [2011/02/10 03:19:46 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\23281812ddf7a1fab881b5322e577ac4\System.Runtime.Remoting.ni.dll
MOD - [2011/02/10 03:19:41 | 011,796,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\03858406f9a9514402888707e8b93abe\System.Web.ni.dll
MOD - [2011/02/10 03:19:23 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e6001d416f7c468334934a2c6a41c631\System.Configuration.ni.dll
MOD - [2011/02/10 03:16:35 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\7208ffa39630e9b923331f9df0947a12\System.Xml.ni.dll
MOD - [2011/02/10 03:16:12 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\1941d7639299344ae28fb6b23da65247\System.Windows.Forms.ni.dll
MOD - [2011/02/10 03:15:59 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6312464f64727a2a50d5ce3fd73ad1bb\System.Drawing.ni.dll
MOD - [2011/02/10 03:15:46 | 006,616,576 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\813556b5a2722045b0ea14467fd00227\System.Data.ni.dll
MOD - [2011/02/10 03:15:36 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\a122c56b60812fb5cbc2e941d4875a87\PresentationFramework.Aero.ni.dll
MOD - [2011/02/10 03:15:35 | 014,327,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\29eb51a21ce62ed759b162307bd65e32\PresentationFramework.ni.dll
MOD - [2011/02/10 03:15:12 | 012,216,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\dc8dccca85718096c895b74094e09e5a\PresentationCore.ni.dll
MOD - [2011/02/10 03:14:55 | 003,313,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\c049bc39cb33f7459936a689484285d6\WindowsBase.ni.dll
MOD - [2011/02/10 03:14:50 | 007,868,416 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\52e1ea3c7491e05cda766d7b3ce3d559\System.ni.dll
MOD - [2011/02/10 03:14:40 | 011,486,720 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\17f572b09facdc5fda9431558eb7a26e\mscorlib.ni.dll
MOD - [2011/01/29 20:02:31 | 002,933,248 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2010/12/14 21:06:12 | 000,034,816 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\gzlib.dll
MOD - [2009/08/27 21:49:40 | 000,028,672 | ---- | M] () -- C:\Program Files\Orange\Internet Everywhere\Systray\IHMSystray.dll
MOD - [2009/08/27 21:49:22 | 000,011,776 | ---- | M] () -- C:\Program Files\Orange\Internet Everywhere\Phonetools\IHMTextMessaging.dll
MOD - [2009/08/27 21:45:50 | 000,009,216 | ---- | M] () -- C:\Program Files\Orange\Internet Everywhere\Deskboard\IHMPluginSrvSettings.dll
MOD - [2009/08/27 21:45:20 | 000,018,944 | ---- | M] () -- C:\Program Files\Orange\Internet Everywhere\Deskboard\IHMDeskboard.dll
MOD - [2009/08/27 17:50:50 | 000,708,608 | ---- | M] () -- C:\Program Files\Orange\Internet Everywhere\Launcher\Plugins\PluginLnhPromptManager2.dll
MOD - [2009/08/27 17:49:58 | 000,040,960 | ---- | M] () -- C:\Program Files\Orange\Internet Everywhere\Launcher\WatchClient.dll
MOD - [2009/08/20 00:49:08 | 000,049,152 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\Memeo.API.dll
MOD - [2009/07/30 00:24:14 | 000,504,293 | ---- | M] () -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\sqlite3.dll
MOD - [2009/05/04 16:46:40 | 000,294,912 | ---- | M] () -- C:\Program Files\Orange\Internet Everywhere\Launcher\Sqlite3.dll
MOD - [2009/05/04 16:46:40 | 000,294,912 | ---- | M] () -- C:\Program Files\Orange\Internet Everywhere\Connectivity\Sqlite3.dll
MOD - [2006/12/11 06:51:08 | 000,077,824 | R--- | M] () -- C:\Program Files\HP\Digital Imaging\bin\crm\xmltok.dll
MOD - [2006/12/11 06:51:08 | 000,065,536 | R--- | M] () -- C:\Program Files\HP\Digital Imaging\bin\crm\xmlparse.dll
MOD - [2006/11/10 04:27:06 | 000,090,112 | ---- | M] () -- C:\Program Files\Toshiba\FlashCards\TWarnMsg\TWarnMsg.dll
MOD - [2006/11/09 04:08:30 | 000,009,216 | ---- | M] () -- C:\Program Files\Toshiba\PCDiag\NotifyPCD.dll
MOD - [2006/11/09 04:01:52 | 000,009,216 | ---- | M] () -- C:\Program Files\Toshiba\TBS\NotifyTBS.dll
MOD - [2006/10/20 23:49:22 | 000,009,216 | ---- | M] () -- C:\Program Files\Toshiba\ConfigFree\NotifyCFF.dll
MOD - [2006/10/10 20:44:16 | 000,009,728 | ---- | M] () -- C:\Program Files\Toshiba\TOSHIBA Assist\NotifyX.dll
MOD - [2006/10/07 21:57:04 | 000,053,248 | ---- | M] () -- C:\Program Files\Toshiba\TOSHIBA Disc Creator\NotifyTDC.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/10/06 16:41:16 | 000,166,024 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/08/19 15:59:30 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2011/08/19 15:55:34 | 000,160,344 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/06/23 23:22:58 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/01 01:32:41 | 000,265,912 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/01/28 02:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/28 02:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/28 02:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/28 02:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/28 02:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/08/24 05:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/11/13 20:28:04 | 000,110,592 | ---- | M] (WDC) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2009/08/27 17:49:16 | 000,077,824 | ---- | M] (France Telecom SA) [Auto | Running] -- C:\Program Files\Common Files\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe -- (FTRTSVC)
SRV - [2009/06/16 17:58:08 | 000,020,480 | ---- | M] (Memeo) [Auto | Running] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe -- (WDSmartWareBackgroundService)
SRV - [2006/11/23 03:45:28 | 000,425,648 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2006/11/15 06:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/11/01 08:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2006/08/24 02:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/07/20 22:54:28 | 000,040,960 | ---- | M] () [Auto | Running] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2006/05/26 04:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - [2011/08/15 10:00:06 | 000,461,864 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/08/15 10:00:06 | 000,338,040 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/08/15 10:00:06 | 000,180,072 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/08/15 10:00:06 | 000,119,808 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/08/15 10:00:06 | 000,089,624 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/08/15 10:00:06 | 000,087,808 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/08/15 10:00:06 | 000,064,712 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/08/15 10:00:06 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/08/15 10:00:06 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2009/06/23 13:00:30 | 000,103,040 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbfake.sys -- (hwusbfake)
DRV - [2009/06/23 13:00:30 | 000,102,784 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/02/13 20:02:52 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2006/11/21 04:14:28 | 000,033,792 | ---- | M] (TOSHIBA) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\qkbfiltr.sys -- (qkbfiltr)
DRV - [2006/11/17 23:08:36 | 000,145,920 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2006/11/02 09:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/10/30 19:42:28 | 001,786,880 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2006/10/24 02:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 21:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/12 19:18:14 | 000,007,680 | ---- | M] (Quanta Computer Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BoiHwSetup.sys -- (BoiHwsetup)
DRV - [2006/10/06 08:22:14 | 000,016,768 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2006/09/28 05:06:56 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2006/08/05 02:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/07/06 23:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/02/14 20:50:52 | 000,216,320 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2005/09/28 01:57:38 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2005/08/02 02:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lawschool.unm.edu/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;127.0.0.1:5400;*update.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;*.phobos.apple.com;update.adobe.com;localhost;localhost
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5400

FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2011/10/17 21:46:39 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111017190813.dll (McAfee, Inc.)
O2 - BHO: (NOW!Imaging) - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\WebRunner Accelerator\components\NOWImaging.dll (SlipStream Data Inc.)
O2 - BHO: (Prefetch) - {A66AA08A-9BF0-4e87-99E6-6972731D6B99} - C:\Program Files\WebRunner Accelerator\Prefetch.dll (SlipStream Data Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (WebRunner Accelerator) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\WebRunner Accelerator\Toolband.dll (SlipStream Data Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (WebRunner Accelerator) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\Program Files\WebRunner Accelerator\Toolband.dll (SlipStream Data Inc.)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [CardDetectorHUAWEI1752_1552] C:\Program Files\CardDetector\HUAWEI1752_1552\CardDetector.exe (France Telecom SA)
O4 - HKLM..\Run: [HSON] C:\Program Files\Toshiba\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [IEWINTERNET-SPSessionManager] C:\Program Files\Orange\Internet Everywhere\SessionManager\SessionManager.exe (France Telecom SA)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [PSQLLauncher] C:\Program Files\Protector Suite QL\launcher.exe (UPEK Inc.)
O4 - HKLM..\Run: [SlipStream] C:\Program Files\WebRunner Accelerator\wrcore.exe (SlipStream Data Inc.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TOSHIBA Volume Indicator] C:\Program Files\Toshiba\Utilities\VolControl.exe (TOSHIBA Inc.)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - Startup: C:\Users\smpareja\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O8 - Extra context menu item: Show All Original Images - C:\Program Files\WebRunner Accelerator\gui_resource.dll (SlipStream Data Inc.)
O8 - Extra context menu item: Show Original Image - C:\Program Files\WebRunner Accelerator\gui_resource.dll (SlipStream Data Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\WebRunner Accelerator\sliplsp.dll (SlipStream Data Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\WebRunner Accelerator\sliplsp.dll (SlipStream Data Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{79AC74AC-5CA1-4C12-BCBA-DBC620503B77}: NameServer = 85.62.229.133 85.62.229.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FCE00225-F6A3-42B7-9AFF-64CDC15BEB8E}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) -C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) -C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\psfus: DllName - (C:\Windows\system32\psqlpwd.dll) - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O24 - Desktop WallPaper: C:\Users\smpareja\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\smpareja\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{4f62eefa-d7d3-11e0-9930-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{4f62eefa-d7d3-11e0-9930-806e6f6e6963}\Shell\AutoRun\command - "" = F:\MicroLauncher.exe
O33 - MountPoints2\{53b20a8d-d8b2-11e0-a03b-a297c57a5e0c}\Shell - "" = AutoRun
O33 - MountPoints2\{53b20a8d-d8b2-11e0-a03b-a297c57a5e0c}\Shell\AutoRun\command - "" = E:\MicroLauncher.exe
O33 - MountPoints2\{bb59f3c6-3e09-11e0-baf1-001636c20109}\Shell - "" = AutoRun
O33 - MountPoints2\{bb59f3c6-3e09-11e0-baf1-001636c20109}\Shell\AutoRun\command - "" = "F:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{e5d9a059-9b81-11e0-b277-92485b0fc304}\Shell - "" = AutoRun
O33 - MountPoints2\{e5d9a059-9b81-11e0-b277-92485b0fc304}\Shell\AutoRun\command - "" = E:\KODAK_Software_Downloader.exe
O33 - MountPoints2\{e5d9a075-9b81-11e0-b277-f6036020ded4}\Shell - "" = AutoRun
O33 - MountPoints2\{e5d9a075-9b81-11e0-b277-f6036020ded4}\Shell\AutoRun\command - "" = E:\DPFMate.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/18 14:03:03 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\smpareja\Desktop\OTL.exe
[2011/10/17 18:46:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/10/04 10:41:58 | 000,000,000 | ---D | C] -- C:\Users\smpareja\Documents\ESL Classes
[2011/09/19 13:15:29 | 000,000,000 | ---D | C] -- C:\Windows\System32\x64

========== Files - Modified Within 30 Days ==========

[2011/10/18 14:03:39 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\smpareja\Desktop\OTL.exe
[2011/10/18 13:42:39 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/18 13:42:39 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/18 09:51:14 | 000,618,648 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/10/18 09:51:14 | 000,104,024 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/10/18 08:22:59 | 000,001,746 | ---- | M] () -- C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
[2011/10/17 21:42:32 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2011/10/17 21:42:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/10/17 21:42:16 | 2137,186,304 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/23 14:09:06 | 000,157,184 | ---- | M] () -- C:\Users\smpareja\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/21 18:30:08 | 000,086,374 | ---- | M] () -- C:\Users\smpareja\Documents\Math-SBA 4thCECILIA PAREJA - Schoolnet.pdf
[2011/09/21 18:29:11 | 000,086,106 | ---- | M] () -- C:\Users\smpareja\Documents\Writing-SBA_ 4th-CECILIA G PAREJA - Schoolnet.pdf
[2011/09/21 18:28:19 | 000,086,375 | ---- | M] () -- C:\Users\smpareja\Documents\Science-SBA 4th-CECILIA G PAREJA - Schoolnet.pdf
[2011/09/21 18:27:20 | 000,087,187 | ---- | M] () -- C:\Users\smpareja\Documents\Reading-SBA_4th- CECILIA G PAREJA - Schoolnet.pdf
[2011/09/19 13:52:51 | 177,211,398 | ---- | M] () -- C:\Windows\MEMORY.DMP

========== Files Created - No Company Name ==========

[2011/09/21 18:30:08 | 000,086,374 | ---- | C] () -- C:\Users\smpareja\Documents\Math-SBA 4thCECILIA PAREJA - Schoolnet.pdf
[2011/09/21 18:28:59 | 000,086,106 | ---- | C] () -- C:\Users\smpareja\Documents\Writing-SBA_ 4th-CECILIA G PAREJA - Schoolnet.pdf
[2011/09/21 18:28:12 | 000,086,375 | ---- | C] () -- C:\Users\smpareja\Documents\Science-SBA 4th-CECILIA G PAREJA - Schoolnet.pdf
[2011/09/21 18:27:07 | 000,087,187 | ---- | C] () -- C:\Users\smpareja\Documents\Reading-SBA_4th- CECILIA G PAREJA - Schoolnet.pdf
[2011/02/22 00:20:04 | 000,003,654 | ---- | C] () -- C:\Windows\System32\drivers\Sonyhcp.dll
[2010/12/22 23:41:32 | 000,130,831 | ---- | C] () -- C:\Windows\hpoins18.dat
[2010/12/22 23:41:12 | 000,006,600 | ---- | C] () -- C:\Windows\hpomdl18.dat
[2010/12/21 20:14:57 | 000,000,120 | ---- | C] () -- C:\Windows\QUICKEN.INI
[2010/12/13 22:40:42 | 000,157,184 | ---- | C] () -- C:\Users\smpareja\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/11 19:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2006/12/01 02:57:36 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2006/12/01 02:27:17 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2006/12/01 02:27:17 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2006/12/01 02:27:17 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2006/12/01 02:27:17 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2006/12/01 02:27:17 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2006/12/01 02:27:17 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2006/12/01 02:02:13 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2006/12/01 02:02:13 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2006/12/01 02:02:13 | 000,009,484 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2006/12/01 02:02:13 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2006/11/06 21:02:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2006/11/02 14:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 14:47:37 | 000,331,672 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 12:33:01 | 000,618,648 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 12:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 12:33:01 | 000,104,024 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 12:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 12:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 10:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 10:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 09:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 09:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 09:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/11/01 03:37:00 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/08/11 01:00:52 | 000,094,208 | ---- | C] () -- C:\Windows\System32\TosBtHcrpAPI.dll
[2006/03/09 20:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/07/23 07:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== LOP Check ==========

[2010/12/14 00:25:41 | 000,000,000 | ---D | M] -- C:\Users\smpareja\AppData\Roaming\InterVideo
[2011/02/22 00:33:30 | 000,000,000 | ---D | M] -- C:\Users\smpareja\AppData\Roaming\Western Digital
[2011/10/17 21:41:12 | 000,032,546 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

#2 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hello mlpjd and welcome to G2G! :)

My nick is maliprog and I will be your technical support on this issue. Before we start, please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you to. Instead, please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

Please find another, clean, PC and change your mail password. That should stop spam from your account.

Step 2

NOTE: This fix is custom made for this system only and for the current system state! Don't try to run it on another system!

Please close all running programs and run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;127.0.0.1:5400;*update.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;*.phobos.apple.com;update.adobe.com;localhost;localhost
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5400

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 3

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • Malwarebytes log
It would be helpful if you could post each log in a separate post.
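
The three proxy lines in the fix above are the indicator worth recognising in other OTL reports: Internet Explorer pointed at a proxy on 127.0.0.1:5400, with a ProxyOverride list that sends only Microsoft, Windows Update, Symantec, McAfee, Apple and Adobe hosts around the proxy. The following Python audit is an added example, not code from this thread or from OTL; it parses OTL-style `IE - HKCU\...\Internet Settings:` lines and flags a loopback proxy and vendor exemptions. The sample input is the three HKCU lines from the fix plus two constructed clean HKLM lines for contrast; the regex, the vendor hint list and the function names are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample input: the three HKCU lines are copied from the OTL fix in
# this thread; the two HKLM lines are constructed "clean" entries for contrast.
SAMPLE_OTL_LINES = [
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;127.0.0.1:5400;*update.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;*.phobos.apple.com;update.adobe.com;localhost;localhost',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5400',
    r'IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>',
]

# Shape of an OTL "IE - <hive>\...\Internet Settings: "<name>" = <value>" line (assumed format).
IE_SETTING_RE = re.compile(
    r'^IE - (?P<hive>HK\w+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: '
    r'"(?P<name>[^"]+)" = (?P<value>.*)$'
)

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Substrings of update/AV vendor hosts. An override list made of these, as in the
# fix above, lets updates and signature downloads bypass the proxy while every
# other connection is intercepted, so a long vendor-only exemption list is a signal.
VENDOR_HINTS = ("microsoft", "windowsupdate", "symantec", "mcafee", "apple", "adobe")


def parse_ie_settings(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Group the IE Internet Settings lines of an OTL report into {hive: {name: value}}."""
    settings: Dict[str, Dict[str, str]] = {}
    for line in lines:
        m = IE_SETTING_RE.match(line.strip())
        if m:
            settings.setdefault(m.group("hive"), {})[m.group("name")] = m.group("value").strip()
    return settings


def parse_proxy_server(value: str) -> Dict[str, str]:
    """ProxyServer is 'host:port' (all protocols) or 'scheme=host:port;...'. Return {scheme: host}."""
    hosts: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.partition("=") if "=" in part else ("all", "", part)
        host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
        hosts[scheme] = host.strip("[]")  # drop IPv6 brackets if present
    return hosts


def assess_hive(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one hive; an empty list means nothing suspicious."""
    findings: List[str] = []
    enabled = settings.get("ProxyEnable", "0") == "1"
    server = settings.get("ProxyServer", "")
    override = settings.get("ProxyOverride", "")

    if enabled and server:
        for scheme, host in parse_proxy_server(server).items():
            if host.lower() in LOOPBACK_HOSTS:
                findings.append(f"{scheme} proxy points at loopback host {host} (local interception)")
    elif enabled:
        findings.append("ProxyEnable=1 but ProxyServer is empty")

    exempt = [e.strip().lower() for e in override.split(";") if e.strip()]
    vendor = [e for e in exempt if any(h in e for h in VENDOR_HINTS)]
    if vendor:
        findings.append(f"ProxyOverride exempts {len(vendor)} update/AV vendor hosts: {', '.join(vendor)}")
    return findings


def audit_otl_report(lines: List[str]) -> Dict[str, List[str]]:
    """Audit every hive found in the report lines."""
    return {hive: assess_hive(s) for hive, s in parse_ie_settings(lines).items()}


if __name__ == "__main__":
    for hive, findings in audit_otl_report(SAMPLE_OTL_LINES).items():
        print(hive, "->", findings or ["no proxy findings"])
```

Run against the sample, HKCU produces two findings (the loopback proxy and ten vendor exemptions) and HKLM none. A corporate proxy on a real host with an ordinary `<local>` override produces nothing, which is the point of the contrast: the combination of loopback plus vendor-only exemptions, not a proxy setting by itself, is what the OTL fix in this thread reverted.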
#3 mlpjd (Topic Starter, Member, 23 posts)

Hello maliprog. Thank you for your help! I will try to follow your instructions as exactly as I can. I truly appreciate your time.

1. Changed password to the yahoo mail account from a different (and presumably uninfected) computer.

2. Ran your custom fix through OTL. The log is below.

And now I will work on the rest of your instructions, and post the rest of your requested items.

Thanks. mlpjd

All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\smpareja\Desktop\cmd.bat deleted successfully.
C:\Users\smpareja\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Parejas

User: Public

User: smpareja
->Temp folder emptied: 14429516 bytes
->Temporary Internet Files folder emptied: 936315526 bytes
->Java cache emptied: 162017 bytes
->Flash cache emptied: 2232 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 36370042 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 942.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 10212011_132900

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
#4 mlpjd (Topic Starter, Member, 23 posts)

Hello again. I think I've now done everything that you asked for. I downloaded and ran Malwarebytes, but it didn't prompt me to clean, fix, or disinfect anything. It just posted the log shown below. What's next?

Thanks again!
mlpjd

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7993

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

10/21/2011 3:51:04 PM
mbam-log-2011-10-21 (15-51-04).txt

Scan type: Quick scan
Objects scanned: 161019
Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#5 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Good work. Let's see a VRT log.

Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan.

Click the cog in the upper right.

Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan.

Allow Virus Removal Tool to delete all infections found.
Once it has finished, select the report tab (last tab).
Select the Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.
#6 mlpjd (Topic Starter, Member, 23 posts)

Hi maliprog. Well, things just got worse. *sigh*

I ran Kaspersky Virus Removal Tool, per your instructions. I have nothing to post because it didn't detect anything. BUT there were several files that it said were "password protected". I know those are not mine, because I don't have any password protected files. I'm not sure how to get a list of those files to show you.

AND here's the latest problem. My OTHER Yahoo mail account (I have two, one for spammy kinds of things and one that's real) had a bunch of Facebook posts in it, but I don't have a Facebook page associated with that email. There were no unfamiliar e-mails in my sent or trash folders. But clearly someone or something created a Facebook page using my email address! I went into Facebook and was able to change the password and then deactivate the account (I did this from the infected computer though, just to get it done). The Facebook page was completely unrelated to any information about me, other than it used my e-mail address as the primary and only contact. I also had a trusted person change the password to the Yahoo account from a presumably safe computer. But geez! That's kinda freaky. What in the world could be wrong? Do you suppose all my passwords are compromised? Do you suppose there is a person behind this, or is it more likely a nasty machine program?

Thanks for your help. I anxiously await your reply.
mlpjd
#7 mlpjd (Topic Starter, Member, 23 posts)

Me again, maliprog. I did figure out how to save an automatic scan report from Kaspersky, which shows the password protected files. Not sure if it will help, but I figured it couldn't hurt to send it along. It's super big though, so I'm only sending the files that say password protected. Let me know if you want more.

Thanks!
mlpjd

10/24/2011 11:06:50 AM Password protected C:\Documents and Settings\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/#
10/24/2011 12:19:01 PM Password protected C:\Users\smpareja\AppData\Local\Temp\RarSFX0\6827620rar.exe
10/24/2011 11:06:46 AM Password protected C:\Documents and Settings\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/6827620rar.exe
10/24/2011 1:34:33 PM Password protected C:\Users\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/#
10/24/2011 1:34:30 PM Password protected C:\Users\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/6827620rar.exe
10/24/2011 11:27:45 AM Password protected C:\Documents and Settings\smpareja\Local Settings\Temp\RarSFX0\6827620rar.exe
10/24/2011 12:26:30 PM Password protected C:\Users\smpareja\Local Settings\Temp\RarSFX0\6827620rar.exe
10/24/2011 12:20:22 PM Password protected C:\Users\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/#
10/24/2011 12:20:20 PM Password protected C:\Users\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/6827620rar.exe
10/24/2011 1:49:40 PM Password protected C:\Documents and Settings\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/#
10/24/2011 1:55:51 PM Password protected C:\Documents and Settings\smpareja\Local Settings\Temp\RarSFX0\6827620rar.exe
10/24/2011 1:49:39 PM Password protected C:\Documents and Settings\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/6827620rar.exe
10/24/2011 2:22:58 PM Password protected C:\Users\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/#
10/24/2011 2:29:21 PM Password protected C:\Users\smpareja\Local Settings\Temp\RarSFX0\6827620rar.exe
10/24/2011 2:22:56 PM Password protected C:\Users\smpareja\Desktop\setup_11.0.0.1245.x01_2011_10_24_09_43.exe/6827620rar.exe
10/24/2011 2:21:13 PM Password protected C:\Users\smpareja\AppData\Local\Temp\RarSFX0\6827620rar.exe
10/24/2011 1:48:11 PM Password protected C:\Documents and Settings\smpareja\AppData\Local\Temp\RarSFX0\6827620rar.exe
10/24/2011 11:04:57 AM Password protected C:\Documents and Settings\smpareja\AppData\Local\Temp\RarSFX0\6827620rar.exe
10/24/2011 11:39:54 AM Packed: WiseSFXDropper C:\Program Files\DesktopDialer\sw_lic_full_installer.exe
#8 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi mlpjd,

I don't see any malware on your system now. This probably happened at the same time as your first mail account was compromised.

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. Also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen, and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

Besides your lost passwords, is there any other problem with your system that you can relate to malware?
#9 mlpjd (Topic Starter, Member, 23 posts)

My system is running very slowly. When I got online today, I couldn't type www.yahoo.com into the address bar; I had to get into Yahoo through Google. But now it's working. Last night I gave up trying to read email ... my computer wouldn't pull up individual messages, but was cycling through files on the bottom indicator bar (some of which I recognized from when Yahoo is slow and some I didn't recognize).

The problem with my other account occurred AFTER the initial fix you had me do. So wouldn't that mean there is still a problem with my system?

And what are those password protected files?

But you think my computer is clean? Perhaps it is (I hope so!). Do you think the malware stole my passwords? I'm not sure I CAN change all those passwords ... you can't do anything these days without a password! But I can try. Why would I need to do that from a different computer though, if this one is clean?

Thanks again for your help, and sorry for all the questions. I guess I just don't really understand.
MLPJD
#10 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

OK. Let's do some more scans and try to figure out what's wrong with your system. Maybe malware is hiding somewhere from us :).

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
#11 mlpjd (Topic Starter, Member, 23 posts)

Thanks for sticking with me maliprog. Today, my computer is running much faster. Perhaps it was just a terrible internet connection yesterday. But I really want to make sure the problem is fixed.

So, I followed your instructions. But I'm a bit worried the medicine is worse than the illness, though. My internet connection wouldn't start up on a double click. It said an "illegal operation was attempted on a registry key that has been marked for deletion" and gave the file c:\Program Files\Orange\Internet Everywhere\Launcher\Launcher.exe. I was able to open it by right clicking and running it as administrator. Same thing happened when I tried to open Internet Explorer.

And, most distressing, I cannot open the text file with the log! It says "c:\ComboFix.txt Illegal operation attempted on a registry key that has been marked for deletion" and I can't seem to open it as administrator like the programs. HELP!!!

MLPJD
#12 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

I see. Please turn OFF your PC. After 5 min turn it ON. Do not restart it. Let me know the results after that.
#13 mlpjd (Topic Starter, Member, 23 posts)

Weellll, I took a deep breath and rebooted, worried that I wouldn't even be able to start my computer again. But now things are running normally again. *sigh* Not sure what happened. Anyway, here is the ComboFix log. Let me know what you think. Thanks again.

MLPJD

ComboFix 11-10-26.05 - smpareja 10/26/2011 18:59:58.1.2 - x86
Running from: c:\users\smpareja\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-26 to 2011-10-26 )))))))))))))))))))))))))))))))
.
.
2011-10-26 17:41 . 2011-10-26 17:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-24 08:34 . 2011-10-24 08:34 -------- d-----w- c:\programdata\Kaspersky Lab
2011-10-21 13:39 . 2011-10-21 13:39 -------- d-----w- c:\users\smpareja\AppData\Roaming\Malwarebytes
2011-10-21 13:38 . 2011-10-21 13:38 -------- d-----w- c:\programdata\Malwarebytes
2011-10-21 13:38 . 2011-08-31 15:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-21 13:38 . 2011-10-21 13:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-21 11:29 . 2011-10-21 11:29 -------- d-----w- C:\_OTL
2011-09-27 09:48 . 2011-10-18 07:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-19 13:59 . 2011-09-02 15:04 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-08-15 08:00 . 2011-09-02 15:05 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 08:00 . 2011-09-02 15:04 89624 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-08-15 08:00 . 2011-09-02 15:04 64712 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-08-15 08:00 . 2011-09-02 15:04 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 08:00 . 2011-09-02 15:04 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 08:00 . 2011-09-02 15:04 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 08:00 . 2011-09-02 15:04 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 08:00 . 2011-09-02 15:04 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 08:00 . 2011-09-02 15:04 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-08-15 08:00 . 2011-09-02 15:04 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-11-06 19:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-11-06 19:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-11-06 49168]
"NDSTray.exe"="NDSTray.exe" [BU]
"PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2006-07-20 151552]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-11-23 409264]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-11-28 52912]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-11-20 446128]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-11-29 523952]
"TOSHIBA Volume Indicator"="c:\program files\Toshiba\Utilities\VolControl.exe" [2006-10-31 94208]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-12-14 30192]
"SlipStream"="c:\program files\WebRunner Accelerator\wrcore.exe" [2010-04-08 319488]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"IEWINTERNET-SPSessionManager"="c:\program files\Orange\Internet Everywhere\SessionManager\SessionManager.exe" [2009-08-27 140016]
"CardDetectorHUAWEI1752_1552"="c:\program files\CardDetector\HUAWEI1752_1552\CardDetector.exe" [2009-08-27 282624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\smpareja\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2011-3-18 333088]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
WebRunner Accelerator.lnk - c:\program files\WebRunner Accelerator\wrgui.exe [2010-12-13 204800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-11-06 19:34 52224 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
2;2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-12-14 30192]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2009-06-23 103040]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-08-15 89624]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-28 214904]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-08-19 148520]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lawschool.unm.edu/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\progra~1\WEBRUN~1\sliplsp.dll
Trusted Zone: intuit.com\ttlc
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-26 19:45
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????M?LFI????q?8?q?p?q???q???
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1300)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Protector Suite QL\upeksvr.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2011-10-26 19:50:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-26 17:50
.
Pre-Run: 49,359,380,480 bytes free
Post-Run: 49,121,828,864 bytes free
.
- - End Of File - - 3AF4CBC448E5403FD03DE9BBB24574DB
#14 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Take a look at my last post :). We must have cross-posted. Glad to hear that your system is good now.

ComboFix did a good job. How is your system now? Can you test it for a couple of hours and get back to me with the results? If all goes well I'll post some cleanup for you.
#15 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi mlpjd,

Your logs and system are clean now. I'm glad we fixed up your computer. We need to clean the programs we used off your PC.

Step 1

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them option.
  • Click OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor's patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of software installed on your system.