
[Resolved] Computer Unusable! Spyware desktop background and


  • This topic is locked
57 replies to this topic

#16 gringo_pr (Silver Member, Visiting Fellow, 423 posts)
Posted 07 May 2008 - 05:19 PM

Hello milkman,

Are you still unable to get into the task manager?

Gringo


#17 milkman0 (Authentic Member, 27 posts)
Posted 07 May 2008 - 05:27 PM

I cannot access the task manager in normal mode. I can only access the task manager in safe mode. How extensive are my infections? I am wondering if I should be thinking about just backing up my data and reformatting. What do you think?

#18 gringo_pr (Silver Member, Visiting Fellow, 423 posts)
Posted 07 May 2008 - 06:25 PM

Hello milkman,

I want you to try something while in normal mode: press the Windows key and the R key at the same time. If the Run box pops up, type in Sfc /Scannow and let it finish, then type in CHKDSK C: /F and let it finish. It may ask for your XP CD. Let me know what happens.

gringo

#19 gringo_pr (Silver Member, Visiting Fellow, 423 posts)
Posted 07 May 2008 - 06:38 PM

milkman0 wrote: "How extensive are my infections? I am wondering if I should be thinking about just backing up my data and reformatting. What do you think?"

There are things to try first; a reformat is a last resort, but it is an option.

I think most of the infections are gone. It is just a matter of fixing the damage that was done.

Gringo

#20 milkman0 (Authentic Member, 27 posts)
Posted 07 May 2008 - 11:32 PM

Windows-R didn't work. It was unresponsive to any keystroke combination. Would it help to try this while in safe mode?

#21 gringo_pr (Silver Member, Visiting Fellow, 423 posts)
Posted 08 May 2008 - 07:23 AM

Hello milkman,

Before we go any further I want you to install the Recovery Console.

: Recovery Console :

We need to install the Recovery Console on this computer. This is very important; it could save you later.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your operating system.

The one for you is Windows XP Service Pack 2 (SP2).

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

gringo

#22 milkman0 (Authentic Member, 27 posts)
Posted 08 May 2008 - 08:10 AM

Done.

---------------------------------------------------------------------
---------------------------------------------------------------------
ComboFix 08-04-29.3 - Administrator 2008-05-08 6:47:28.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-06 06:48 . 2008-05-06 06:48 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-05-05 22:06 . 2007-06-28 14:36 401,720 --a------ C:\Administrator.exe
2008-05-04 08:46 . 2008-05-04 08:46 <DIR> d-------- C:\Deckard
2008-05-04 07:59 . 2008-05-04 07:59 <DIR> d-------- C:\Program Files\MBAnti-Malware
2008-05-04 07:59 . 2008-05-04 07:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 07:59 . 2008-05-04 07:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-04 07:49 . 2004-05-13 15:17 10,752 --a------ C:\WINDOWS\system32\clb.dll
2008-05-04 07:49 . 2008-05-04 07:31 5,786 --a------ C:\WINDOWS\system32\clb[1].dll.zip
2008-05-03 21:12 . 2007-06-28 14:36 401,720 --a------ C:\milkman.exe
2008-04-29 21:39 . 2008-04-29 21:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-29 07:37 . 2008-04-29 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 19:56 . 2005-08-09 15:00 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-27 19:56 . 2005-08-09 15:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-04-27 19:56 . 2005-08-09 15:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-27 19:56 . 2005-08-09 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-04-27 19:56 . 2005-08-09 15:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-04-27 19:56 . 2006-03-12 16:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-04-27 19:56 . 2008-05-06 06:48 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-27 19:56 . 2008-05-08 06:50 393,216 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-27 19:46 . 2008-04-27 19:46 578 --a------ C:\WINDOWS\index.html
2008-04-27 16:07 . 2004-08-04 05:00 4,224 --a------ C:\WINDOWS\system32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 23:37 24,576 ----a-w C:\WINDOWS\system32\userinit.exe
2008-04-27 22:55 --------- d-----w C:\Documents and Settings\Tommy\Application Data\OpenOffice.org2
2008-03-28 16:01 --------- d-----w C:\Documents and Settings\Tommy\Application Data\skypePM
2008-03-25 19:22 --------- d-----w C:\Documents and Settings\Tommy\Application Data\Skype
2008-03-11 15:32 --------- d-----w C:\Program Files\Phun
2008-03-09 04:47 --------- d-----w C:\Program Files\MediaCoder
2008-02-10 05:26 30,720 ---h--r C:\WINDOWS\CdaC13BA.EXE
2008-02-10 05:26 112,128 ---h--r C:\WINDOWS\CdaC14BA.DLL
2008-02-10 05:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2006-03-04 04:30 1,304,066 ----a-w C:\Program Files\mpc2kxp6482.zip
.

((((((((((((((((((((((((((((( snapshot@2008-05-03_18.12.25.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 12:00:00 110,080 -c--a-w C:\WINDOWS\$NtUninstallKB895200$\clbcatex.dll
+ 2004-08-04 12:00:00 501,248 -c--a-w C:\WINDOWS\$NtUninstallKB895200$\clbcatq.dll
- 2008-05-04 00:57:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-08 05:29:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-04 00:57:25 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-04 05:24:20 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-04 00:57:25 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-04 05:24:20 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 00:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43 688218]
"NDSTray.exe"="NDSTray.exe" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52 380928]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-22 12:47 155648]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-11-29 02:11 258048]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-14 23:21 675840]
"CFSServ.exe"="CFSServ.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 18:17 443968]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tommy^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Tommy\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 21:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2006-10-10 14:23 43520 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-09-16 09:43 274432 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 19:29 303104 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 13:05 212992 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
--a------ 2004-05-25 14:35 28672 C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-08-11 23:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-09-07 14:03 1077301 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 17:37 151552 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-12-22 12:47 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 16:13 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-27 12:17 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2004-12-30 00:32 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
--a------ 2005-10-18 15:04 1261568 c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2005-08-10 13:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 19:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"iPodService"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\ABC\\abc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 21:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2005-05-09 15:17]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 14:27]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
S3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-31 17:08]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\MBAnti-Malware\catchme.sys [2008-04-07 20:17]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-06-13 15:16]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-12-27 06:10]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 06:50:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-08 6:52:12
ComboFix-quarantined-files.txt 2008-05-08 13:52:05
ComboFix2.txt 2008-05-04 14:56:57
ComboFix3.txt 2008-05-04 05:52:35
ComboFix4.txt 2008-05-04 01:13:25

Pre-Run: 28,297,166,848 bytes free
Post-Run: 28,293,750,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

180

#23 gringo_pr (Silver Member, Visiting Fellow, 423 posts)
Posted 08 May 2008 - 08:43 AM

Hey milkman,

Here is a collection of small things to try. One thing may not work, but maybe together something will happen. I will keep looking for more things to try.

:FIXES TASK MANAGER:

Download RatsCheddar.zip.
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit.
Reboot your computer.

Fix permissions

Download the DjLizard Repair Permissions and extract the package. This will create a folder called Repair Permissions. Run the !RUNME.BAT file in that folder. Now see if you can get to the Control Panel.

FixPolicies

Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here: http://downloads.mal...FixPolicies.exe
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new folder called FixPolicies.
  • Double-click to open the new folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close. This will enable your Control Panel and stop the Administrative warnings, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like. A permanent fix requires removing the infection.

Fix msconfig

Fix msconfig when there is no access (for XP):
  • Download >>this File<< from kellys-korner.
  • Double-click xp_emergencyutil.exe to run the file.
  • Now try Start > Run > type msconfig > OK.
  • Does msconfig work now?
  • Please post back and let me know.

Let me know of any changes.

gringo
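The tools in the post above (RatsCheddar, FixPolicies) work by clearing registry policy values that malware sets to lock a user out of Task Manager, the Registry Editor, the Control Panel, the Run box and the desktop. As an added example, not from the original post and not the code of either tool, the batch script below first shows which of those values are present and where (a value under HKCU is per-user, one under HKLM applies to every account), then removes them, and finally prints the Winlogon Shell and Userinit values so they can be compared against the Windows XP defaults (Explorer.exe and C:\WINDOWS\system32\userinit.exe, with the trailing comma). The key and value names are the documented Windows policy locations; that reg.exe is available and that the script is run from the affected account are assumptions.

```batch
@echo off
REM Added example, not from the original post or from the FixPolicies/RatsCheddar tools.
REM Queries and removes the policy values that commonly produce the symptoms in this
REM thread. Assumptions: reg.exe is present (it ships with Windows XP), and the script
REM is run from a command prompt in the affected account, since HKCU is per-user.
setlocal
set SYSPOL=Software\Microsoft\Windows\CurrentVersion\Policies\System
set EXPPOL=Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

echo === Current policy values (a value of 0x1 means the restriction is on) ===
for %%H in (HKCU HKLM) do (
    for %%V in (DisableTaskMgr DisableRegistryTools) do (
        reg query "%%H\%SYSPOL%" /v %%V 2>nul
    )
    for %%V in (NoControlPanel NoRun NoDesktop) do (
        reg query "%%H\%EXPPOL%" /v %%V 2>nul
    )
)

echo === Removing the restrictions (missing values are silently skipped) ===
for %%H in (HKCU HKLM) do (
    for %%V in (DisableTaskMgr DisableRegistryTools) do (
        reg delete "%%H\%SYSPOL%" /v %%V /f 2>nul && echo removed %%H\%SYSPOL%\%%V
    )
    for %%V in (NoControlPanel NoRun NoDesktop) do (
        reg delete "%%H\%EXPPOL%" /v %%V /f 2>nul && echo removed %%H\%EXPPOL%\%%V
    )
)

echo === Winlogon values; XP defaults are Shell=Explorer.exe and ===
echo === Userinit=C:\WINDOWS\system32\userinit.exe, (trailing comma) ===
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
endlocal
```

Save it as a .cmd file and run it from a command prompt (Start > Run > cmd, or Task Manager's File > New Task in safe mode). The first section is the useful part for diagnosis: it tells you whether the lockout lives in the current user's own hive or machine-wide, which decides whether switching to another account will help. As the post says, if the infection is still running it will simply set the values again, so this is a symptom fix, not a cleanup.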

#24 milkman0 (Authentic Member, 27 posts)
Posted 08 May 2008 - 08:50 AM

I will try this when I get home from work. I just want to mention that I *can* access msconfig from safe mode, just not in normal mode. If there is something in msconfig that you would want me to try I can do it.

#25 milkman0 (Authentic Member, 27 posts)
Posted 09 May 2008 - 08:32 AM

No improvement in normal mode. Still unable to access the task manager or my desktop. However, I had trouble running RatsCheddar. I didn't see the exit button. Attached is the bottom of the Rat's Cheddar program. Can you tell me if this is what it is supposed to look like? I just enabled everything and closed the window since there was no other option. Like I mentioned previously, I have access to msconfig and the task manager while in safe mode, just not in normal mode. So let me know if there is something I can try through msconfig or the task manager.

Attached Thumbnails
  • rats.JPG


#26 gringo_pr (Silver Member, Visiting Fellow, 423 posts)
Posted 09 May 2008 - 05:32 PM

Hello milkman0,

The things I need you to do need to be done in normal mode (I tried on my computer in safe mode and it doesn't work).

I have asked for some help here in the Windows forum to see if they could give us some ideas. The link to the topic is here if you would like to follow yourself:

http://forums.whatth...ger_t91710.html

We are going to beat this thing yet.

gringo

#27 gringo_pr (Silver Member, Visiting Fellow, 423 posts)
Posted 09 May 2008 - 08:05 PM

Create a new Administrator account and see if you can access them there. If yes, you can copy the data from his old account to the new one, then delete the old one after a while.

See if you can do this; if not, reply in the other thread so they can get a better feel of the problems.

gringo
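The "new Administrator account" suggestion works when the lockout lives in the old account's own registry hive (HKCU, stored in that profile's NTUSER.DAT), because a fresh profile starts without those values. As an added example, not from the original post, the batch script below does the two halves of that approach: `create` makes the new local administrator account, and `inspect`, run later while logged in as the new account, mounts the old account's hive and lists the policy keys and the per-user Run key in it, so you can see what locked the old account out and what it started at logon without touching the old profile before its data is copied. The account name "Recovery" and the old profile folder "C:\Documents and Settings\OldUser" are placeholders, not names from this thread.

```batch
@echo off
REM Added example, not from the original post. Two steps:
REM   fixaccount.cmd create    - run from safe mode (or any session with a prompt)
REM   fixaccount.cmd inspect   - run later, logged in as the new account
REM Placeholders (not from the page): the account name "Recovery" and the old
REM profile folder "C:\Documents and Settings\OldUser". The old account must be
REM logged off, otherwise "reg load" fails because Windows still has the hive open.
setlocal
set NEWUSER=Recovery
set OLDHIVE=C:\Documents and Settings\OldUser\NTUSER.DAT
set TMPKEY=HKU\OldUserHive

if /i "%~1"=="create" goto create
if /i "%~1"=="inspect" goto inspect
echo usage: %~nx0 create ^| inspect
goto :eof

:create
REM New local account (the password is prompted for, so it does not end up on the
REM command line) and membership in the local Administrators group.
net user %NEWUSER% * /add
net localgroup Administrators %NEWUSER% /add
goto :eof

:inspect
REM Mount the old profile's hive under a temporary key name, read the two policy
REM keys that control Task Manager / Control Panel / desktop access and the
REM per-user Run key (anything listed there started whenever the old user logged
REM on), then unmount it. Only queries are made; the hive is left as it was.
reg load %TMPKEY% "%OLDHIVE%"
if errorlevel 1 (
    echo could not load %OLDHIVE% - is the old account logged off?
    goto :eof
)
echo --- Policies\System (DisableTaskMgr / DisableRegistryTools = 0x1 means locked) ---
reg query "%TMPKEY%\Software\Microsoft\Windows\CurrentVersion\Policies\System"
echo --- Policies\Explorer (NoControlPanel / NoRun / NoDesktop = 0x1 means locked) ---
reg query "%TMPKEY%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
echo --- Run key of the old account ---
reg query "%TMPKEY%\Software\Microsoft\Windows\CurrentVersion\Run"
reg unload %TMPKEY%
goto :eof
```

If the inspect step shows nothing under the two Policies keys, the lockout was not per-user and the new account only helped because the malware component that re-applied it is no longer running; in that case the HKLM policy keys and the Winlogon values are the next place to look.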

#28 milkman0 (Authentic Member, 27 posts)
Posted 10 May 2008 - 10:37 AM

I can create a new account and log in under normal mode! Finally, so now I have access to my system under normal mode. Should I perform the steps as described in our last post and run the ratscheddar and etc? Or should I back up my data from the other account? Thanks,

#29 gringo_pr (Silver Member, Visiting Fellow, 423 posts)
Posted 10 May 2008 - 01:02 PM

Hello milkman0,

milkman0 wrote: "I can create a new account and log in under normal mode!"

Yes!!!! :yeah: :woot:

milkman0 wrote: "Should I perform the steps as described in our last post and run the ratscheddar and etc?"

No, those were only to get things to where we are now.

Send me a HijackThis log in normal mode so we can finish the clean up.

You can move your data anytime (in the Windows thread I made he goes into some nice instructions on how to move your data).

Gringo

Edited by gringo_pr, 10 May 2008 - 01:33 PM.


#30 milkman0 (Authentic Member, 27 posts)
Posted 11 May 2008 - 08:06 AM

Great! Below is the HijackThis log file. What can I install on my system to ensure this doesn't happen again? Any recommendations?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:35 AM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\milkman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202624207765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6719 bytes
