Can someone please analyze this log?

KarenLee

I just recently had a major virus cleaned from my laptop and would truly appreciate it if someone can analyze this Hijack log for me. Also, I understand that all "04" lines are start up programs. If that is true, can you tell me which ones are safe to disable from starting up? Thank you

Log created by WinPatrol PLUS version 32.0.2014.5:32.0.2014.5
Scan saved at 6:05:49 PM, on 9/20/2014
Platform: Windows 8.1 Home Edition
Windows x64 Version 6.3 Build 9600 2
MSIE: Internet Explorer (11.00.9600.16384)
Boot mode: Normal

Running processes:
C:\PROGRAM FILES (X86)\MALWAREBYTES ANTI-MALWARE\mbam.exe
C:\PROGRAM FILES (X86)\NORTON INTERNET SECURITY\Engine\21.5.0.19\nis.exe
C:\PROGRAM FILES (X86)\Toshiba\SYSTEM SETTING\TssSrv.exe
C:\PROGRAM FILES (X86)\Ruiware\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES (X86)\Ruiware\WINPATROL\WINPATROLEX.EXE
C:\PROGRAM FILES (X86)\INTERNET EXPLORER\iexplore.exe
C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\firefox.exe
C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGIN-CONTAINER.EXE
C:\Windows\SysWOW64\Macromed\Flash\FLASHPLAYERPLUGIN_15_0_0_152.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by TOSHIBA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by TOSHIBA
O4 - HKLM\..\Run: [IgfxTray]C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds]C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence]C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TSSSrv]C:\Program Files (x86)\Toshiba\System Setting\TssSrv.exe
O4 - HKLM\..\Run: [TecoResident]C:\Program Files\TOSHIBA\Teco\TecoResident.exe
O4 - HKLM\..\Run: [TCrdMain]C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
O4 - HKLM\..\Run: [ThpSrv]C:\Windows\system32\thpsrv /logon
O4 - HKLM\..\Run: [Logitech Download Assistant]C:\Windows\System32\LogiLDA.dll,LogiFetch
O4 - HKCU\..\Run: [SUPERAntiSpyware]C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinPatrol PLUS]C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe -expressboot
O4 - HKU\..\Run: [AmIcoSinglun64]C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
O4 - HKU\..\Run: [1.TPUReg]C:\Program Files (x86)\Toshiba\PasswordUtility\readLM.exe
O4 - HKU\..\Run: [TSVU]c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe
O4 - HKU\..\Run: [ToshibaAppPlace]C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe
O11 - Options group: [Accelerated graphics] Accelerated graphics - C:\Windows\System32
O11 - Options group: [] -
O23 - Service: SAS Core Service - SUPERAntiSpyware.com - C:\PROGRAM FILES\SUPERANTISPYWARE\SASCORE64.EXE
O23 - Service: Adobe Acrobat Update Service - Adobe Systems Incorporated - C:\PROGRAM FILES (X86)\COMMON FILES\Adobe\ARM\1.0\armsvc.exe
O23 - Service: AtherosSvc - Windows (R) Win 7 DDK provider - C:\PROGRAM FILES (X86)\BLUETOOTH SUITE\ADMINSERVICE.EXE
O23 - Service: Intel(R) Content Protection HECI Service - Intel Corporation - C:\Windows\SysWOW64\INTELCPHECISVC.EXE
O23 - Service: DTS APO Service - DTS, Inc - C:\PROGRAM FILES (X86)\DTS, Inc\DTS STUDIO SOUND\DTS_APO_SERVICE.EXE
O23 - Service: GFNEX Service - Toshiba - C:\PROGRAM FILES (X86)\Toshiba\PASSWORDUTILITY\GFNEXSrv.exe
O23 - Service: Google Update Service (gupdate) - Google Inc. - C:\PROGRAM FILES (X86)\Google\Update\GOOGLEUPDATE.EXE
O23 - Service: Google Update Service (gupdatem) - Google Inc. - C:\PROGRAM FILES (X86)\Google\Update\GOOGLEUPDATE.EXE
O23 - Service: Intel(R) Capability Licensing Service Interface - Intel(R) Corporation - C:\PROGRAM FILES\Intel\ICLS CLIENT\HECISERVER.EXE
O23 - Service: Intel(R) Capability Licensing Service TCP IP Interface - Intel(R) Corporation - C:\PROGRAM FILES\Intel\ICLS CLIENT\SOCKETHECISERVER.EXE
O23 - Service: Intel(R) ME Service - Intel Corporation - C:\PROGRAM FILES (X86)\Intel\INTEL(R) MANAGEMENT ENGINE COMPONENTS\FWSERVICE\INTELMEFWSERVICE.EXE
O23 - Service: Intel(R) Dynamic Application Loader Host Interface Service - Intel Corporation - C:\PROGRAM FILES (X86)\Intel\INTEL(R) MANAGEMENT ENGINE COMPONENTS\DAL\JHI_SERVICE.EXE
O23 - Service: Intel(R) Management and Security Application Local Management Service - Intel Corporation - C:\PROGRAM FILES (X86)\Intel\INTEL(R) MANAGEMENT ENGINE COMPONENTS\LMS\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\PROGRAM FILES (X86)\MALWAREBYTES ANTI-MALWARE\MBAMSCHEDULER.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\PROGRAM FILES (X86)\MALWAREBYTES ANTI-MALWARE\MBAMSERVICE.EXE
O23 - Service: Mozilla Maintenance Service - Mozilla Foundation - C:\PROGRAM FILES (X86)\MOZILLA MAINTENANCE SERVICE\MAINTENANCESERVICE.EXE
O23 - Service: Norton Internet Security - Symantec Corporation - C:\PROGRAM FILES (X86)\NORTON INTERNET SECURITY\Engine\21.5.0.19\nis.exe
O23 - Service: Audio Service - IDT, Inc. - C:\PROGRAM FILES\IDT\WDM\stacsv64.exe
O23 - Service: taisregispinger - Toshiba America Information Systems. - C:\PROGRAM FILES (X86)\Toshiba\TOSHIBAREGISTRATION\TAISREGISTPINGER.EXE
O23 - Service: TOSHIBA HDD Protection - TOSHIBA Corporation - C:\WINDOWS\SYSTEM32\THPSRV.EXE
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\PROGRAM FILES\TOSHIBA\TOSHIBA SERVICE STATION\TMACHINFO.EXE
O23 - Service: TOSHIBA Optical Disc Drive Service - TOSHIBA Corporation - C:\WINDOWS\SYSTEM32\TODDSRV.EXE
O23 - Service: TOSHIBA eco Utility Service - Toshiba Corporation - C:\PROGRAM FILES\TOSHIBA\Teco\TECOSERVICE.EXE

--- Additional WinPatrol Info ---
Default Browser: TOSHIBA eco Utility - TOSHIBA eco Utility Service version 2.0.0.17
MSIE: Internet Explorer (11.00.9600.16384)
Firefox 32.0.2 installed in C:\Program Files (x86)\Mozilla Firefox.
5 IE Cookies in Folder: C:\Users\Karen\AppData\Local\Microsoft\Windows\INetCookies\
244 Mozilla Cookies in Folder: C:\Users\Karen\AppData\Roaming\Mozilla\FireFox\Profiles\ulwtiw2j.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\Windows\system32\cmd.exe


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://

WP31 - Scheduled Tasks: [SUPERAntiSpyware Scheduled Task 4e51cd87-8ff0-4647-8d48-ed050d20c683.job]C:\Program Files\SUPERAntiSpyware\SASTask.exe 09/21/2014 6:24 AM
WP31 - Scheduled Tasks: [SUPERAntiSpyware Scheduled Task 0caebfbb-3493-4e4d-87b7-1dfc8bfe091a.job]C:\Program Files\SUPERAntiSpyware\SASTask.exe Never
WP31 - Scheduled Tasks: [GoogleUpdateTaskMachineUA.job]C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 09/20/2014 6:02 PM
WP31 - Scheduled Tasks: [GoogleUpdateTaskMachineCore.job]C:\Program Files (x86)\Google\Update\GoogleUpdate.exe 09/20/2014 6:02 PM

WP16 - ActiveX: {25336920-03F9-11CF-8FD0-00AA00686F13} [HTML Document] C:\Windows\SysWOW64\mshtml.dll 11.00.9600.16410
WP16 - ActiveX: {2933BF90-7B36-11D2-B20E-00C04F983E60} [XML DOM Document] C:\Windows\System32\msxml3.dll 8.110.9600.16384
WP16 - ActiveX: {55136805-B2DE-11D1-B9F2-00A0C98BC547} [Shell Name Space] C:\Windows\SysWOW64\ieframe.dll 11.00.9600.16412
WP16 - ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} [Shockwave Flash Object] C:\Windows\System32\Macromed\Flash\Flash.ocx 11,8,800,133
WP16 - ActiveX: {05589fa1-c356-11ce-bf01-00aa0055595a} [ActiveMovieControl Object] C:\Windows\System32\wmpdxm.dll 12.0.9600.16384
WP16 - ActiveX: {2272AE7A-0C30-48E1-91DF-F9E666276C0C} [msouplug] C:\PROGRAM FILES (X86)\NORTON INTERNET SECURITY\Engine64\21.5.0.19\msouplug.dll 21.5
WP16 - ActiveX: {52A2AAAE-085D-4187-97EA-8C30DB990436} [HHCtrl Object] C:\Windows\System32\hhctrl.ocx 6.3.9600.16384
WP16 - ActiveX: {54CE37E0-9834-41ae-9896-4DAB69DC022B} [Microsoft RDP Client Control (redistributable) - version 5a] C:\Windows\System32\mstscax.dll 6.3.9600.16384
WP16 - ActiveX: {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} [IEContextMenu Class] C:\PROGRAM FILES (X86)\NORTON INTERNET SECURITY\Engine64\21.5.0.19\navshext.dll 21.5

WP32 - Hidden File: C:\bootmgr
WP32 - Hidden File: C:\BOOTNXT
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\swapfile.sys
WP32 - Hidden File: C:\Windows\WindowsShell.Manifest
WP32 - Hidden File: C:\Windows\System32\api-ms-win-appmodel-identity-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-appmodel-runtime-internal-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-1.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-appmodel-state-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-appmodel-state-l1-1-1.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-base-bootconfig-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-base-util-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-apiquery-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-appcompat-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-appcompat-l1-1-1.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-appinit-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-atoms-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-bem-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-bicltapi-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-bicltapi-l1-1-1.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-biplmapi-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-biplmapi-l1-1-1.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-biptcltapi-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-biptcltapi-l1-1-1.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-calendar-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-com-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-com-l1-1-1.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-com-private-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-comm-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-console-l2-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-crt-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-crt-l2-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-datetime-l1-1-1.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-debug-l1-1-1.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
WP32 - Hidden File: C:\Windows\System32\api-ms-win-core-delayload-l1-1-1.dll

WP33 - File Type .AVI: [Video Clip]C:\Program Files (x86)\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [Windows Batch File]%1 %*
WP33 - File Type .CAB: [Cabinet File]C:\Windows\Explorer.exe /idlist,%I,%L
WP33 - File Type .CAT: [Security Catalog]C:\Windows\system32\rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\Windows\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows Command Script]%1 %*
WP33 - File Type .DOC: [Microsoft Office]C:\PROGRA~2\MICROS~2\Office15\FIRSTRUN.EXE /OEM %1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JavaScript File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\Windows\System32\msiexec.exe /i %1 %*
WP33 - File Type .MSG: [Microsoft Office]C:\PROGRA~2\MICROS~2\Office15\FIRSTRUN.EXE /OEM %1
WP33 - File Type .MID: [MIDI Sequence]C:\Program Files (x86)\Windows Media Player\wmplayer.exe /Open %L
WP33 - File Type .MP3: [MP3 Format Sound]C:\Program Files (x86)\Windows Media Player\wmplayer.exe /prefetch:6 /Open %L
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Document]C:\Program Files (x86)\OpenOffice 4\program\\swriter.exe -o %1
WP33 - File Type .SCR: [Screen saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Windows host process (Rundll32)]C:\Windows\System32\rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .XLS: [Microsoft Office]C:\PROGRA~2\MICROS~2\Office15\FIRSTRUN.EXE /OEM %1

Memory currently in use: 35%
Physical Memory Free: 4,194,303 KB
Paging File Free: 4,194,303 KB
Virtual Memory Free: 1,981,344 KB
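A note on reading the log above, with an added example that is not part of this post or of WinPatrol itself. The "O4" lines (letter O, not zero) are the HijackThis-style section for Run-key autostarts, and "O23" lines are installed services. What a reviewer actually looks at in those sections is not the program name but where the file lives and who signed it: an autostart under Windows or Program Files from a named vendor is ordinary OEM or security software, while one running out of AppData, Temp or ProgramData, or one using a Windows system process name from a non-System32 path, is what malware persistence usually looks like. The script below parses lines in exactly the layout printed above and applies those checks. The sample input is constructed for the example: four lines copied from the log, plus two entries invented here purely to show what a flag looks like (they are not in the poster's log). It says nothing about which OEM utilities are "safe to disable"; that is a convenience question, not a security one, and path heuristics alone are no substitute for verifying the file's signature.

```python
"""Triage O4 (Run-key) and O23 (service) lines from a HijackThis/WinPatrol log."""
import re
from dataclasses import dataclass, field

# Constructed sample (not the poster's log): four lines copied in the same layout as
# the log above, plus two invented entries that show what a flagged line looks like.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray]C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Logitech Download Assistant]C:\Windows\System32\LogiLDA.dll,LogiFetch
O4 - HKCU\..\Run: [WinPatrol PLUS]C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ThpSrv]C:\Windows\system32\thpsrv /logon
O4 - HKCU\..\Run: [Updater]C:\Users\user\AppData\Roaming\svchost.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\PROGRAM FILES (X86)\MALWAREBYTES ANTI-MALWARE\MBAMSERVICE.EXE
O23 - Service: Helper Service - Unknown owner - C:\ProgramData\helper\hlp.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\](?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<cmd>.*)$")
# First token that ends in an executable/script extension, so paths with spaces survive.
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd|vbs|js))(?=[\s,]|$)", re.IGNORECASE)

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\", "\\downloads\\")
# Names that malware commonly borrows; legitimate copies live in System32 (or SysWOW64).
IMPERSONATED = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


@dataclass
class Entry:
    kind: str            # "O4" or "O23"
    name: str            # value name or service display name
    cmd: str             # raw command as logged
    path: str            # executable/DLL path extracted from cmd
    hive: str = ""       # O4 only: HKLM / HKCU / HKU
    vendor: str = ""     # O23 only
    flags: list = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Pull the file path out of a Run-key or service command line."""
    cmd = cmd.strip()
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def parse(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], m["cmd"], extract_path(m["cmd"]), hive=m["hive"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["name"], m["cmd"], extract_path(m["cmd"]), vendor=m["vendor"]))
    return entries


def assess(e: Entry) -> list:
    """Heuristic flags; a clean result is not proof of legitimacy, only absence of red flags."""
    p = e.path.lower()
    flags = []
    if not p.startswith(TRUSTED_ROOTS):
        flags.append("outside Windows/Program Files")
    if any(marker in p for marker in WRITABLE_MARKERS):
        flags.append("user-writable location")
    base = p.rsplit("\\", 1)[-1]
    if base in IMPERSONATED and not p.startswith("c:\\windows\\system32\\"):
        flags.append("system-process name outside System32")
    if e.kind == "O23" and e.vendor.lower() == "unknown owner":
        flags.append("no vendor information")
    return flags


def triage(text: str) -> list:
    entries = parse(text)
    for e in entries:
        e.flags = assess(e)
    return entries


def suspicious(text: str) -> list:
    return [e.name for e in triage(text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4}{e.name:<28}{e.path:<60}{'; '.join(e.flags) or 'ok'}")
```

Run against the O4/O23 section of the log above, nothing trips these rules: every autostart sits under Windows or Program Files and every service names a vendor. That matches the "log looks fine" reply further down, but it only answers the security question; the startup-impact question (which of the Toshiba utilities you can live without) is a judgement call, and the stronger check for any entry you are unsure of is to verify its Authenticode signature rather than trust the path.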
 
No one is helping me? I did a restore of my laptop but find stuff on it that should have been wiped out. How do I clean all of that up and is anyone going to analyze my log?
 
Log looks fine as far as I can tell.

What exactly do you mean by "stuff that should have been wiped out" ?

Firstly, ditch Norton and switch to something like Avira, Avast!, or BitDefender Free. If you insist on paying for an AV, then go with Kaspersky, BitDefenderPro, or ESET. All are better choices than Norton.

Secondly, run a scan with Malwarebytes Antimalware. Post the log here.

Thirdly, run TDSSKiller and Panda Anti-Rootkit. Post results here.
 
Thank you for replying. I am just running the Norton free 30 day trial and have no intentions of purchasing it. I don't like Norton at all. Just using it for now due to my computer being hacked. In all my years of owning a computer, I have never been hacked like that before until this stupid laptop was purchased. I am planning on purchasing something other than what I currently have, which is Malwarebytes and SUPERAntiSpyware and WinPatrol.

The virus or trojan was found by Malwarebytes, but it linked itself to it on reboot and crashed my laptop.

Again, thank you.
 
When I did a complete restore and I looked up things that had been on the laptop previously, they came up. That is what I mean by things not being wiped out. I pulled up contacts from google and even photos that I had downloaded before the restoration that should have been wiped out.
 
MBAM isn't an AV.

Avira, Avast, or BitDefender Free are all good free AV's.

Never heard of WinPatrol.
When I did a complete restore and I looked up things that had been on the laptop previously, they came up. That is what I mean by things not being wiped out. I pulled up contacts from google and even photos that I had downloaded before the restoration that should have been wiped out.
Do you have it set to Sync automatically?

Sent from my Nexus 7 using Tapatalk
 
I don't believe I have it set to sync automatically. WinPatrol is what I used to post the log from the original post. It is a 'start up' application that lets you know when a program is wanting to start up without you knowing it. I have several things running on this laptop that I am sure do not need to be running, but am a bit ignorant in disabling them at this point.
 