BleepingComputer.com: Vista Home Security Lockdown


#16 oneof4 (Group: Malware Study Hall Senior)

Posted 25 April 2011 - 06:00 AM

Hello Desent :)

Since it appears to maybe be isolated to Firefox, let's try this:

How to start Firefox in Safe Mode

At the top of the Firefox window, click the Firefox button, go over to the Help menu and select Restart with Add-ons Disabled.... Firefox will start up with the Firefox Safe Mode dialog.

You now have three options:

  • Clicking the Exit button cancels your attempt to get into Firefox's Safe Mode.

  • Clicking the Continue In Safe Mode button starts Firefox in its Safe Mode. While you are in Safe Mode, your extensions and themes will be disabled, and any toolbar customizations will be reverted back to their defaults. These changes are not permanent - when you leave Safe Mode and start Firefox up normally, your extensions, themes, and settings will return to the state they were in before you entered Safe Mode. (This is the one to choose)

  • The Make Changes and Restart button is only enabled if you select one of the boxes above it, and those are permanent changes.


Now, browse FF and see if you get redirected.
Best Regards,
oneof4.

#17 oneof4 (Group: Malware Study Hall Senior)

Posted 29 April 2011 - 06:59 AM

Hello Desent, are you still with us?
Best Regards,
oneof4.

#18 Elise (Group: Malware Study Hall Admin)

Posted 03 May 2011 - 06:33 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
regards, Elise

#19 Andrew (Group: Moderator)

Posted 09 May 2011 - 05:39 PM

Reopened by OP request.

#20 oneof4 (Group: Malware Study Hall Senior)

Posted 09 May 2011 - 10:06 PM

Hello Desent, Welcome back!

Please follow my instructions in post #16.
Best Regards,
oneof4.

#21 oneof4 (Group: Malware Study Hall Senior)

Posted 12 May 2011 - 05:01 PM

Calling Desent... are you there?
Best Regards,
oneof4.

#22 Desent (Group: Members)

Posted 14 May 2011 - 03:28 PM

So I restarted FF in Safe Mode and am no longer redirected. However, a more concerning concern is the fact that Vista Home Security has been coming back. As soon as it came back the first and second times, I ran ComboFix. It hasn't come back yet, but it probably will. I also could not run a GMER scan; I would BSoD and my computer would restart part-way through. I was not able to look at the error message for long enough to see what it was. Do you want me to do it again?

Attached File(s): DDS.txt (13.12K), Attach.txt (14.26K)


#23 oneof4 (Group: Malware Study Hall Senior)

Posted 16 May 2011 - 09:30 AM

Hi :)

You mention that you have re-run ComboFix to deal with the recurrence of Vista Home Security; could you please copy and paste those logs into a reply.
Best Regards,
oneof4.

#24 Desent (Group: Members)

Posted 16 May 2011 - 05:04 PM

ComboFix 11-04-20.04 - Desent 04/21/2011 8:54.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1014.334 [GMT -4:00]
Running from: c:\users\Desent\Desktop\ComboFix.exe
Command switches used :: c:\users\Desent\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Desent\AppData\Roaming\Adobe\AdobeUpdate .exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-21 13:18 . 2011-04-21 13:19 -------- d-----w- c:\users\Desent\AppData\Local\temp
2011-04-21 13:18 . 2011-04-21 13:18 -------- d-----w- c:\users\Mommy\AppData\Local\temp
2011-04-21 13:18 . 2011-04-21 13:18 -------- d-----w- c:\users\Mommy.Desent-PC\AppData\Local\temp
2011-04-21 13:18 . 2011-04-21 13:18 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-04-21 13:18 . 2011-04-21 13:18 -------- d-----w- c:\users\Guest.Desent-PC\AppData\Local\temp
2011-04-21 13:18 . 2011-04-21 13:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-21 13:18 . 2011-04-21 13:18 -------- d-----w- c:\users\Benjamin\AppData\Local\temp
2011-04-21 13:18 . 2011-04-21 13:18 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-04-19 20:04 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EED5E07A-E162-4FBC-A909-25D235D6378C}\mpengine.dll
2011-04-19 00:43 . 2011-04-19 00:43 -------- d-----w- c:\program files\TurboGo
2011-04-16 19:12 . 2011-04-16 19:15 -------- d-----w- c:\users\Desent\AppData\Local\ChemTable Software
2011-04-16 19:08 . 2011-04-16 19:08 -------- d-----w- c:\users\Desent\AppData\Roaming\ChemTable Software
2011-04-16 19:05 . 2011-04-16 19:06 -------- d-----w- c:\program files\Registry Life
2011-04-16 17:10 . 2011-04-16 18:02 -------- d-----w- c:\users\Desent\AppData\Local\Promosoft Corporation
2011-04-15 23:17 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-15 23:17 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-15 23:17 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-15 23:17 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-04-15 23:16 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-15 23:16 . 2011-02-18 14:03 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-15 23:16 . 2011-02-18 14:03 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-15 23:16 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-15 23:16 . 2011-02-22 13:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-15 23:16 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-15 23:16 . 2011-02-22 13:23 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-15 23:16 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-15 23:15 . 2011-03-02 15:44 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-15 23:15 . 2009-05-04 09:59 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-15 23:06 . 2011-02-18 16:38 834048 ----a-w- c:\windows\system32\wininet.dll
2011-04-15 23:06 . 2011-02-18 14:49 389632 ----a-w- c:\windows\system32\html.iec
2011-04-15 23:06 . 2011-02-18 15:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-15 23:06 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-04-15 23:05 . 2011-02-16 16:21 430080 ----a-w- c:\windows\system32\vbscript.dll
2011-04-15 23:05 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-15 22:15 . 2011-04-15 22:15 -------- d-----w- c:\users\Desent\AppData\Local\Tific
2011-04-07 21:42 . 2008-01-02 21:33 172032 ----a-w- c:\windows\system32\igfxres.dll
2011-03-30 22:59 . 2011-03-30 22:59 -------- d-----w- c:\users\Desent\AppData\Roaming\Avira
2011-03-30 22:56 . 2011-03-04 20:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-30 22:56 . 2011-03-04 18:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-30 22:56 . 2011-03-30 22:56 -------- d-----w- c:\programdata\Avira
2011-03-30 22:56 . 2011-03-30 22:56 -------- d-----w- c:\program files\Avira
2011-03-27 02:10 . 2011-03-27 02:10 -------- d-----w- c:\users\Desent\AppData\Roaming\Tific
2011-03-24 19:37 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-24 19:37 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-24 19:37 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-24 19:37 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-24 19:37 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-24 19:37 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-24 19:37 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-24 19:37 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-23 21:23 . 2011-03-23 21:24 -------- d-----w- c:\users\Mommy.Desent-PC\AppData\Local\Tific
2011-03-23 21:23 . 2011-03-23 21:23 -------- d-----w- c:\users\Mommy.Desent-PC\AppData\Roaming\Tific
2011-03-23 21:20 . 2011-03-23 21:20 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup
2011-03-23 21:20 . 2011-03-23 21:20 -------- d-----w- c:\programdata\Norton
2011-03-23 21:19 . 2011-03-23 21:19 -------- d-----w- c:\program files\NortonInstaller
2011-03-23 09:16 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 09:16 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 09:16 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 02:59 . 2011-02-18 02:59 217207 ----a-w- c:\programdata\SPL6AB4.tmp
2011-02-03 01:40 . 2011-03-19 18:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 22:11 . 2009-10-03 21:37 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-26 20:27 . 2011-01-26 20:27 0 ----a-w- c:\users\Desent\AppData\Local\Jwepujili.bin
2011-03-18 17:53 . 2011-03-24 19:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-01-04 22:03 . 2008-09-20 00:36 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-23 894248]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"NDSTray.exe"="NDSTray.exe" [BU]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-01-04 30192]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-14 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"IKB"="c:\program files\Bigler\IKB\IKB.EXE" [2008-12-24 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"DLCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2006-10-20 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-12-3 394856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2011-01-04 30192]
R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-11-05 271856]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-11-05 218608]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-04-26 3735920]
R3 NUVision;NUVision II Video Service;c:\windows\system32\DRIVERS\nuvvid2.sys [2001-10-29 153760]
R3 TDEIO;TDEIO;c:\windows\SYSTEM32\SYSPREP\tdeio.sys [2006-09-19 16512]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
S2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe [2007-03-01 538096]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [2011-03-23 120248]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [2009-08-24 126392]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-06-01 252416]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\User_Feed_Synchronization-{56B07168-9376-4757-853C-985F8FAC14D3}.job
- c:\windows\system32\msfeedssync.exe [2008-05-14 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Desent\AppData\Roaming\Mozilla\Firefox\Profiles\rd5k2p82.default\
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Performance Center - c:\program files\Ascentive\Performance Center\APCMain.exe
AddRemove-Playsushi - c:\program files\PlaySushi\psuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-21 09:19
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????@??b?R??? Q???Q?@?Q?X?Q?p?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-04-21 09:29:42
ComboFix-quarantined-files.txt 2011-04-21 13:29
ComboFix2.txt 2011-04-15 21:32
.
Pre-Run: 45,933,920,256 bytes free
Post-Run: 44,460,396,544 bytes free
.
- - End Of File - - 68107E81E965139B86F680B96A41B9A4

#25 oneof4 (Group: Malware Study Hall Senior)

Posted 17 May 2011 - 06:57 AM

Hello Desent :)

The CF log you provided is the first one you ran back on 4/21/11. If you have re-run CF since then, there should be additional logs in the C:\Qoobox folder; they will appear like the following example, depending upon how many additional runs you made:

C:\qoobox\ComboFix2.txt 2009-12-29 17:07:26
C:\qoobox\ComboFix3.txt 2009-12-27 20:42:53
C:\qoobox\ComboFix4.txt 2009-12-27 15:56:10
C:\qoobox\ComboFix5.txt 2009-12-27 15:33:58

What I would like to see are the logs created after the one from 4/21/11.
Best Regards,
oneof4.

#26 Desent (Group: Members)

Posted 17 May 2011 - 04:14 PM

ComboFix 11-05-06.02 - Desent 05/06/2011 16:51:26.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1014.284 [GMT -4:00]
Running from: c:\users\Desent\Desktop\ComboFix.com
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Desent\AppData\Local\bag.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))
.
.
2011-05-06 21:13 . 2011-05-06 21:14 -------- d-----w- c:\users\Desent\AppData\Local\temp
2011-05-06 21:13 . 2011-05-06 21:13 -------- d-----w- c:\users\Mommy\AppData\Local\temp
2011-05-06 21:13 . 2011-05-06 21:13 -------- d-----w- c:\users\Mommy.Desent-PC\AppData\Local\temp
2011-05-06 21:13 . 2011-05-06 21:13 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-05-06 21:13 . 2011-05-06 21:13 -------- d-----w- c:\users\Guest.Desent-PC\AppData\Local\temp
2011-05-06 21:13 . 2011-05-06 21:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-06 21:13 . 2011-05-06 21:13 -------- d-----w- c:\users\Benjamin\AppData\Local\temp
2011-05-06 21:13 . 2011-05-06 21:13 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-05-06 12:42 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{310B2DAB-CD3E-4784-A87E-8CD1B8BF4FFA}\mpengine.dll
2011-04-27 11:26 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 11:26 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 11:25 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-19 00:43 . 2011-04-19 00:43 -------- d-----w- c:\program files\TurboGo
2011-04-16 19:12 . 2011-04-16 19:15 -------- d-----w- c:\users\Desent\AppData\Local\ChemTable Software
2011-04-16 19:08 . 2011-04-16 19:08 -------- d-----w- c:\users\Desent\AppData\Roaming\ChemTable Software
2011-04-16 19:05 . 2011-04-16 19:06 -------- d-----w- c:\program files\Registry Life
2011-04-16 17:10 . 2011-04-16 18:02 -------- d-----w- c:\users\Desent\AppData\Local\Promosoft Corporation
2011-04-15 23:17 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-15 23:17 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-15 23:17 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-15 23:17 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-04-15 23:16 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-15 23:16 . 2011-02-18 14:03 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-15 23:16 . 2011-02-18 14:03 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-15 23:16 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-15 23:16 . 2011-02-22 13:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-15 23:16 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-15 23:16 . 2011-02-22 13:23 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-15 23:16 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-15 23:15 . 2011-03-02 15:44 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-15 23:15 . 2009-05-04 09:59 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-15 23:06 . 2011-02-18 16:38 834048 ----a-w- c:\windows\system32\wininet.dll
2011-04-15 23:06 . 2011-02-18 14:49 389632 ----a-w- c:\windows\system32\html.iec
2011-04-15 23:06 . 2011-02-18 15:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-15 23:06 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-04-15 23:05 . 2011-02-16 16:21 430080 ----a-w- c:\windows\system32\vbscript.dll
2011-04-15 23:05 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-15 22:15 . 2011-04-22 19:34 -------- d-----w- c:\users\Desent\AppData\Local\Tific
2011-04-07 21:42 . 2008-01-02 21:33 172032 ----a-w- c:\windows\system32\igfxres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-04 20:11 . 2011-03-30 22:56 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-04 18:37 . 2011-03-30 22:56 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-03 15:40 . 2011-04-27 11:26 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 11:26 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 11:26 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 11:26 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-02-22 14:13 . 2011-03-23 09:16 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 09:16 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 09:16 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-18 02:59 . 2011-02-18 02:59 217207 ----a-w- c:\programdata\SPL6AB4.tmp
2011-04-29 00:57 . 2011-03-24 19:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-01-04 22:03 . 2008-09-20 00:36 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-05-18 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-19 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-23 894248]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"NDSTray.exe"="NDSTray.exe" [BU]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-01-04 30192]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-05-04 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-14 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"IKB"="c:\program files\Bigler\IKB\IKB.EXE" [2008-12-24 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"DLCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2006-10-20 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
c:\users\Benjamin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Mommy.Desent-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-12-3 394856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2011-01-04 30192]
R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-11-05 271856]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-11-05 218608]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-04-26 3735920]
R3 NUVision;NUVision II Video Service;c:\windows\system32\DRIVERS\nuvvid2.sys [2001-10-29 153760]
R3 TDEIO;TDEIO;c:\windows\SYSTEM32\SYSPREP\tdeio.sys [2006-09-19 16512]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-28 136360]
S2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe [2007-03-01 538096]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\SymcPCCULaunchSvc.exe [2011-03-23 120248]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe [2009-08-24 126392]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-06-01 252416]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-06 c:\windows\Tasks\User_Feed_Synchronization-{56B07168-9376-4757-853C-985F8FAC14D3}.job
- c:\windows\system32\msfeedssync.exe [2008-05-14 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Desent\AppData\Roaming\Mozilla\Firefox\Profiles\rd5k2p82.default\
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-06 17:14
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????@??b?R??? Q???Q?@?Q?X?Q?p?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-05-06 17:25:29
ComboFix-quarantined-files.txt 2011-05-06 21:25
ComboFix2.txt 2011-04-21 13:29
ComboFix3.txt 2011-04-15 21:32
.
Pre-Run: 49,094,062,080 bytes free
Post-Run: 48,890,974,208 bytes free
.
- - End Of File - - 98D01FAB90C7541ABCDD4A6E4C8098A5
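The log above ends with the places a reviewer checks first when hunting a redirect: the `AppInit_DLLs` value (a DLL loaded into every process that loads user32.dll), a Security Center `DisableMonitoring` flag (which silences the "antivirus not running" alert for that product), a Winsock LSP (which sees all socket traffic), and the two autostart values catchme lists as hidden. In this log those point at Google Desktop, McAfee, the Parental Controls LSP (wpclsp.dll) and printer/OEM software, which is something to verify rather than assume. The following is an added triage helper, not part of the thread and not a ComboFix or BleepingComputer tool: it parses the line conventions visible in the log (R/S service lines, bracketed registry dumps, the `LSP:` line, catchme's "hidden autostart entries" section) and returns the items worth a second look. The sample text is an excerpt constructed from the log above with the trailing `?` runs shortened; the interpretation of the R/S letter as running/stopped and the digit as the service start type is ComboFix's convention.

```python
"""Triage helper for a ComboFix-style log (added example, not the tool's code).

Reports the hook points a reviewer looks at first; it does not decide whether
anything is malicious.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Service lines: R = running, S = stopped; digit = start type (ComboFix convention).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$"
)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
LSP_RE = re.compile(r"^LSP:\s+(?P<path>.+)$")
AUTOSTART_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<value>.+)$")

START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
EXEC_EXTENSIONS = {".exe", ".sys", ".dll"}


def _extension(path):
    basename = path.rsplit("\\", 1)[-1]
    return "." + basename.rsplit(".", 1)[-1].lower() if "." in basename else ""


def triage(log_text):
    findings = []
    current_key = None          # last [HKEY_...] key or catchme HK... line seen
    in_hidden_autostart = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        # catchme section: everything between these two markers is a hidden autostart
        if line.startswith("scanning hidden autostart entries"):
            in_hidden_autostart = True
            continue
        if line.startswith("scanning hidden files"):
            in_hidden_autostart = False
            continue
        if in_hidden_autostart:
            if line.upper().startswith("HK"):
                current_key = line
                continue
            m = AUTOSTART_RE.match(line)
            if m:
                value = m.group("value")
                clean = value.rstrip("?")   # catchme prints unprintable tail bytes as '?'
                note = " (trailing unprintable bytes dropped)" if clean != value else ""
                findings.append(Finding(
                    "hidden_autostart",
                    f"{current_key}\\{m.group('name').strip()} -> {clean}{note}"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, value = m.group("name").lower(), m.group("value").strip()
            if name == "appinit_dlls" and value:
                findings.append(Finding("appinit_dll", value))
            elif (name == "disablemonitoring" and "security center" in current_key.lower()
                  and value.lower() == "dword:00000001"):
                findings.append(Finding("security_center_monitoring_off",
                                        current_key.rsplit("\\", 1)[-1]))
            continue
        m = LSP_RE.match(line)
        if m:
            findings.append(Finding("winsock_lsp", m.group("path")))
            continue
        m = SERVICE_RE.match(line)
        if m and _extension(m.group("path")) not in EXEC_EXTENSIONS:
            state = "running" if m.group("state") == "R" else "stopped"
            findings.append(Finding(
                "odd_service_binary",
                f"{m.group('name')} ({state}, {START_TYPE[m.group('start')]} start) -> {m.group('path')}"))
    return findings


# Excerpt constructed from the log above (trailing '?' runs shortened).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-04-26 3735920]
R3 TDEIO;TDEIO;c:\windows\SYSTEM32\SYSPREP\tdeio.sys [2006-09-19 16512]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-28 136360]
.
LSP: c:\windows\system32\wpclsp.dll
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????
.
scanning hidden files ...
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32s} {f.detail}")
```

Each finding is a place to look, not a verdict: the next step for every path listed is to check the file's signer and hash, and for the Security Center flag to confirm that the named product is actually the one that set it.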

#27 oneof4

Posted 22 May 2011 - 09:29 PM

Hello Desent :)

Since your redirects seem isolated to Firefox, let's try this:

  • Disable all of your plug-ins (Click the Firefox tab at the top left corner, then choose Add-ons. Click Plugins and go through and Disable each one, except for the first one.)
  • Now perform 7-10 searches; if there are no redirects, go and enable the next Add-on in the list.
  • Repeat this process until you find the Add-on that's causing the redirects.

Best Regards,
oneof4.

#28 oneof4

Posted 26 May 2011 - 05:17 PM

Desent, are you still with me?
Best Regards,
oneof4.

#29 Elise

  • Group: Malware Study Hall Admin
  • Posts: 38,999
  • Joined: 05-October 07
  • Location: Romania

Posted 30 May 2011 - 05:57 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton