
Infected with Mal/Generic-A


  • This topic is locked
25 replies to this topic

#1 jlcardinal

jlcardinal

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:16 PM

Posted 08 July 2009 - 01:44 AM

Hello! Thank you, first and foremost, for giving your time and effort on this forum.

My computer (Toshiba laptop) seems to have been infected with at least 3 instances of Mal/Generic-A, as defined by Sophos antivirus. Sophos will not allow me to delete or move these files. I tried viewing my hidden files then using Autoruns to locate the infected files, but I couldn't find them even then. I'm getting popups and annoying music/advertisements running in the background, which I can temporarily stop by ending some processes in Task Manager. I attempted to download ComboFix so that I could be prepared if you asked me to run it, but it won't install on my Vista machine--I keep getting a "this program has stopped working" message.

Below, please find the text of the DDS.txt report:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Jess at 2:24:32.60 on Wed 07/08/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.527 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ccxgui\ccXservice.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Cobian Backup 9\cbService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jess\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Aim6]
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\users\jess\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] \HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Cobian Backup 9 interface] "c:\program files\cobian backup 9\cbInterface.exe" -service
StartupFolder: c:\users\jess\appdata\roaming\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\users\jess\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.78,85.255.112.12
TCP: {2920D28E-BF28-4317-8E35-64B89AD730E7} = 85.255.112.78,85.255.112.12
TCP: {80C19AD3-6BD1-47A0-8571-215C4728777F} = 85.255.112.78,85.255.112.12
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\jess\appdata\roaming\mozilla\firefox\profiles\ue6zemqa.default\
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\jess\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2009-2-26 93192]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 20288]

=============== Created Last 30 ================

2009-07-08 02:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-08 01:33 <DIR> --d----- c:\programdata\Cobian
2009-07-08 01:33 <DIR> --d----- c:\progra~2\Cobian
2009-07-08 01:32 <DIR> --d----- c:\program files\Cobian Backup 9
2009-06-30 23:04 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-06-30 23:01 <DIR> --d--r-- c:\program files\Skype
2009-06-30 23:01 <DIR> --d----- c:\programdata\Skype
2009-06-28 11:07 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-28 11:07 97,800 a------- c:\windows\system32\infocardapi.dll
2009-06-28 11:07 622,080 a------- c:\windows\system32\icardagt.exe
2009-06-28 11:07 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-06-28 11:07 11,264 a------- c:\windows\system32\icardres.dll
2009-06-28 11:07 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-06-28 11:07 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-06-28 11:07 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-06-27 22:14 96,760 a------- c:\windows\system32\dfshim.dll
2009-06-27 22:14 282,112 a------- c:\windows\system32\mscoree.dll
2009-06-27 22:14 41,984 a------- c:\windows\system32\netfxperf.dll
2009-06-27 22:14 158,720 a------- c:\windows\system32\mscorier.dll
2009-06-27 22:14 83,968 a------- c:\windows\system32\mscories.dll
2009-06-27 22:03 267,647,733 a------- c:\windows\MEMORY.DMP
2009-06-23 23:57 <DIR> --d----- c:\program files\VideoLAN
2009-06-19 00:13 <DIR> --d----- c:\program files\iPod
2009-06-19 00:13 <DIR> --d----- c:\program files\iTunes
2009-06-18 21:20 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-06-18 21:19 <DIR> --d----- c:\program files\common files\DivX Shared
2009-06-18 21:16 <DIR> --d----- c:\programdata\AOL Downloads
2009-06-13 21:03 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-13 21:03 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-13 21:03 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-13 21:03 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-13 21:03 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-09 16:23 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-09 16:23 636,928 a------- c:\windows\system32\localspl.dll
2009-06-09 16:23 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-09 16:23 827,904 a------- c:\windows\system32\wininet.dll
2009-06-09 16:22 389,632 a------- c:\windows\system32\html.iec
2009-06-09 16:22 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-09 16:22 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-06-09 16:22 1,383,424 a------- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-07-07 23:07 20 ----h--- c:\programdata\PKP_DLdu.DAT
2009-07-07 23:07 20 ----h--- c:\progra~2\PKP_DLdu.DAT
2009-07-07 21:17 20 ----h--- c:\programdata\PKP_DLdw.DAT
2009-07-07 21:17 20 ----h--- c:\progra~2\PKP_DLdw.DAT
2009-06-28 13:02 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-06-28 13:02 23,552 a------- c:\windows\system32\sophosboottasks.exe
2009-06-19 00:05 51,200 a------- c:\windows\inf\infpub.dat
2009-06-19 00:05 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-19 00:05 86,016 a------- c:\windows\inf\infstor.dat
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-01 17:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll
2009-01-17 01:35 1,630 a------- c:\users\jess\appdata\roaming\wklnhst.dat
2008-07-07 03:11 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 2:25:15.00 ===============




And attached, you should find the Attach.txt report.

Thank you once again for your assistance with this problem. I can control it temporarily, but I'm not sure what these harmful files can or will do to my computer and I appreciate any help you can offer. Please let me know if you need any other information.

Best,
jlcardinal
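The "Pseudo HJT Report" section of the DDS log above is where a responder looks first: run keys, the system policies, the TCP/IP NameServer entries and AppInit_DLLs. The following triage script is an added example for this thread, not code from DDS, BleepingComputer or the poster; it runs over a few sample lines constructed from the log quoted above and flags the items a reviewer would want to check (a run key with no command, EnableLUA = 0 meaning User Account Control is switched off, statically configured resolvers, and DLLs injected through AppInit_DLLs). The rogue-resolver watchlist is an assumption: it holds one illustrative range covering the 85.255.112.x addresses seen in the log, and in practice would be loaded from a current threat-intelligence feed.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; not part of DDS, BleepingComputer or the
poster's own tooling. Sample lines are constructed from the quoted log, and
the resolver watchlist is an assumption to replace with a live feed.
"""
import ipaddress
import re

# Constructed sample: a subset of the Pseudo HJT Report lines quoted above.
SAMPLE_REPORT = """\
uRun: [TOSCDSPD] c:\\program files\\toshiba\\toscdspd\\TOSCDSPD.exe
uRun: [Aim6]
mRun: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: NameServer = 85.255.112.78,85.255.112.12
TCP: {2920D28E-BF28-4317-8E35-64B89AD730E7} = 85.255.112.78,85.255.112.12
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\\progra~1\\common~1\\skype\\SKYPE4~1.DLL
AppInit_DLLs: c:\\progra~1\\google\\google~1\\goec62~1.dll,c:\\progra~1\\sophos\\sophos~1\\SOPHOS~1.DLL
"""

# ASSUMPTION: an illustrative watchlist of resolver ranges to treat as rogue.
# The single entry covers the addresses seen in the quoted log; a responder
# would populate this from a current threat-intelligence feed.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

RUN_RE = re.compile(r"^(u|m)Run(Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
DNS_RE = re.compile(r"^TCP: (?P<scope>NameServer|\{[0-9A-Fa-f-]+\}) = (?P<ips>[\d.,]+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")


def triage(report_text):
    """Return (severity, message) findings for review, in log order."""
    findings = []
    for line in report_text.splitlines():
        line = line.strip()

        m = RUN_RE.match(line)
        if m:
            if not m.group("cmd"):
                # A run key whose command is gone is a leftover worth noting.
                findings.append(("info", f"run key '{m.group('name')}' has no command (orphaned entry)"))
            elif m.group(2) == "Once":
                findings.append(("info", f"RunOnce entry '{m.group('name')}': {m.group('cmd')}"))
            continue

        m = POLICY_RE.match(line)
        if m and m.group("key") == "EnableLUA" and m.group("val") == "0":
            # EnableLUA = 0 disables User Account Control machine-wide.
            findings.append(("high", "EnableLUA = 0: User Account Control is disabled by policy"))
            continue

        m = DNS_RE.match(line)
        if m:
            for ip_text in m.group("ips").split(","):
                ip = ipaddress.ip_address(ip_text)
                if any(ip in net for net in ROGUE_RESOLVER_RANGES):
                    findings.append(("high", f"{m.group('scope')} resolver {ip} is in a watchlisted range"))
                elif not ip.is_private:
                    # A hard-coded public resolver should be confirmed as the ISP's.
                    findings.append(("medium", f"{m.group('scope')} resolver {ip} is a static public resolver; confirm it belongs to the ISP"))
            continue

        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs are loaded into every process that links user32.dll.
            for dll in m.group("dlls").split(","):
                findings.append(("medium", f"AppInit_DLLs loads {dll.strip()} into GUI processes; verify publisher"))
    return findings


def severity_counts(findings):
    """Summarise findings as a {severity: count} dict."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for severity, message in results:
        print(f"[{severity:6}] {message}")
    print(severity_counts(results))
```

On the sample above the script reports the orphaned `Aim6` run key, the disabled UAC policy, four watchlisted resolver hits (two per TCP interface line) and two AppInit DLLs; a private resolver such as a home router's address produces no finding, which is the behaviour a reviewer wants when the log comes from an ordinary network.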


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:16 AM

Posted 10 July 2009 - 12:42 PM

Hello jlcardinal,

I attempted to download ComboFix so that I could be prepared if you asked me to run it, but it won't install on my Vista machine--I keep getting a "this program has stopped working" message.


Combofix is NOT a toy. You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.

***************


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 13
    Java 6 Update 3
    Java 6 Update 7
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.
***************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

***************

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jlcardinal

jlcardinal
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:01:16 PM

Posted 10 July 2009 - 05:58 PM

Hello SifuMike,

I did not successfully install or run ComboFix and I have removed the install file from my computer.

I have updated Java.

Here are the results of the Security Check:

Results of screen317's Security Check version 0.98.4
Windows Vista Service Pack 1
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
SophosAnti-Virus
Norton360
ECHO is off.
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Java™ 6 Update 14
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Norton360 ccSvcHst.exe is disabled!
Windows Defender MSASCui.exe
Windows Defender MsMpEng.exe is disabled!
Sophos Sophos Anti-Virus SavService.exe
Sophos Sophos Anti-Virus SAVAdminService.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 22 seconds.
`````````End of Log```````````


-------------------------------------------------------------------


Unfortunately, when I installed and tried to run Malwarebytes' Anti-Malware, I got the following message:
"Malwarebytes' Anti-Malware has stopped working.
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

This is the same message I got when I first attempted to install ComboFix and also another anti-spyware program after the incident.

-------------------------------------------------------------------

I ran the DDS program again anyway. Here's the DDS.txt log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Jess at 18:53:28.79 on Fri 07/10/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.912 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ccxgui\ccXservice.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\notepad.exe
C:\Toshiba\IVP\ISM\ivpsvmgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Users\Jess\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Aim6]
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\users\jess\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] \HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\jess\appdata\roaming\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\users\jess\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: NameServer = 85.255.112.78,85.255.112.12
TCP: {2920D28E-BF28-4317-8E35-64B89AD730E7} = 85.255.112.78,85.255.112.12
TCP: {80C19AD3-6BD1-47A0-8571-215C4728777F} = 85.255.112.78,85.255.112.12
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\jess\appdata\roaming\mozilla\firefox\profiles\ue6zemqa.default\
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\jess\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2009-2-26 93192]
R2 ccXgui;ccXgui;c:\program files\ccxgui\ccXservice.exe [2004-4-23 173568]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-28 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-6 24652]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 20288]

=============== Created Last 30 ================

2009-07-10 18:47 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 18:47 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-10 18:47 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-10 18:47 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-10 18:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 02:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-08 01:33 <DIR> --d----- c:\programdata\Cobian
2009-07-08 01:33 <DIR> --d----- c:\progra~2\Cobian
2009-07-08 01:32 <DIR> --d----- c:\program files\Cobian Backup 9
2009-06-30 23:04 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-06-30 23:01 <DIR> --d--r-- c:\program files\Skype
2009-06-30 23:01 <DIR> --d----- c:\programdata\Skype
2009-06-28 11:07 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-28 11:07 97,800 a------- c:\windows\system32\infocardapi.dll
2009-06-28 11:07 622,080 a------- c:\windows\system32\icardagt.exe
2009-06-28 11:07 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-06-28 11:07 11,264 a------- c:\windows\system32\icardres.dll
2009-06-28 11:07 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-06-28 11:07 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-06-28 11:07 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-06-27 22:14 96,760 a------- c:\windows\system32\dfshim.dll
2009-06-27 22:14 282,112 a------- c:\windows\system32\mscoree.dll
2009-06-27 22:14 41,984 a------- c:\windows\system32\netfxperf.dll
2009-06-27 22:14 158,720 a------- c:\windows\system32\mscorier.dll
2009-06-27 22:14 83,968 a------- c:\windows\system32\mscories.dll
2009-06-27 22:03 267,647,733 a------- c:\windows\MEMORY.DMP
2009-06-23 23:57 <DIR> --d----- c:\program files\VideoLAN
2009-06-19 00:13 <DIR> --d----- c:\program files\iPod
2009-06-19 00:13 <DIR> --d----- c:\program files\iTunes
2009-06-18 21:20 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-06-18 21:19 <DIR> --d----- c:\program files\common files\DivX Shared
2009-06-18 21:16 <DIR> --d----- c:\programdata\AOL Downloads
2009-06-13 21:03 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-13 21:03 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-13 21:03 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-13 21:03 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-13 21:03 80,896 a------- c:\windows\system32\MSNP.ax

==================== Find3M ====================

2009-07-10 18:39 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-07 23:07 20 ----h--- c:\programdata\PKP_DLdu.DAT
2009-07-07 23:07 20 ----h--- c:\progra~2\PKP_DLdu.DAT
2009-07-07 21:17 20 ----h--- c:\programdata\PKP_DLdw.DAT
2009-07-07 21:17 20 ----h--- c:\progra~2\PKP_DLdw.DAT
2009-06-28 13:02 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-06-28 13:02 23,552 a------- c:\windows\system32\sophosboottasks.exe
2009-06-19 00:05 51,200 a------- c:\windows\inf\infpub.dat
2009-06-19 00:05 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-19 00:05 86,016 a------- c:\windows\inf\infstor.dat
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-01 17:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-17 01:35 1,630 a------- c:\users\jess\appdata\roaming\wklnhst.dat
2008-07-07 03:11 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:54:02.56 ===============


-------------------------------------------------------------------

And the new Attach.txt file is again attached.

Thank you so much for your help thus far. Please let me know what else I can do.

Best,
JLC




#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 July 2009 - 08:14 PM

Hi,

I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these.
Sophos Anti-Virus or Norton360 Antivirus

***************



If MBAM will not install, please rename the installer mbam-setup.exe. Example: newtool2.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool3.exe, double click newtool3.exe to proceed in running a quick scan.

Edited by SifuMike, 10 July 2009 - 08:14 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - so if you need help, post your problem in the forum.

#5 jlcardinal

jlcardinal
  • Topic Starter

  • Members
  • 13 posts

Posted 10 July 2009 - 09:55 PM

Hello again,

Wow, renaming worked! I ran Malwarebytes' once, deleted a bunch of files, and it told me to reboot. Here's the first log, pre-reboot:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1

7/10/2009 9:51:03 PM
mbam-log-2009-07-10 (21-51-03).txt

Scan type: Quick Scan
Objects scanned: 85756
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 12
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2920d28e-bf28-4317-8e35-64b89ad730e7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2920d28e-bf28-4317-8e35-64b89ad730e7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{80c19ad3-6bd1-47a0-8571-215c4728777f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2920d28e-bf28-4317-8e35-64b89ad730e7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2920d28e-bf28-4317-8e35-64b89ad730e7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{80c19ad3-6bd1-47a0-8571-215c4728777f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2920d28e-bf28-4317-8e35-64b89ad730e7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2920d28e-bf28-4317-8e35-64b89ad730e7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{80c19ad3-6bd1-47a0-8571-215c4728777f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.78,85.255.112.12 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

And the second log, after I rebooted and ran a second scan:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1

7/10/2009 10:08:44 PM
mbam-log-2009-07-10 (22-08-44).txt

Scan type: Quick Scan
Objects scanned: 85085
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

The Trojan.Agent won't seem to leave no matter how many times I reboot, and Sophos is somehow still registering the 3 Mal/Generic-A viruses in Quarantine.

Here's the DDS.txt log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Jess at 22:48:11.88 on Fri 07/10/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.904 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ccxgui\ccXservice.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Malwarebytes' Anti-Malware\newtool3.exe.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Users\Jess\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Aim6]
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\users\jess\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] \HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\jess\appdata\roaming\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\users\jess\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\download
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\jess\appdata\roaming\mozilla\firefox\profiles\ue6zemqa.default\
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\jess\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2009-2-26 93192]
R2 ccXgui;ccXgui;c:\program files\ccxgui\ccXservice.exe [2004-4-23 173568]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-28 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-6 24652]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 20288]

=============== Created Last 30 ================

2009-07-10 21:35 <DIR> --d----- c:\users\jess\appdata\roaming\Malwarebytes
2009-07-10 21:33 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 21:33 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-10 21:33 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-10 21:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 21:33 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-08 02:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-08 01:33 <DIR> --d----- c:\programdata\Cobian
2009-07-08 01:33 <DIR> --d----- c:\progra~2\Cobian
2009-07-08 01:32 <DIR> --d----- c:\program files\Cobian Backup 9
2009-06-30 23:04 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-06-30 23:01 <DIR> --d--r-- c:\program files\Skype
2009-06-30 23:01 <DIR> --d----- c:\programdata\Skype
2009-06-28 11:07 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-28 11:07 97,800 a------- c:\windows\system32\infocardapi.dll
2009-06-28 11:07 622,080 a------- c:\windows\system32\icardagt.exe
2009-06-28 11:07 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-06-28 11:07 11,264 a------- c:\windows\system32\icardres.dll
2009-06-28 11:07 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-06-28 11:07 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-06-28 11:07 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-06-27 22:14 96,760 a------- c:\windows\system32\dfshim.dll
2009-06-27 22:14 282,112 a------- c:\windows\system32\mscoree.dll
2009-06-27 22:14 41,984 a------- c:\windows\system32\netfxperf.dll
2009-06-27 22:14 158,720 a------- c:\windows\system32\mscorier.dll
2009-06-27 22:14 83,968 a------- c:\windows\system32\mscories.dll
2009-06-27 22:03 267,647,733 a------- c:\windows\MEMORY.DMP
2009-06-23 23:57 <DIR> --d----- c:\program files\VideoLAN
2009-06-19 00:13 <DIR> --d----- c:\program files\iPod
2009-06-19 00:13 <DIR> --d----- c:\program files\iTunes
2009-06-18 21:20 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-06-18 21:19 <DIR> --d----- c:\program files\common files\DivX Shared
2009-06-18 21:16 <DIR> --d----- c:\programdata\AOL Downloads
2009-06-13 21:03 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-13 21:03 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-13 21:03 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-13 21:03 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-13 21:03 80,896 a------- c:\windows\system32\MSNP.ax

==================== Find3M ====================

2009-07-10 18:39 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-07 23:07 20 ----h--- c:\programdata\PKP_DLdu.DAT
2009-07-07 23:07 20 ----h--- c:\progra~2\PKP_DLdu.DAT
2009-07-07 21:17 20 ----h--- c:\programdata\PKP_DLdw.DAT
2009-07-07 21:17 20 ----h--- c:\progra~2\PKP_DLdw.DAT
2009-06-28 13:02 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-06-28 13:02 23,552 a------- c:\windows\system32\sophosboottasks.exe
2009-06-19 00:05 51,200 a------- c:\windows\inf\infpub.dat
2009-06-19 00:05 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-19 00:05 86,016 a------- c:\windows\inf\infstor.dat
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-01 17:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-17 01:35 1,630 a------- c:\users\jess\appdata\roaming\wklnhst.dat
2008-07-07 03:11 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:48:46.10 ===============

And the Attach.txt log is attached.

Thank you, once again.




#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 July 2009 - 10:07 PM

Hi jlcardinal,

The Trojan.Agent won't seem to leave no matter how many times I reboot, and Sophos is somehow still registering the 3 Mal/Generic-A viruses in Quarantine.


Anything in the quarantine folder will not hurt you. It was put there by your Sophos antivirus.
You can delete the Quarantined files if you wish.



Database version 2297 is an old database. The latest is Database 2405.
Please update Malwarebytes, run it again and post its log.



Please do this:
1. Download HijackThis here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.
Please post it.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 jlcardinal
  • Topic Starter

Posted 10 July 2009 - 11:50 PM

Hi SifuMike,

I tried to install HijackThis twice, and my computer blue screened both times.

I can't seem to delete the items from Quarantine--they either say "Manual delete required" (except I can't find the files to manually delete them) or the delete fails. I get the "Mal/Generic-A detected" notification popup every time I start my browser.

I updated Malwarebytes' and ran a scan:

Malwarebytes' Anti-Malware 1.38
Database version: 2405
Windows 6.0.6001 Service Pack 1

7/11/2009 12:48:50 AM
mbam-log-2009-07-11 (00-48-50).txt

Scan type: Quick Scan
Objects scanned: 88298
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

I rebooted, scanned again, and got the exact same message.

#8 SifuMike

Posted 11 July 2009 - 12:06 AM

Hi jlcardinal

can't seem to delete the items from Quarantine--they either say "Manual delete required" (except I can't find the files to manually delete them) or the delete fails. I get the "Mal/Generic-A detected" notification popup every time I start my browser.


Don't delete the items in Quarantine. They will not do you any harm there, so leave them for now. When we are done, then you can delete them.

Malware sometimes blocks HijackThis from running.
Navigate to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file.
Select the Rename option from the right-click menu, rename HijackThis.exe to fluffybunny.exe and press Enter.
Scan with HijackThis (fluffybunny.exe) again and post a new HijackThis log.

Edited by SifuMike, 11 July 2009 - 12:07 AM.


#9 jlcardinal
  • Topic Starter

Posted 11 July 2009 - 12:19 AM

Hi,

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:45 AM, on 7/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\newtool3.exe.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe.exe
C:\Windows\system32\igfxsrvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\newtool3.exe.exe" /runcleanupscript
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jess\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ccXgui - [XC]D-Ice - C:\Program Files\ccxgui\ccXservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11151 bytes

Thanks!
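
As an added example from the editor (not something jlcardinal or SifuMike posted, and not HijackThis's own analysis), here is a small Python triage script that parses HijackThis log lines like the ones in the log above and lists the entries a helper would normally look at first: services with no recorded publisher or a missing binary, autorun entries with a double extension, AppInit_DLLs entries, and hosts-file mappings that point anywhere other than localhost. The sample log is constructed from a few lines in the shape of that log; the flagging rules and the names parse_hjt, triage and report are the editor's assumptions.

```python
"""Added triage helper for HijackThis (HJT) log lines.

Editor's assumptions, not HijackThis's: the rules below pick out lines a
reviewer should look at first. A flagged line is a prompt to check the
publisher and path by hand, not a verdict that the machine is infected.
"""
import re
from collections import defaultdict

# Constructed sample, shaped like the HJT log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\Windows\Explorer.EXE

O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\newtool3.exe.exe" /runcleanupscript
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
"""

# HJT entry lines start with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_hjt(text):
    """Return (code, body) for every HJT entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Map a review reason to the entry bodies that triggered it."""
    flagged = defaultdict(list)
    for code, body in entries:
        # Services with no recorded publisher or a missing binary are a common
        # place to find leftovers, whether malicious or just uninstalled software.
        if code == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            flagged["service: unknown owner or missing binary"].append(body)
        # A double extension in an autorun entry is worth a look; in the sample it
        # is only the renamed cleanup tool, which is why a human confirms each flag.
        if code == "O4" and re.search(r"\.exe\.exe\b", body, re.IGNORECASE):
            flagged["autorun: double extension"].append(body)
        # AppInit_DLLs loads a DLL into every process that uses user32.dll,
        # so every entry here deserves a publisher check.
        if code == "O20":
            flagged["AppInit_DLLs injection point"].append(body)
        # Hosts entries that map anything other than localhost redirect traffic,
        # a classic way of blocking antivirus updates.
        if code == "O1":
            parts = body.split()  # "Hosts:", address, hostname
            if len(parts) >= 3 and parts[2].lower() != "localhost":
                flagged["hosts: non-localhost mapping"].append(body)
    return dict(flagged)


def report(text):
    """Parse a full HJT log, print the flagged entries and return the triage dict."""
    flags = triage(parse_hjt(text))
    for reason, bodies in flags.items():
        print(f"[{reason}]")
        for body in bodies:
            print("   ", body)
    return flags


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against the constructed sample, the script flags the two "Unknown owner" services, the renamed Malwarebytes binary and the AppInit_DLLs line, and nothing for the hosts entry. Each flag still needs the manual publisher and path check that SifuMike does by eye; the script only shortens the list.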

#10 SifuMike

Posted 11 July 2009 - 12:32 AM

Hi jlcardinal,

I can see you have a nasty rootkit so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Sophos Anti-Virus and Windows Defender before running ComboFix, as they will prevent it from running.

Turning protection on or off for the computer
CAUTION:
If you turn protection off, Sophos Anti-Virus does not scan files that you access for threats.
Note: You need to be a member of the SophosAdministrator group to turn protection on or off for a computer.

On the Configure menu, click On-access scanning.
In the On-access scan settings for this computer dialog box, click the Scanning tab.
To turn on-access scanning on for the computer, select Enable on-access scanning for this computer, and click OK. The Sophos Anti-Virus system tray icon turns blue.


To turn on-access scanning off for the computer, deselect Enable on-access scanning for this computer, and click OK. The Sophos Anti-Virus system tray icon turns gray.

In the Sophos Anti-Virus window, the Status menu is updated.

Note: Sophos Anti-Virus retains the settings you make here, even after you restart the computer. If you have turned on-access scanning off, it remains inactive until you turn it on again.

Note: If you turn on-access protection off, you can still run on-demand scans of your computer.


To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#11 jlcardinal
  • Topic Starter

Posted 11 July 2009 - 10:33 PM

I apologize for taking a while to respond. My father broke his ankle this morning.

Here is my ComboFix log. I renamed the .exe file before running it because I remembered the earlier problems I had getting programs like this to run.

ComboFix 09-07-09.08 - Jess 07/11/2009 23:18.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.872 [GMT -4:00]
Running from: c:\users\Jess\Desktop\barkbark.exe.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2579673529-246469682-3012347828-500
c:\$recycle.bin\S-1-5-21-354487639-2530530519-2641530526-500
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\drivers\MSIVXxfpcsmtgvqteqriraeutgqceytefcwdm.sys
c:\windows\system32\MSIVXcskwvewbsmuixydxtpvjnrqwjqwiuxrv.dll
c:\windows\system32\MSIVXviqrqlprjmpnqsmxxwbbnpdoocqehtpc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-12 03:25 . 2009-07-12 03:25 -------- d-----w- c:\users\Jess\AppData\Local\temp
2009-07-11 04:26 . 2009-07-11 04:26 -------- d-----w- c:\program files\Trend Micro
2009-07-11 01:35 . 2009-07-11 01:35 -------- d-----w- c:\users\Jess\AppData\Roaming\Malwarebytes
2009-07-11 01:33 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 01:33 . 2009-07-11 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 01:33 . 2009-07-11 01:33 -------- d-----w- c:\programdata\Malwarebytes
2009-07-11 01:33 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 23:53 . 2009-07-09 01:37 680 ----a-w- c:\users\Jess\AppData\Local\d3d9caps.dat
2009-07-08 06:02 . 2009-07-08 06:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-08 05:33 . 2009-07-08 05:33 -------- d-----w- c:\programdata\Cobian
2009-07-08 05:32 . 2009-07-10 22:31 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-08 01:31 . 2009-07-08 01:31 -------- d-----w- c:\windows\Sun
2009-07-01 13:46 . 2009-07-01 13:46 69632 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\ispsheet.dll
2009-07-01 13:46 . 2009-07-01 13:46 499712 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\auadapter.dll
2009-07-01 13:46 . 2009-07-01 13:46 245760 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\almon.exe
2009-07-01 13:46 . 2009-07-01 13:46 184320 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\eecustomactions.dll
2009-07-01 13:46 . 2009-07-01 13:46 172032 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\channelupdater.dll
2009-07-01 13:46 . 2009-07-01 13:46 172032 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\alsvc.exe
2009-07-01 13:46 . 2009-07-01 13:46 663552 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\alupdate.exe
2009-07-01 13:46 . 2009-07-01 13:46 90112 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\instlmgr.dll
2009-07-01 13:46 . 2009-07-01 13:46 208896 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\setup.dll
2009-07-01 13:46 . 2009-07-01 13:46 253952 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\sauconfigdll.dll
2009-07-01 03:04 . 2009-07-01 03:04 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-01 03:04 . 2009-07-09 22:26 -------- d-----w- c:\users\Jess\AppData\Roaming\skypePM
2009-07-01 03:02 . 2009-07-09 22:54 -------- d-----w- c:\users\Jess\AppData\Roaming\Skype
2009-07-01 03:01 . 2009-07-01 03:01 -------- d-----w- c:\program files\Common Files\Skype
2009-07-01 03:01 . 2009-07-01 03:01 -------- d-----r- c:\program files\Skype
2009-07-01 03:01 . 2009-07-01 03:01 -------- d-----w- c:\programdata\Skype
2009-06-28 23:55 . 2009-06-28 23:55 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-06-28 23:54 . 2009-06-28 23:54 746744 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-28 23:54 . 2009-06-28 23:54 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-06-28 17:01 . 2009-06-28 17:01 80936 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\tempsavxp\program files\sophos\sophos anti-virus\savadminservice.exe
2009-06-28 17:01 . 2009-06-28 17:01 80936 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\savadminservice.exe
2009-06-28 17:01 . 2009-06-28 17:01 675840 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\tempsavxp\program files\sophos\sophos anti-virus\module retargetable folder\savadapter.dll
2009-06-28 17:01 . 2009-06-28 17:01 675840 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\module retargetable folder\savadapter.dll
2009-06-28 17:01 . 2009-06-28 17:01 1189888 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\tempsavxp\program files\sophos\sophos anti-virus\savshellextia64.dll
2009-06-28 17:01 . 2009-06-28 17:01 1189888 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\savshellextia64.dll
2009-06-28 17:01 . 2009-06-28 17:01 90112 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\tempsavxp\program files\sophos\sophos anti-virus\module retargetable folder\componentmanager.dll
2009-06-28 17:01 . 2009-06-28 17:01 90112 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\module retargetable folder\componentmanager.dll
2009-06-28 15:07 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-28 15:07 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-06-28 15:07 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-06-28 15:07 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-06-28 15:07 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-06-28 15:07 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-06-28 15:07 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-06-28 02:14 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-06-28 02:14 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-06-28 02:14 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-06-28 02:14 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-06-28 02:14 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-06-24 03:58 . 2009-06-24 04:26 -------- d-----w- c:\users\Jess\AppData\Roaming\vlc
2009-06-24 03:57 . 2009-06-24 03:57 -------- d-----w- c:\program files\VideoLAN
2009-06-19 04:13 . 2009-06-19 04:13 -------- d-----w- c:\program files\iPod
2009-06-19 04:13 . 2009-06-19 04:13 -------- d-----w- c:\program files\iTunes
2009-06-19 04:10 . 2009-06-19 04:10 -------- d-----w- c:\program files\QuickTime
2009-06-19 03:55 . 2009-06-19 03:55 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-19 01:20 . 2009-06-19 01:20 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-06-19 01:19 . 2009-06-19 01:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-14 01:03 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-14 01:03 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-11 01:23 . 2008-08-30 02:44 -------- d-----w- c:\users\Jess\AppData\Roaming\uTorrent
2009-07-11 01:23 . 2008-02-19 03:14 -------- d-----w- c:\programdata\Symantec
2009-07-11 01:23 . 2008-02-19 03:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-10 22:39 . 2009-02-01 00:22 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-10 22:30 . 2008-02-19 03:05 -------- d-----w- c:\program files\Java
2009-07-08 03:07 . 2009-01-19 15:34 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2009-07-08 01:17 . 2009-01-19 15:37 20 ---h--w- c:\programdata\PKP_DLdw.DAT
2009-06-29 01:05 . 2009-03-01 22:46 1 ----a-w- c:\users\Jess\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-22 03:34 . 2009-02-12 06:20 -------- d-----w- c:\users\Jess\AppData\Roaming\Apple Computer
2009-06-22 03:24 . 2009-02-12 06:14 -------- d-----w- c:\programdata\Apple
2009-06-19 04:13 . 2009-02-12 06:14 -------- d-----w- c:\program files\Common Files\Apple
2009-06-19 01:21 . 2008-07-13 01:24 -------- d-----w- c:\program files\DivX
2009-06-19 01:19 . 2008-07-07 03:33 -------- d-----w- c:\program files\AIM6
2009-06-19 01:18 . 2008-07-07 03:34 -------- d-----w- c:\programdata\Viewpoint
2009-05-13 07:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-07 01:09 . 2009-05-07 01:10 38208 ----a-w- c:\users\Jess\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-24 16:05 . 2009-06-09 20:23 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-09 20:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-09 20:22 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-09 20:23 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-09 20:23 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-09 20:23 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-07-05 19:30 . 2008-07-05 19:30 13 --sh--w- c:\windows\System32\drivers\fbd.sys
2008-07-05 19:30 . 2008-07-05 19:30 4 --sh--w- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]
"Google Update"="c:\users\Jess\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-19 1862144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-10 148888]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-30 4911104]

c:\users\Jess\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{34315E11-F844-4D6C-96B2-25C164E2D01D}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{98C14FDC-4CBF-48E4-9F78-F266369773C5}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{77F6B9AA-3E23-48DD-9953-D8329C84D41D}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{5A8BA326-E2BF-464D-AEC7-26E47E94A43C}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{267625BF-148E-4B9A-A33B-93693C250CFA}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{F08F82A9-1972-4B49-8E6A-E683DE993F61}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{3F56FD5A-9B93-4E1B-8BB8-596135A0ABDC}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{9C076EA5-6F79-4A91-8AF8-ADD1C9556878}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{D56961D5-7B1B-4388-8B14-EAA9ED3C61C3}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{AE075939-F684-4723-9359-B160F2CFAF9E}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{1078FA9F-DCA1-4150-BE98-E5712BDA21E9}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{883C6EA5-82CE-469A-8B62-E4C7FC4AF5F8}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{E553EE12-01BC-40F0-AE7B-0531D1165F79}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{98391201-1B5E-49F4-8657-875CE27D36CD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{92C816D2-87C1-48AE-A415-CC7E18349762}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C20EA737-A439-4B91-9AA8-D9DBA7DF8220}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D4FFD0B0-E173-4809-AE1C-483656BF6A9D}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 SAVOnAccess;SAVOnAccess;c:\windows\System32\drivers\savonaccess.sys [2/26/2009 6:37 PM 93192]
R2 ccXgui;ccXgui;c:\program files\ccxgui\ccXservice.exe [4/23/2004 3:54 PM 173568]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [12/25/2007 5:07 PM 40960]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/28/2009 5:50 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 5:59 AM 98304]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 8:03 PM 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/6/2008 11:34 PM 24652]
S4 SophosBootDriver;SophosBootDriver;c:\windows\System32\drivers\SophosBootDriver.sys [9/30/2008 5:59 AM 20288]
.
Contents of the 'Scheduled Tasks' folder

2009-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-354487639-2530530519-2641530526-1000Core.job
- c:\users\Jess\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-13 03:09]

2009-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-354487639-2530530519-2641530526-1000UA.job
- c:\users\Jess\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-13 03:09]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-HWSetup - \HWSetup.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\download
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
FF - ProfilePath - c:\users\Jess\AppData\Roaming\Mozilla\Firefox\Profiles\ue6zemqa.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Jess\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????d??l/?????;? ;?X ;?? ;??

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-07-12 23:27
ComboFix-quarantined-files.txt 2009-07-12 03:26

Pre-Run: 91,590,246,400 bytes free
Post-Run: 92,491,370,496 bytes free

259 --- E O F --- 2009-07-11 03:32


Please let me know if there is anything else I should do. Once again, thank you.

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 July 2009 - 11:54 AM

Hi jlcardinal,


I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folders
C:\Program Files\Viewpoint




"I renamed the .exe file before running it because I remembered the earlier problems I had getting programs like this to run."

I wish you had not done that. Please follow the instructions exactly and do not rename programs yourself.

You need to disable your Sophos Anti-Virus and Windows Defender before running ComboFix, as they will prevent it from running.

Turning protection on or off for the computer
CAUTION:
If you turn protection off, Sophos Anti-Virus does not scan files that you access for threats.
Note: You need to be a member of the SophosAdministrator group to turn protection on or off for a computer.

On the Configure menu, click On-access scanning.
In the On-access scan settings for this computer dialog box, click the Scanning tab.
To turn on-access scanning on for the computer, select Enable on-access scanning for this computer, and click OK. The Sophos Anti-Virus system tray icon turns blue.


To turn on-access scanning off for the computer, deselect Enable on-access scanning for this computer, and click OK. The Sophos Anti-Virus system tray icon turns gray.


In the Sophos Anti-Virus window, the Status menu is updated.

Note: Sophos Anti-Virus retains the settings you make here, even after you restart the computer. If you have turned on-access scanning off, it remains inactive until you turn it on again.

Note: If you turn on-access protection off, you can still run on-demand scans of your computer.


To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
Note: If you already have a copy of ComboFix on your system, it is essential that you delete it before downloading this copy.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Edited by SifuMike, 12 July 2009 - 11:55 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
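As an added triage example (not part of this thread, and not ComboFix's own code), the following Python parses a REGEDIT4-style "Reg Loading Points" excerpt like the one posted above and flags the settings the helper is reacting to: UAC switched off, Security Center monitoring suppressed, AppInit_DLLs populated, and Run entries whose file could not be resolved. The sample excerpt is constructed from values in the posted log; the rule names and the Finding class are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted above (values as they appear there).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# Matches the '"name"=value' lines ComboFix prints under each [key] header.
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class Finding:
    rule: str      # short rule id (this example's own naming, not ComboFix's)
    key: str       # registry key the value lives under
    detail: str    # plain-language note suitable for a reply in the thread


def parse_reg_sections(text):
    """Group the '"name"=value' lines under the [key] header that precedes them."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def dword_value(raw):
    """Return the integer behind 'dword:00000001', or None if the value is not a dword."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return None


def triage(text):
    """Apply the rules to every parsed value and return the findings in log order."""
    findings = []
    for key, values in parse_reg_sections(text).items():
        k = key.lower()
        for name, raw in values:
            n = name.lower()
            if k.endswith(r"policies\system") and n == "enablelua" and raw.startswith("0"):
                findings.append(Finding("uac_disabled", key,
                                        "UAC is off (EnableLUA=0): no elevation prompts for administrators"))
            elif r"security center\monitoring" in k and n == "disablemonitoring" \
                    and dword_value(raw) == 1:
                findings.append(Finding("monitoring_suppressed", key,
                                        "Security Center will not warn when this product is disabled"))
            elif n == "appinit_dlls" and raw:
                # AppInit_DLLs are loaded into every process that loads user32.dll.
                for dll in raw.split():
                    findings.append(Finding("appinit_dll", key,
                                            f"{dll} is injected into every user32.dll process"))
            elif k.endswith(r"\run") and (raw.endswith("[BU]") or "(no file)" in raw):
                findings.append(Finding("unresolved_run", key,
                                        f"{name}: autostart whose file could not be located ({raw})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.key}\n    {f.detail}")
```

Running it on the sample reports one UAC finding, two suppressed-monitoring keys, two AppInit DLLs and the unresolved NDSTray.exe entry; the second log posted below, after the CFScript ran, no longer carries the top-level Monitoring key.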

#13 jlcardinal

jlcardinal
  • Topic Starter

  • Members
  • 13 posts

Posted 12 July 2009 - 12:48 PM

Hi SifuMike,

I was able to uninstall Viewpoint but I get an "access denied" message when I try to delete the folder from Program Files.

Here is the new ComboFix log:

ComboFix 09-07-09.08 - Jess 07/12/2009 13:37.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1027 [GMT -4:00]
Running from: c:\users\Jess\Desktop\ComboFix.exe
Command switches used :: c:\users\Jess\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))
.

2009-07-12 17:40 . 2009-07-12 17:40 -------- d-----w- c:\users\Jess\AppData\Local\temp
2009-07-12 03:10 . 2009-07-12 03:27 -------- d-s---w- C:\barkbark.exe
2009-07-11 04:26 . 2009-07-11 04:26 -------- d-----w- c:\program files\Trend Micro
2009-07-11 01:35 . 2009-07-11 01:35 -------- d-----w- c:\users\Jess\AppData\Roaming\Malwarebytes
2009-07-11 01:33 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-11 01:33 . 2009-07-11 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-11 01:33 . 2009-07-11 01:33 -------- d-----w- c:\programdata\Malwarebytes
2009-07-11 01:33 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-08 23:53 . 2009-07-09 01:37 680 ----a-w- c:\users\Jess\AppData\Local\d3d9caps.dat
2009-07-08 06:02 . 2009-07-08 06:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-08 05:33 . 2009-07-08 05:33 -------- d-----w- c:\programdata\Cobian
2009-07-08 05:32 . 2009-07-10 22:31 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-08 01:31 . 2009-07-08 01:31 -------- d-----w- c:\windows\Sun
2009-07-01 13:46 . 2009-07-01 13:46 69632 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\ispsheet.dll
2009-07-01 13:46 . 2009-07-01 13:46 499712 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\auadapter.dll
2009-07-01 13:46 . 2009-07-01 13:46 245760 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\almon.exe
2009-07-01 13:46 . 2009-07-01 13:46 184320 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\eecustomactions.dll
2009-07-01 13:46 . 2009-07-01 13:46 172032 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\channelupdater.dll
2009-07-01 13:46 . 2009-07-01 13:46 172032 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\alsvc.exe
2009-07-01 13:46 . 2009-07-01 13:46 663552 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\alupdate.exe
2009-07-01 13:46 . 2009-07-01 13:46 90112 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\instlmgr.dll
2009-07-01 13:46 . 2009-07-01 13:46 208896 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\setup.dll
2009-07-01 13:46 . 2009-07-01 13:46 253952 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\sau\program files\sophos\autoupdate\sauconfigdll.dll
2009-07-01 13:45 . 2009-07-01 13:45 548864 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\savres.dll
2009-07-01 13:45 . 2009-07-01 13:45 287480 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\wsc_ia64\wscclient.exe
2009-07-01 13:45 . 2009-07-01 13:45 128056 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\wsc_win32\wscclient.exe
2009-07-01 13:45 . 2009-07-01 13:45 299008 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\module retargetable folder\icmanagement.dll
2009-07-01 13:45 . 2009-07-01 13:45 195072 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\sophos_detoured.dll
2009-07-01 13:45 . 2009-07-01 13:45 164864 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\sophos_detoured_x64.dll
2009-07-01 13:45 . 2009-07-01 13:45 149240 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\wsc_x64\wscclient.exe
2009-07-01 13:45 . 2009-07-01 13:45 118849 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\osdp.dll
2009-07-01 13:45 . 2009-07-01 13:45 483393 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\savi.dll
2009-07-01 13:45 . 2009-07-01 13:45 1740865 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\veex.dll
2009-07-01 13:45 . 2009-07-01 13:45 307200 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\sophos_detoured_ia64.dll
2009-07-01 13:45 . 2009-07-01 13:45 466944 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\module retargetable folder\virusdetection.dll
2009-07-01 03:04 . 2009-07-01 03:04 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-01 03:04 . 2009-07-09 22:26 -------- d-----w- c:\users\Jess\AppData\Roaming\skypePM
2009-07-01 03:02 . 2009-07-09 22:54 -------- d-----w- c:\users\Jess\AppData\Roaming\Skype
2009-07-01 03:01 . 2009-07-01 03:01 -------- d-----w- c:\program files\Common Files\Skype
2009-07-01 03:01 . 2009-07-01 03:01 -------- d-----r- c:\program files\Skype
2009-07-01 03:01 . 2009-07-01 03:01 -------- d-----w- c:\programdata\Skype
2009-06-28 23:55 . 2009-06-28 23:55 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-06-28 23:54 . 2009-06-28 23:54 746744 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-28 23:54 . 2009-06-28 23:54 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-06-28 17:01 . 2009-06-28 17:01 80936 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\savadminservice.exe
2009-06-28 17:01 . 2009-06-28 17:01 675840 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\module retargetable folder\savadapter.dll
2009-06-28 17:01 . 2009-06-28 17:01 1189888 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\savshellextia64.dll
2009-06-28 17:01 . 2009-06-28 17:01 90112 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\module retargetable folder\componentmanager.dll
2009-06-28 15:07 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-06-28 15:07 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-06-28 15:07 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2009-06-28 15:07 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-06-28 15:07 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-06-28 15:07 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-06-28 15:07 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-06-28 02:14 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-06-28 02:14 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-06-28 02:14 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-06-28 02:14 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-06-28 02:14 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2009-06-24 03:58 . 2009-06-24 04:26 -------- d-----w- c:\users\Jess\AppData\Roaming\vlc
2009-06-24 03:57 . 2009-06-24 03:57 -------- d-----w- c:\program files\VideoLAN
2009-06-19 04:13 . 2009-06-19 04:13 -------- d-----w- c:\program files\iPod
2009-06-19 04:13 . 2009-06-19 04:13 -------- d-----w- c:\program files\iTunes
2009-06-19 04:10 . 2009-06-19 04:10 -------- d-----w- c:\program files\QuickTime
2009-06-19 03:55 . 2009-06-19 03:55 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-19 01:20 . 2009-06-19 01:20 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-06-19 01:19 . 2009-06-19 01:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-14 01:03 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-14 01:03 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 17:26 . 2008-07-07 03:34 -------- d-----w- c:\program files\Viewpoint
2009-07-11 01:23 . 2008-08-30 02:44 -------- d-----w- c:\users\Jess\AppData\Roaming\uTorrent
2009-07-11 01:23 . 2008-02-19 03:14 -------- d-----w- c:\programdata\Symantec
2009-07-11 01:23 . 2008-02-19 03:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-10 22:39 . 2009-02-01 00:22 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-10 22:30 . 2008-02-19 03:05 -------- d-----w- c:\program files\Java
2009-07-08 03:07 . 2009-01-19 15:34 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2009-07-08 01:17 . 2009-01-19 15:37 20 ---h--w- c:\programdata\PKP_DLdw.DAT
2009-06-29 01:05 . 2009-03-01 22:46 1 ----a-w- c:\users\Jess\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-22 03:34 . 2009-02-12 06:20 -------- d-----w- c:\users\Jess\AppData\Roaming\Apple Computer
2009-06-22 03:24 . 2009-02-12 06:14 -------- d-----w- c:\programdata\Apple
2009-06-19 04:13 . 2009-02-12 06:14 -------- d-----w- c:\program files\Common Files\Apple
2009-06-19 01:21 . 2008-07-13 01:24 -------- d-----w- c:\program files\DivX
2009-06-19 01:19 . 2008-07-07 03:33 -------- d-----w- c:\program files\AIM6
2009-06-19 01:18 . 2008-07-07 03:34 -------- d-----w- c:\programdata\Viewpoint
2009-05-07 01:09 . 2009-05-07 01:10 38208 ----a-w- c:\users\Jess\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-24 16:05 . 2009-06-09 20:23 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-09 20:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-09 20:22 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-09 20:23 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-09 20:23 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-09 20:23 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-07-05 19:30 . 2008-07-05 19:30 13 --sh--w- c:\windows\System32\drivers\fbd.sys
2008-07-05 19:30 . 2008-07-05 19:30 4 --sh--w- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-12_03.25.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-22 16:14 . 2009-07-12 17:36 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-22 16:14 . 2009-07-11 04:40 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-22 16:14 . 2009-07-11 04:40 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-22 16:14 . 2009-07-12 17:36 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-22 16:14 . 2009-07-11 04:40 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-22 16:14 . 2009-07-12 17:36 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:33 . 2009-07-12 03:25 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-07-11 04:47 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-07-11 04:47 101350 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-07-12 03:25 101350 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-17 4347120]
"Google Update"="c:\users\Jess\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-12 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-19 1862144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-10 148888]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-30 4911104]

c:\users\Jess\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{34315E11-F844-4D6C-96B2-25C164E2D01D}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{98C14FDC-4CBF-48E4-9F78-F266369773C5}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{77F6B9AA-3E23-48DD-9953-D8329C84D41D}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{5A8BA326-E2BF-464D-AEC7-26E47E94A43C}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{267625BF-148E-4B9A-A33B-93693C250CFA}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{F08F82A9-1972-4B49-8E6A-E683DE993F61}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{3F56FD5A-9B93-4E1B-8BB8-596135A0ABDC}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{9C076EA5-6F79-4A91-8AF8-ADD1C9556878}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{D56961D5-7B1B-4388-8B14-EAA9ED3C61C3}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{AE075939-F684-4723-9359-B160F2CFAF9E}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{1078FA9F-DCA1-4150-BE98-E5712BDA21E9}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{883C6EA5-82CE-469A-8B62-E4C7FC4AF5F8}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{E553EE12-01BC-40F0-AE7B-0531D1165F79}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{98391201-1B5E-49F4-8657-875CE27D36CD}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{92C816D2-87C1-48AE-A415-CC7E18349762}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C20EA737-A439-4B91-9AA8-D9DBA7DF8220}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D4FFD0B0-E173-4809-AE1C-483656BF6A9D}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 SAVOnAccess;SAVOnAccess;c:\windows\System32\drivers\savonaccess.sys [2/26/2009 6:37 PM 93192]
R2 ccXgui;ccXgui;c:\program files\ccxgui\ccXservice.exe [4/23/2004 3:54 PM 173568]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [12/25/2007 5:07 PM 40960]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/28/2009 5:50 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 5:59 AM 98304]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 8:03 PM 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/6/2008 11:34 PM 24652]
S4 SophosBootDriver;SophosBootDriver;c:\windows\System32\drivers\SophosBootDriver.sys [9/30/2008 5:59 AM 20288]
.
Contents of the 'Scheduled Tasks' folder

2009-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-354487639-2530530519-2641530526-1000Core.job
- c:\users\Jess\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-13 03:09]

2009-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-354487639-2530530519-2641530526-1000UA.job
- c:\users\Jess\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-13 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\download
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
FF - ProfilePath - c:\users\Jess\AppData\Roaming\Mozilla\Firefox\Profiles\ue6zemqa.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\Jess\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 13:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????d??l/?????;? ;?X ;?? ;??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-07-12 13:42
ComboFix-quarantined-files.txt 2009-07-12 17:42
ComboFix2.txt 2009-07-12 03:27

Pre-Run: 92,578,328,576 bytes free
Post-Run: 92,034,744,320 bytes free

266 --- E O F --- 2009-07-11 03:32



It didn't seem to delete anything this time around like it did last time.



Thank you.

-JLC

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:16 AM

Posted 12 July 2009 - 03:07 PM

Hi jlcardinal,

Looks good. :thumbup2:

Let's check for stragglers.


Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 jlcardinal

jlcardinal
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:16 PM

Posted 12 July 2009 - 07:28 PM

That scan did take a while!

Seems I may indeed have some stragglers...

Here's the Kaspersky scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, July 12, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, July 13, 2009 00:22:54
Records in database: 2463981
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 171491
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:55:50


File name / Threat name / Threats count
C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\170[1].pdf.000 Infected: Exploit.JS.Pdfka.nl 1
C:\Qoobox\Quarantine\C\Windows\System32\MSIVXcskwvewbsmuixydxtpvjnrqwjqwiuxrv.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Qoobox\Quarantine\C\Windows\System32\MSIVXviqrqlprjmpnqsmxxwbbnpdoocqehtpc.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Users\All Users\Sophos\Sophos Anti-Virus\INFECTED\170[1].pdf.000 Infected: Exploit.JS.Pdfka.nl 1

The selected area was scanned.


I really appreciate your assistance!
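An added example, not code from the thread or from Kaspersky: it parses the detection rows of a Kaspersky Online Scanner 7 report in the format posted above and separates hits that already sit in a quarantine store (ComboFix's Qoobox\Quarantine folder, Sophos's INFECTED folder) from hits at a live path, which are the ones that still need attention. The first two report lines are copied from the post; the third is a constructed sample of a non-quarantined detection.

```python
import re
from dataclasses import dataclass
from typing import List

# Report excerpt in Kaspersky Online Scanner 7.0 format. First two rows are from
# the thread above; the third row is a CONSTRUCTED sample of a live-path detection.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\170[1].pdf.000 Infected: Exploit.JS.Pdfka.nl 1
C:\Qoobox\Quarantine\C\Windows\System32\MSIVXcskwvewbsmuixydxtpvjnrqwjqwiuxrv.dll.vir Infected: Packed.Win32.Tdss.w 1
C:\Windows\System32\constructed-sample.dll Infected: Packed.Win32.Tdss.w 1

The selected area was scanned.
"""

# Path fragments of the quarantine stores seen in this thread (compared case-insensitively):
# ComboFix quarantines under \Qoobox\Quarantine\, Sophos under ...\Sophos Anti-Virus\INFECTED\.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\sophos anti-virus\\infected\\")

# One detection row: "<path> Infected: <threat> <count>" (Kaspersky also emits "Suspicious:").
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


@dataclass
class Detection:
    path: str
    verdict: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        """True when the file lives inside a known quarantine folder."""
        lowered = self.path.lower()
        return any(marker in lowered for marker in QUARANTINE_MARKERS)


def parse_report(text: str) -> List[Detection]:
    """Extract the detection rows; header, settings and statistics lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            rows.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return rows


def live_detections(text: str) -> List[Detection]:
    """Detections outside any quarantine store: the items that still need action."""
    return [d for d in parse_report(text) if not d.quarantined]


if __name__ == "__main__":
    for d in parse_report(SAMPLE_REPORT):
        print("quarantined" if d.quarantined else "LIVE", d.threat, d.path)
```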



