trojan downloader win 32 renos . IO and IE has stopped working message


This topic is locked
20 replies to this topic

#1 bbehling

  • Members
  • 19 posts

Posted 19 July 2009 - 08:46 PM

Referred from: http://www.bleepingcomputer.com/forums/t/242767/trojan-downloader-win-32-renos-io-and-ie-has-stopped-working-message/ ~ OB

I get constant "Internet Explorer has stopped working" messages when I try to open it. I can use Google, although it seems to redirect to incorrect sites and goes into error quite often. I get a "trojan downloader win 32/ renos IO" message from Windows Defender telling me to remove it, which I do. I also get "html infected.webpage.gen". I am running Vista. I have run SmitFraudFix scan and clean and then ATF Cleaner. I downloaded MBAM, but when I hit run nothing happened. As I go on in time my PC is becoming more unstable. I recently started having problems when I restart: it goes into a continuous loop and never restarts until I hit F8 and click on "use last known good configuration" to get it to boot correctly. Below is the requested report, and I also attached the requested report. I really appreciate your help.






DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 21:20:37.35 on Sun 07/19/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1433 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SmitFraudFixTool *disabled* (Updated) {59656E7B-3D0B-4E18-8096-DDA0333202B6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Common Files\aol\1209423966\ee\aolsoftware.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\p2phost.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Users\Owner\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Cobian Backup 9\cbService.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\Desktop\Documents\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
BHO: MRI_DISABLED - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [CollaborationHost] c:\windows\system32\p2phost.exe -s
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [TP CfgWiz] "c:\program files\common files\symantec shared\opc\{31011d49-d90c-4da0-878b-78d28ad507af}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HostManager] c:\program files\common files\aol\1209423966\ee\AOLSoftware.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [Cobian Backup 9 interface] "c:\program files\cobian backup 9\cbInterface.exe" -service
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\5y0kz89l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com?src=toolbar
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ab&query=
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\5y0kz89l.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-19 20:56 --d----- c:\programdata\Cobian
2009-07-19 20:56 --d----- c:\progra~2\Cobian
2009-07-19 20:55 --d----- c:\program files\Cobian Backup 9
2009-07-19 20:27 --dsh--- C:\found.000
2009-07-19 19:39 --d----- c:\program files\zztoy.exe
2009-07-19 19:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 19:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 19:36 --d----- c:\programdata\Malwarebytes
2009-07-19 19:36 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 19:36 --d----- c:\progra~2\Malwarebytes
2009-07-19 18:26 691 a------- c:\users\owner\appdata\roaming\GetValue.vbs
2009-07-19 18:26 35 a------- c:\users\owner\appdata\roaming\SetValue.bat
2009-07-19 15:18 5,008 a------- c:\windows\system32\tmp.reg
2009-07-19 14:55 --d----- c:\windows\pss
2009-07-19 11:57 --d----- c:\users\owner\appdata\roaming\SmitFraudFixTool
2009-07-15 00:59 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 00:59 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 00:59 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 00:59 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-11 10:16 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-11 10:16 --d----- c:\programdata\Avira
2009-07-11 10:16 --d----- c:\program files\Avira
2009-07-11 10:16 --d----- c:\progra~2\Avira
2009-06-30 15:09 --d----- c:\programdata\Yahoo! Companion
2009-06-27 17:46 --d----- c:\users\owner\appdata\roaming\AVS4YOU
2009-06-27 17:46 --d----- c:\programdata\AVS4YOU
2009-06-27 17:46 --d----- c:\progra~2\AVS4YOU
2009-06-27 17:46 --d----- c:\program files\common files\AVSMedia
2009-06-27 17:46 --d----- c:\program files\AVS4YOU
2009-06-20 13:19 --d----- c:\users\owner\appdata\roaming\IObit
2009-06-20 13:19 --d----- c:\program files\Yahoo!
2009-06-20 13:19 --d----- c:\program files\IObit
2009-06-20 13:13 a-d----- c:\programdata\TEMP

==================== Find3M ====================

2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-04-30 08:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 08:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-27 11:51 60,744 a------- c:\users\owner\g2mdlhlpx.exe
2008-11-20 09:29 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-20 09:29 51,200 a------- c:\windows\inf\infpub.dat
2008-10-05 10:25 86,016 a------- c:\windows\inf\infstor.dat
2008-10-05 10:25 87,608 a------- c:\users\owner\appdata\roaming\inst.exe
2008-10-05 10:25 47,360 a------- c:\users\owner\appdata\roaming\pcouffin.sys
2008-06-17 10:41 100,200 a------- c:\users\owner\DimdimSetup.exe
2008-06-12 03:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-04 14:30 60,968 a------- c:\users\owner\GoToAssistDownloadHelper.exe
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-11-27 11:57 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-27 11:57 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-27 11:57 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-11-12 19:48 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-12 19:48 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-12 19:48 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 21:21:38.74 ===============


Edited by Orange Blossom, 19 July 2009 - 08:51 PM.


#2 bbehling (Topic Starter)

  • Members
  • 19 posts

Posted 20 July 2009 - 08:25 AM

I was finally able to run MBAM and here is the log below. I still could not restart Windows properly and had to once again open with the last known good configuration. I tried Internet Explorer and it still gives the "Internet Explorer is not working" message. What should I try next?

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6001 Service Pack 1

7/20/2009 09:10:07
mbam-log-2009-07-20 (09-10-07).txt

Scan type: Quick Scan
Objects scanned: 79097
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\EF138E14611BA61409610A78A0285E8E (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0DB72C2C70E48F34A898781CD253EC04 (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4FC4B1A375C0D8941BC39DB8BB47D245 (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\630D493643B41934EB237345CEEF4E5B (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EA89927B602E18D4AA02A27FED4E0040 (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F2F26FF30CAEE3C4EAEDB812E4B27304 (Rogue.SmitFraudFixTool) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\microsoft\Windows\

#3 bbehling (Topic Starter)

  • Members
  • 19 posts

Posted 20 July 2009 - 10:31 AM

I thought that since I ran MBAM after running DDS, I should rerun it. Here is the DDS below, and I also attached the current Attach file. Thanks very much.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 11:24:56.03 on Mon 07/20/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1939 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SmitFraudFixTool *disabled* (Updated) {59656E7B-3D0B-4E18-8096-DDA0333202B6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Common Files\aol\1209423966\ee\aolsoftware.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\p2phost.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Users\Owner\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Owner\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\Documents\Downloads\dds (1).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
BHO: MRI_DISABLED - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [CollaborationHost] c:\windows\system32\p2phost.exe -s
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [TP CfgWiz] "c:\program files\common files\symantec shared\opc\{31011d49-d90c-4da0-878b-78d28ad507af}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HostManager] c:\program files\common files\aol\1209423966\ee\AOLSoftware.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [Cobian Backup 9 interface] "c:\program files\cobian backup 9\cbInterface.exe" -service
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\5y0kz89l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com?src=toolbar
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ab&query=
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\5y0kz89l.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-11 108289]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-27 31896]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-2-13 7168]
S2 gupdate1c9bad649ae864b;Google Update Service (gupdate1c9bad649ae864b);c:\program files\google\update\GoogleUpdate.exe [2009-4-11 133104]
S2 SmitFraudFixToolSrv;SmitFraudFixTool Scanning Engine;"c:\program files\smitfraudfixtool\smitfraudfixtool.srv.exe" --> c:\program files\smitfraudfixtool\SmitFraudFixTool.srv.exe [?]

=============== Created Last 30 ================

2009-07-20 08:34 <DIR> --d----- c:\users\owner\appdata\roaming\Malwarebytes
2009-07-19 20:56 <DIR> --d----- c:\programdata\Cobian
2009-07-19 20:56 <DIR> --d----- c:\progra~2\Cobian
2009-07-19 20:55 <DIR> --d----- c:\program files\Cobian Backup 9
2009-07-19 20:27 <DIR> --dsh--- C:\found.000
2009-07-19 19:39 <DIR> --d----- c:\program files\zztoy.exe
2009-07-19 19:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 19:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 19:36 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-19 19:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 19:36 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-19 18:26 691 a------- c:\users\owner\appdata\roaming\GetValue.vbs
2009-07-19 18:26 35 a------- c:\users\owner\appdata\roaming\SetValue.bat
2009-07-19 15:18 5,008 a------- c:\windows\system32\tmp.reg
2009-07-19 14:55 <DIR> --d----- c:\windows\pss
2009-07-15 00:59 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 00:59 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 00:59 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 00:59 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-11 10:16 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-11 10:16 <DIR> --d----- c:\programdata\Avira
2009-07-11 10:16 <DIR> --d----- c:\program files\Avira
2009-07-11 10:16 <DIR> --d----- c:\progra~2\Avira
2009-06-30 15:09 <DIR> --d----- c:\programdata\Yahoo! Companion
2009-06-27 17:46 <DIR> --d----- c:\users\owner\appdata\roaming\AVS4YOU
2009-06-27 17:46 <DIR> --d----- c:\programdata\AVS4YOU
2009-06-27 17:46 <DIR> --d----- c:\progra~2\AVS4YOU
2009-06-27 17:46 <DIR> --d----- c:\program files\common files\AVSMedia
2009-06-27 17:46 <DIR> --d----- c:\program files\AVS4YOU
2009-06-20 13:19 <DIR> --d----- c:\users\owner\appdata\roaming\IObit
2009-06-20 13:19 <DIR> --d----- c:\program files\Yahoo!
2009-06-20 13:19 <DIR> --d----- c:\program files\IObit
2009-06-20 13:13 <DIR> a-d----- c:\programdata\TEMP

==================== Find3M ====================

2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-04-30 08:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 08:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-02-27 11:51 60,744 a------- c:\users\owner\g2mdlhlpx.exe
2008-11-20 09:29 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-20 09:29 51,200 a------- c:\windows\inf\infpub.dat
2008-10-05 10:25 86,016 a------- c:\windows\inf\infstor.dat
2008-10-05 10:25 87,608 a------- c:\users\owner\appdata\roaming\inst.exe
2008-10-05 10:25 47,360 a------- c:\users\owner\appdata\roaming\pcouffin.sys
2008-06-17 10:41 100,200 a------- c:\users\owner\DimdimSetup.exe
2008-06-12 03:08 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-04 14:30 60,968 a------- c:\users\owner\GoToAssistDownloadHelper.exe
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-11-27 11:57 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-27 11:57 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-27 11:57 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-11-12 19:48 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-12 19:48 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-12 19:48 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 11:25:23.54 ===============

#4 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 30 July 2009 - 04:02 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#5 bbehling (Topic Starter)

Posted 31 July 2009 - 07:39 AM

Hello
Since my last post I brought my laptop to computer doctors. They ran a cleanup and then I was able to run Internet Explorer. The problem I got after that was I can't run a third party search on Internet Explorer or Firefox. It will only bring up the first search subject website that it finds and won't display all searches found. I have Google search installed for an add-on but that will only work using the Google toolbar, and then most times I choose a website from the Google search I get either an advertisement or a completely different website. Sometimes if I go back and reclick on the desired website it will bring me to the correct website, but not very often. My laptop also seems to have slowed down and I have to wait quite a while for certain pages to load. Computer doctors said it would cost even more to fix my problems but I felt I had already spent enough and it should have come back working correctly. They told me to load Avast and maybe that would help but it didn't. Any help you could give me would be much appreciated.



DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 8:23:50.72 on Fri 07/31/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.1852 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SmitFraudFixTool *disabled* (Updated) {59656E7B-3D0B-4E18-8096-DDA0333202B6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\PROGRA~1\TIMEWI~1\TDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\Documents\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uStart Page = hxxp://www.google.com/ig
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: MRI_DISABLED - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
mRun: [Cobian Backup 9 interface] "c:\program files\cobian backup 9\cbInterface.exe" -service
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\5y0kz89l.default\
FF - prefs.js: browser.search.defaulturl - www.google.com
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npxsciter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-28 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-28 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-7-28 51792]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-27 31896]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-2-13 7168]
S4 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
S4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]

=============== Created Last 30 ================

2009-07-30 12:00 149 a------- C:\Delme.bat
2009-07-30 11:55 <DIR> --d----- c:\program files\Timewise Desktop
2009-07-29 03:59 828,416 a------- c:\windows\system32\wininet.dll
2009-07-29 03:59 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-28 17:33 51,792 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-07-28 17:29 <DIR> --d----- c:\programdata\AVG Security Toolbar
2009-07-28 17:29 <DIR> --d----- c:\progra~2\AVG Security Toolbar
2009-07-28 17:24 <DIR> --d----- c:\program files\AVG
2009-07-28 17:21 <DIR> --d----- c:\users\owner\appdata\roaming\AVG8
2009-07-28 13:23 4 a------- c:\windows\msoffice.ini
2009-07-23 18:30 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-07-23 17:22 <DIR> --d----- c:\users\owner\{0dabf14a-e6fe-4bf4-ab51-58aef53d946d}
2009-07-23 17:20 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-23 17:17 <DIR> --d----- c:\program files\Microsoft
2009-07-23 16:33 <DIR> --d----- c:\windows\system32\eu-ES
2009-07-23 16:33 <DIR> --d----- c:\windows\system32\ca-ES
2009-07-23 16:33 <DIR> --d----- c:\windows\system32\vi-VN
2009-07-23 16:19 <DIR> --d----- c:\windows\system32\EventProviders
2009-07-23 16:18 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-07-23 16:18 3,408,896 a------- c:\windows\system32\SLsvc.exe
2009-07-23 16:18 1,081,344 a------- c:\windows\system32\SLCExt.dll
2009-07-23 16:18 2,134,528 a------- c:\windows\system32\FunctionDiscoveryFolder.dll
2009-07-23 16:18 65,536 a------- c:\windows\system32\DevicePairingWizard.exe
2009-07-23 16:18 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-07-23 16:18 1,480,704 a------- c:\windows\system32\mssrch.dll
2009-07-23 16:18 684,032 a------- c:\windows\system32\drivers\spsys.sys
2009-07-23 16:16 2,225,664 a------- c:\windows\system32\netcenter.dll
2009-07-22 09:59 265,925,560 a------- c:\users\owner\{33E28130-4E1E-4676-835A-98395C3BC3BB}.zip
2009-07-21 17:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-20 08:34 <DIR> --d----- c:\users\owner\appdata\roaming\Malwarebytes
2009-07-19 20:56 <DIR> --d----- c:\programdata\Cobian
2009-07-19 20:56 <DIR> --d----- c:\progra~2\Cobian
2009-07-19 20:55 <DIR> --d----- c:\program files\Cobian Backup 9
2009-07-19 20:27 <DIR> --dsh--- C:\found.000
2009-07-19 19:36 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-19 19:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 19:36 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-19 18:26 691 a------- c:\users\owner\appdata\roaming\GetValue.vbs
2009-07-19 18:26 35 a------- c:\users\owner\appdata\roaming\SetValue.bat
2009-07-19 15:18 5,008 a------- c:\windows\system32\tmp.reg
2009-07-19 14:55 <DIR> --d----- c:\windows\pss
2009-07-15 00:59 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 00:59 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 00:59 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 00:59 34,304 a------- c:\windows\system32\atmlib.dll
2009-07-15 00:59 23,552 a------- c:\windows\system32\lpk.dll
2009-07-15 00:59 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-11 10:16 55,640 a------- c:\windows\system32\drivers\avgntflt.sys

==================== Find3M ====================

2009-07-23 18:30 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-23 18:30 86,016 a------- c:\windows\inf\infstor.dat
2009-07-23 18:30 51,200 a------- c:\windows\inf\infpub.dat
2009-07-23 16:33 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-02-27 11:51 60,744 a------- c:\users\owner\g2mdlhlpx.exe
2008-10-05 10:25 87,608 a------- c:\users\owner\appdata\roaming\inst.exe
2008-10-05 10:25 47,360 a------- c:\users\owner\appdata\roaming\pcouffin.sys
2008-06-17 10:41 100,200 a------- c:\users\owner\DimdimSetup.exe
2008-05-04 14:30 60,968 a------- c:\users\owner\GoToAssistDownloadHelper.exe
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-11-27 11:57 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-27 11:57 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-27 11:57 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-11-12 19:48 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-12 19:48 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-12 19:48 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 8:24:28.07 ===============

#6 m0le (Can U Dig It?, Malware Response Team)

Posted 02 August 2009 - 05:52 AM

Hi bbehling,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

I will be back soon with the first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#7 m0le (Can U Dig It?, Malware Response Team)

Posted 02 August 2009 - 06:39 AM

The DDS log is clean. :thumbup2:

Please clean out your temp files/cookies/cache

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.


Next we shall check for rootkits. If you have had this cleaned at a shop then this will be clean.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the GMER executable on your desktop (gamer.exe, or the randomly named file if you used the main mirror).
  • Allow the gmer.sys driver to load if asked.
  • You may see a pop-up window at this point. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Let's also attempt to change all policies back to the default.

1. Download FixPolicies to your Desktop.
2. Double-click FixPolicies.exe.
3. Click the Install button on the bottom toolbar of the box that will open. The program will create a new folder called FixPolicies.
4. Double-click to open the new folder, and then double-click the file within: Fix_policies.cmd. A black box will briefly appear and then close.
5. Reboot the computer so the changes can take effect.

Let me know that you have carried out these steps and post the Gmer log in your next reply.

#8 bbehling (Topic Starter)

Posted 02 August 2009 - 07:40 AM

Should I remove or disable the virus protection the shop told me to download, named "AVAST on line scanner", before I perform these steps?

#9 bbehling (Topic Starter)

Posted 02 August 2009 - 08:15 AM

I disabled Avast before I performed the steps. When I ran GMER the screen went blue after a minute and I got a message that a program was trying to write to read-only memory. That is where I currently stand; it didn't generate a log.

#10 m0le (Can U Dig It?, Malware Response Team)

Posted 02 August 2009 - 08:35 AM

Try this scanner instead. Yes, please keep the AV disabled during the fix.

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all six boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#11 bbehling (Topic Starter)

Posted 02 August 2009 - 05:20 PM

RootRepeal won't run correctly. Before I start it I get a "could not read the boot sector. Try adjusting the disc access level in the options dialog" message. After I close that message 4 or 5 times it runs but eventually just closes and doesn't generate a log. I have tried to adjust the disc access levels and ran in safe mode and got the same result. Also tried GMER in safe mode and it blue screened. What should I try next?

#12 m0le (Can U Dig It?, Malware Response Team)

Posted 02 August 2009 - 07:27 PM

Sounds like something is blocking them from running.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming the installation. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:

#13 bbehling (Topic Starter)

Posted 02 August 2009 - 10:20 PM

ComboFix ran and it produced the log, but I can't access it because I get the message "illegal operation on a registry key that has been marked for deletion". Anything I click on gives that message now. I am sending this reply on my phone because I can't launch a browser or anything else. ????

#14 bbehling (Topic Starter)

Posted 03 August 2009 - 08:29 AM

I decided to restart my computer. The ComboFix log is attached.

#15 bbehling (Topic Starter)

Posted 03 August 2009 - 08:32 AM

Here is the ComboFix log posted, not sure which way you prefer.

ComboFix 09-08-01.09 - Owner 08/02/2009 22:25.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.1915 [GMT -4:00]
Running from: c:\users\Owner\Desktop\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2732826977-1390623016-2335831479-1001
c:\$recycle.bin\S-1-5-21-2732826977-1390623016-2335831479-500
c:\users\Owner\AppData\Roaming\inst.exe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\System32\drivers\ESQULbtfxxtxemvwxqvbxiiieentvubgpbxrm.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\ESQULeeffrfvidqrrjcvlkpcekwtpnutqsnts.dll
c:\windows\system32\ESQULspcnvqqexcjriqqnseonjrrmrwarivys.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-03 to 2009-08-03 )))))))))))))))))))))))))))))))
.

2009-08-03 02:37 . 2009-08-03 02:38 -------- d-----w- c:\users\Owner\AppData\Local\temp
2009-08-02 20:12 . 2009-08-02 20:12 0 ----a-w- c:\windows\settings.dat
2009-08-02 20:02 . 2009-08-02 20:02 -------- d-----w- c:\users\Owner\AppData\Local\Adobe
2009-08-02 14:09 . 2009-08-02 18:22 15 ----a-w- c:\windows\system32\settings.dat
2009-07-30 15:55 . 2009-07-30 16:00 -------- d-----w- c:\program files\Timewise Desktop
2009-07-29 07:59 . 2009-07-18 11:35 828416 ----a-w- c:\windows\system32\wininet.dll
2009-07-29 07:59 . 2009-07-18 16:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-28 21:33 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-28 21:33 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-28 21:33 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-28 21:33 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-28 21:33 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-28 21:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-28 21:33 . 2009-02-05 20:06 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-07-28 21:33 . 2009-07-28 21:33 -------- d-----w- c:\program files\Alwil Software
2009-07-28 21:29 . 2009-07-29 19:44 -------- d-----w- c:\progra~2\AVG Security Toolbar
2009-07-28 21:24 . 2009-07-28 21:24 -------- d-----w- c:\program files\AVG
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\users\Owner\AppData\Roaming\AVG8
2009-07-23 21:22 . 2009-07-23 21:22 -------- d-----w- c:\users\Owner\{0dabf14a-e6fe-4bf4-ab51-58aef53d946d}
2009-07-23 21:20 . 2009-07-23 21:20 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-23 21:18 . 2009-08-01 18:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-23 21:17 . 2009-07-23 21:17 -------- d-----w- c:\program files\Microsoft
2009-07-23 20:33 . 2009-07-23 20:33 -------- d-----w- c:\windows\system32\ca-ES
2009-07-23 20:33 . 2009-07-23 20:33 -------- d-----w- c:\windows\system32\eu-ES
2009-07-23 20:33 . 2009-07-23 20:33 -------- d-----w- c:\windows\system32\vi-VN
2009-07-23 20:19 . 2009-07-23 20:19 -------- d-----w- c:\windows\system32\EventProviders
2009-07-23 20:18 . 2009-04-11 05:03 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-07-23 20:18 . 2009-04-11 06:28 1081344 ----a-w- c:\windows\system32\SLCExt.dll
2009-07-23 20:18 . 2009-04-11 06:27 3408896 ----a-w- c:\windows\system32\SLsvc.exe
2009-07-23 20:18 . 2009-04-11 06:28 2134528 ----a-w- c:\windows\system32\FunctionDiscoveryFolder.dll
2009-07-23 20:18 . 2009-04-11 06:27 65536 ----a-w- c:\windows\system32\DevicePairingWizard.exe
2009-07-23 20:18 . 2009-04-11 05:03 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-07-23 20:18 . 2009-04-11 06:28 1480704 ----a-w- c:\windows\system32\mssrch.dll
2009-07-23 20:18 . 2009-04-11 02:52 684032 ----a-w- c:\windows\system32\drivers\spsys.sys
2009-07-23 20:16 . 2009-04-11 06:28 342528 ----a-w- c:\windows\system32\zipfldr.dll
2009-07-22 13:59 . 2009-07-22 14:00 265925560 ----a-w- c:\users\Owner\{33E28130-4E1E-4676-835A-98395C3BC3BB}.zip
2009-07-21 21:23 . 2009-07-21 21:22 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-20 12:34 . 2009-07-20 12:34 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2009-07-20 00:56 . 2009-07-20 00:56 -------- d-----w- c:\progra~2\Cobian
2009-07-20 00:55 . 2009-07-20 00:56 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-20 00:27 . 2009-07-20 00:27 -------- d-sh--w- C:\found.000
2009-07-19 23:36 . 2009-07-20 12:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 23:36 . 2009-07-19 23:36 -------- d-----w- c:\progra~2\Malwarebytes
2009-07-19 22:26 . 2009-07-19 22:26 35 ----a-w- c:\users\Owner\AppData\Roaming\SetValue.bat
2009-07-18 15:57 . 2009-07-18 15:57 -------- d-----w- c:\windows\Sun
2009-07-18 15:57 . 2009-07-18 15:57 1915520 ----a-w- c:\users\Owner\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-15 04:59 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-15 04:59 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-15 04:59 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-15 04:59 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-15 04:59 . 2009-04-11 06:28 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-07-15 04:59 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-11 14:16 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 01:00 . 2008-06-13 06:02 680 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2009-07-28 17:25 . 2008-04-28 23:06 -------- d-----w- c:\program files\Common Files\aol
2009-07-28 17:24 . 2008-04-28 23:06 -------- d-----w- c:\progra~2\AOL
2009-07-28 17:23 . 2008-04-28 23:07 -------- d-----w- c:\users\Owner\AppData\Roaming\AOL
2009-07-23 23:09 . 2008-02-14 02:15 -------- d-----w- c:\program files\Google
2009-07-23 22:45 . 2008-05-03 21:09 -------- d-----w- c:\program files\Common Files\Real
2009-07-23 22:39 . 2009-06-20 17:19 -------- d-----w- c:\program files\Yahoo!
2009-07-23 22:30 . 2009-07-23 22:30 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-07-23 20:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-23 20:34 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-23 20:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-23 20:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-23 20:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-23 20:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-23 20:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-23 20:33 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-23 20:28 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-07-22 16:53 . 2008-04-27 18:26 -------- d-----w- c:\users\Owner\AppData\Roaming\TOSHIBA
2009-07-21 21:22 . 2008-02-14 02:01 -------- d-----w- c:\program files\Java
2009-07-19 22:26 . 2009-07-19 22:26 691 ----a-w- c:\users\Owner\AppData\Roaming\GetValue.vbs
2009-07-19 00:23 . 2008-07-27 11:46 -------- d-----w- c:\users\Owner\AppData\Roaming\dvdcss
2009-07-15 07:04 . 2008-03-11 09:04 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-29 20:27 . 2008-04-25 14:31 112792 ------w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-27 21:46 . 2009-06-27 21:46 -------- d-----w- c:\users\Owner\AppData\Roaming\AVS4YOU
2009-06-27 21:46 . 2009-06-27 21:46 -------- d-----w- c:\progra~2\AVS4YOU
2009-06-27 21:46 . 2009-06-27 21:46 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-06-27 21:46 . 2009-06-27 21:46 -------- d-----w- c:\program files\AVS4YOU
2009-06-25 18:01 . 2008-04-28 01:08 -------- d-----w- c:\progra~2\CanonIJPLM
2009-06-20 17:19 . 2009-06-20 17:19 -------- d-----w- c:\users\Owner\AppData\Roaming\IObit
2009-06-20 17:19 . 2009-06-20 17:19 -------- d-----w- c:\users\Owner\AppData\Roaming\Yahoo!
2009-06-20 17:19 . 2009-06-20 17:19 -------- d-----w- c:\program files\IObit
2009-06-18 14:48 . 2008-03-11 09:06 -------- d-----w- c:\program files\Microsoft Works
2009-05-26 12:46 . 2009-05-26 12:46 390664 ----a-w- c:\users\Owner\AppData\Roaming\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-26 12:46 . 2009-05-26 12:46 390664 ----a-w- c:\users\Owner\AppData\Roaming\Real\Update\temp\~Upg5\RealPlayer11.exe
2009-05-25 10:50 . 2009-05-25 10:50 164864 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-05-15 07:21 . 2009-05-15 07:21 390664 ----a-w- c:\users\Owner\AppData\Roaming\Real\Update\temp\~Upg4\RealPlayer11.exe
2009-07-24 18:10 . 2009-07-23 22:42 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-04-25 14:30 . 2008-04-25 14:30 14 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-04-25 14:30 . 2008-04-25 14:30 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-27 18:35 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 9 interface"="c:\program files\Cobian Backup 9\cbInterface.exe" [2009-01-22 2749952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-30 4911104]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-11-21 1826816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GameConsoleService"=3 (0x3)
"pinger"=2 (0x2)
"TODDSrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):18,d7,bb,d4,d5,0b,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{ABE5C3EE-DF8D-4B59-8758-489E3617E6C3}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{EF44457B-523F-4460-9386-717BE6189071}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{EC923C02-64F9-4DA6-9E09-89CD997073A0}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{10375E47-2BB1-40FF-B3A3-EF39F985B9A4}"= UDP:c:\program files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{2ADA0BBA-2A6E-4E31-8B96-74E6676A1177}"= TCP:c:\program files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{61D1AAC9-273E-45CE-A5AD-3F442FC8374C}"= UDP:c:\program files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{7BDD7EEB-F63E-4C38-9761-0B7A6912B3CA}"= TCP:c:\program files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{79922A06-2921-47DD-AA8A-AE2FA2133B84}"= UDP:c:\program files\Common Files\aol\1209423966\ee\aolsoftware.exe:AOL Shared Components
"{FC73994F-08FA-4A15-A5FB-088E31A6A6AD}"= TCP:c:\program files\Common Files\aol\1209423966\ee\aolsoftware.exe:AOL Shared Components
"{CB9E96F5-22F8-4386-9BD3-0F7008999384}"= UDP:c:\program files\AOL 9.0\waol.exe:AOL
"{FAE779EE-7C02-49F3-8B82-2B0F2936BC81}"= TCP:c:\program files\AOL 9.0\waol.exe:AOL
"{9AD32836-097A-4EAE-9F8E-7DD51A687CD8}"= UDP:c:\program files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{1B981B90-E04C-458C-AEED-95C073DDC696}"= TCP:c:\program files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{C42C4BB5-838C-4F19-B9A8-AE864458AA45}"= UDP:c:\program files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{31FD7B5F-7123-40A9-80EA-557D16C6420E}"= TCP:c:\program files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{705B2F5C-54B1-401A-94F7-8A04D5653CBC}"= UDP:c:\program files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{C74B177A-4CC9-45CB-8118-A37C02277993}"= TCP:c:\program files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{B690D08B-03FE-4F92-86D6-5F6A8E5B404A}"= UDP:c:\program files\AOL 9.1\waol.exe:AOL
"{6774E50B-C247-4630-B27D-565CC778ACDD}"= TCP:c:\program files\AOL 9.1\waol.exe:AOL
"TCP Query User{93CE655A-0EB8-48DA-AF10-E1F635AC1004}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{B91FF6EF-1EBD-458F-81E0-5D048F0676DA}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{53F14867-EAD7-469E-8A6C-7E438E363084}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9212656C-EED6-4E78-9884-DF4633BA57A2}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{14B80109-02F2-4A47-8A54-4BCCB0A27128}"= UDP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"{647A63E2-7ADB-476B-926E-448A2B4745CA}"= TCP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"{799BEDE3-5290-4A37-AB7E-2B65F323DD8A}"= UDP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"{D9B2F94A-89DA-49D0-BE3B-85446385FD4D}"= TCP:c:\program files\SightSpeed\SightSpeed.exe:SightSpeed
"TCP Query User{146957D2-CB8F-4568-BF5A-A6267C4A723A}d:\\bin\\ia\\core\\mdm_util.exe"= UDP:d:\bin\ia\core\mdm_util.exe:MDM_Util
"UDP Query User{72515629-D2C9-4CA1-A85C-E10F2AD44A70}d:\\bin\\ia\\core\\mdm_util.exe"= TCP:d:\bin\ia\core\mdm_util.exe:MDM_Util
"TCP Query User{DB64C799-27D4-464B-821E-C6C37240C5F2}c:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= UDP:c:\program files\java\jre1.6.0_03\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{FD2B7155-53D3-40FC-94ED-7C1AEB560381}c:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= TCP:c:\program files\java\jre1.6.0_03\bin\javaw.exe:Java™ Platform SE binary

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [7/28/2009 05:33 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [7/28/2009 05:33 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [7/28/2009 05:33 PM 51792]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [3/30/2009 04:28 PM 1533808]
R3 dfmirage;dfmirage;c:\windows\System32\drivers\dfmirage.sys [11/27/2005 07:25 PM 31896]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [2/13/2008 09:44 PM 7168]
S4 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [12/25/2007 05:07 PM 40960]
S4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [12/3/2007 08:03 PM 126976]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://mfr.mlxchange.com/5.0.06.2865/Control/IRCSharc.cab
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\5y0kz89l.default\
FF - prefs.js: browser.search.defaulturl - www.google.com
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npxsciter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\System32\wlanext.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2009-08-03 22:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-03 02:47

Pre-Run: 85,727,137,792 bytes free
Post-Run: 85,584,691,200 bytes free

277 --- E O F --- 2009-08-01 12:31