Infected with NTOSKRNL-HOOK


  • This topic is locked
32 replies to this topic

#1 Aroses

Aroses

  • Members
  • 17 posts

Posted 28 August 2009 - 06:42 PM

I keep getting blue screens dumping files. I cannot copy the error message, because I only get it in regular mode. I am in safe mode right now to complete this request. I cannot remove the virus. :( Please assist in removing the virus.

Thanks



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 3/10/2008 3:41:35 PM
System Uptime: 8/25/2009 10:08:24 PM (67 hours ago)

Motherboard: TOSHIBA | | IALAA
Processor: AMD Turion™ 64 X2 Mobile Technology TL-60 | Socket M2/S1G1 | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 148 GiB total, 90.643 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: RAS Async Adapter
Device ID: SW\{EEAB7790-C514-11D1-B42B-00805FC1270E}\ASYNCMAC
Manufacturer: Microsoft
Name: RAS Async Adapter
PNP Device ID: SW\{EEAB7790-C514-11D1-B42B-00805FC1270E}\ASYNCMAC
Service: AsyncMac

==== System Restore Points ===================

RP236: 8/20/2009 3:52:46 PM - Windows Update
RP237: 8/21/2009 9:44:12 PM - Restore Operation

==== Installed Programs ======================


2007 Microsoft Office Suite Service Pack 1 (SP1)
Activation Assistant for the 2007 Microsoft Office suites
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
ALPS Touch Pad Driver
Amazon MP3 Downloader 1.0.5
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Atheros Driver Installation Program
Atheros Wi-Fi Protected Setup Library
ATI Catalyst Install Manager
Bluetooth Stack for Windows by Toshiba
Bonjour
Canon Inkjet Printer Driver Add-On Module
Canon Utilities Easy-PhotoPrint EX
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CD/DVD Drive Acoustic Silencer
doubleTwist
DVD MovieFactory for TOSHIBA
ffdshow [rev 2527] [2008-12-19]
GearDrvs
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java™ 6 Update 3
McAfee SecurityCenter
Memeo AutoBackup
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Mozilla Firefox (3.0.13)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Norton 360
Picasa 2
QuickTime
RealPlayer
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Registry Mechanic 8.0
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Encoder (KB954156)
Skins
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Flash Cards Support Utility
TOSHIBA Games
TOSHIBA Hardware Setup
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TurboTax 2008
TurboTax 2008 wcoiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb972691)
Utility Common Driver
Watchtower Library 2008 - English
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Encoder 9 Series
Xvidcoder

==== Event Viewer Messages From Past Week ========

8/25/2009 8:48:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
8/25/2009 10:01:21 PM, Error: EventLog [6008] - The previous system shutdown at 9:59:02 PM on 8/25/2009 was unexpected.
8/22/2009 12:46:08 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}
8/22/2009 12:05:16 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mfehidk spldr Wanarpv6
8/22/2009 1:36:37 AM, Error: Service Control Manager [7023] - The Secure Socket Tunneling Protocol Service service terminated with the following error: The RPC server is unavailable.
8/22/2009 1:36:37 AM, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The RPC server is unavailable.
8/22/2009 1:04:04 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
8/21/2009 9:53:46 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
8/21/2009 9:43:10 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
8/21/2009 9:36:42 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 001F3A677EBA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/21/2009 9:34:50 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
8/21/2009 9:33:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
8/21/2009 9:30:02 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC jswpslwf mfehidk MPFP NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:02 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/21/2009 9:30:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
8/21/2009 9:29:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
8/21/2009 9:29:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
8/21/2009 9:29:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
8/21/2009 9:29:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/21/2009 9:29:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
8/21/2009 9:29:06 PM, Error: EventLog [6008] - The previous system shutdown at 9:26:13 PM on 8/21/2009 was unexpected.
8/21/2009 9:25:43 PM, Error: Service Control Manager [7034] - The Windows MSI service terminated unexpectedly. It has done this 1 time(s).
8/21/2009 11:51:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
8/21/2009 11:46:37 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
8/21/2009 11:17:01 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr Wanarpv6
8/21/2009 11:16:18 PM, Error: EventLog [6008] - The previous system shutdown at 11:12:28 PM on 8/21/2009 was unexpected.
8/21/2009 11:11:52 PM, Error: EventLog [6008] - The previous system shutdown at 11:09:34 PM on 8/21/2009 was unexpected.

==== End Of File ===========================

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by April at 17:10:02.98 on Fri 08/28/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.887 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Users\April\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [doubleTwist] c:\program files\doubletwist 2.0\DoubleTwist.DeviceHelper.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mRun: [DLBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBTtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: NameServer = 85.255.112.80,85.255.112.168
TCP: {EF26E42F-8BAE-4B08-B45E-D88349FF4A4B} = 85.255.112.80,85.255.112.168
TCP: {F8C30FCA-854C-4FF6-B97A-11E0723C6B4D} = 85.255.112.80,85.255.112.168

================= FIREFOX ===================

FF - ProfilePath - c:\users\april\appdata\roaming\mozilla\firefox\profiles\h9bwafbj.default\
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\users\april\appdata\roaming\mozilla\firefox\profiles\h9bwafbj.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-3-10 20352]
S2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [2009-7-6 6656]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
S2 Windows MSI;Windows MSI;\\?\globalroot\systemroot\system32\msihost.exe --> \\?\globalroot\systemroot\system32\msihost.exe [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-4-9 33176]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-3-10 937984]

=============== Created Last 30 ================

2009-08-25 21:40 <DIR> a-d----- c:\programdata\TEMP
2009-08-25 21:40 506,368 a------- c:\windows\system32\msxml.dll
2009-08-14 18:54 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-14 18:54 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-14 18:54 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-08-14 18:54 213,504 a------- c:\windows\system32\msv1_0.dll
2009-08-14 18:54 270,848 a------- c:\windows\system32\schannel.dll
2009-08-14 18:54 439,896 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-14 18:54 72,704 a------- c:\windows\system32\secur32.dll
2009-08-14 18:54 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 21:32 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 21:32 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 21:32 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 21:32 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 21:31 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 21:31 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 21:31 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 21:31 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 21:31 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 21:31 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 21:31 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-08 17:24 <DIR> --d----- c:\programdata\doubleTwist Corporation
2009-08-08 17:24 <DIR> --d----- c:\progra~2\doubleTwist Corporation
2009-08-08 17:24 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-08-08 17:24 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-08-08 17:24 <DIR> --d----- c:\program files\ffdshow
2009-08-08 17:24 563,712 a------- c:\windows\system32\Redemption.dll
2009-08-08 17:23 <DIR> --d----- c:\program files\doubleTwist 2.0
2009-08-07 21:32 97,800 a------- c:\windows\system32\infocardapi.dll
2009-08-07 21:32 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-07 21:31 622,080 a------- c:\windows\system32\icardagt.exe
2009-08-07 21:31 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-08-07 21:31 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-08-07 21:31 11,264 a------- c:\windows\system32\icardres.dll
2009-08-07 21:31 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-08-07 21:31 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-08-07 21:17 96,760 a------- c:\windows\system32\dfshim.dll
2009-08-07 21:17 282,112 a------- c:\windows\system32\mscoree.dll
2009-08-07 21:17 41,984 a------- c:\windows\system32\netfxperf.dll
2009-08-07 21:16 158,720 a------- c:\windows\system32\mscorier.dll
2009-08-07 21:15 83,968 a------- c:\windows\system32\mscories.dll
2009-08-06 19:29 <DIR> --d----- c:\program files\Amazon

==================== Find3M ====================

2009-08-25 21:58 318,976 a------- c:\windows\system32\CF14489.exe
2009-08-23 03:09 229,376 a------- c:\windows\PEV.exe
2009-08-22 00:40 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-22 00:40 86,016 a------- c:\windows\inf\infstor.dat
2009-08-22 00:40 51,200 a------- c:\windows\inf\infpub.dat
2009-07-18 10:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 10:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 03:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-09 12:16 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-07-06 16:37 6,656 a------- c:\windows\system32\drivers\iPodDrv.sys
2009-06-15 09:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 09:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 09:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 06:52 289,792 a------- c:\windows\system32\atmfd.dll
2008-06-19 03:10 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-09-20 07:57 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-09-20 07:57 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-09-20 07:57 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 17:10:22.42 ===============

Edited by SifuMike, 01 September 2009 - 03:31 PM.
insert log for ease of reading
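Since the DDS output above is the evidence the helpers work from, here is an added triage script (my own example, not part of the thread and not DDS code) that parses a few lines copied from that log: it compares the TCP NameServer entries against the DHCP server recorded in the Event Viewer section and flags service entries whose image file DDS could not read ("[?]") or whose path uses the \\?\globalroot device namespace instead of a drive letter. The sample text, the function names and the two heuristics are my assumptions; the script reports anomalies for a human to verify, it does not decide what they are.

```python
import ipaddress
import re

# Constructed sample: a handful of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
8/21/2009 9:36:42 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 001F3A677EBA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
============== Pseudo HJT Report ===============
TCP: NameServer = 85.255.112.80,85.255.112.168
TCP: {EF26E42F-8BAE-4B08-B45E-D88349FF4A4B} = 85.255.112.80,85.255.112.168
============= SERVICES / DRIVERS ===============
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-3-10 20352]
S2 Windows MSI;Windows MSI;\\?\globalroot\systemroot\system32\msihost.exe --> \\?\globalroot\systemroot\system32\msihost.exe [?]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-3-10 937984]
"""

DHCP_SERVER_RE = re.compile(r"by the DHCP server (\d+\.\d+\.\d+\.\d+)")
# Matches both the global "TCP: NameServer = ..." line and per-interface "TCP: {GUID} = ..." lines.
NAMESERVER_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (.+)$")
SERVICES_HEADER = "============= SERVICES / DRIVERS"


def parse_dhcp_server(text):
    """Return the DHCP server address mentioned in the Event Viewer section, or None."""
    m = DHCP_SERVER_RE.search(text)
    return m.group(1) if m else None


def parse_nameservers(text):
    """Return the distinct DNS server strings configured in the TCP: lines, in order."""
    servers = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        for s in m.group(1).split(","):
            s = s.strip()
            if s and s not in servers:
                servers.append(s)
    return servers


def flag_nameservers(text):
    """Flag DNS servers that are neither on the private LAN nor the LAN's own DHCP server."""
    dhcp = parse_dhcp_server(text)
    findings = []
    for s in parse_nameservers(text):
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings.append((s, "not an IP address"))
            continue
        if ip.is_private or ip.is_loopback or s == dhcp:
            continue
        findings.append((s, "public DNS server on a LAN whose DHCP server is %s" % dhcp))
    return findings


def parse_services(text):
    """Parse 'Rn/Sn name;display;path [stamp]' lines from the SERVICES / DRIVERS section."""
    services, in_section = [], False
    for line in text.splitlines():
        if line.startswith(SERVICES_HEADER):
            in_section = True
            continue
        if in_section and line.startswith("==="):
            break  # next section reached
        if not in_section or not line.strip():
            continue
        start, _, rest = line.partition(" ")
        parts = rest.split(";", 2)
        if len(parts) != 3:
            continue
        name, display, tail = parts
        path, _, stamp = tail.rpartition(" [")
        if " --> " in path:  # DDS shows "registered path --> resolved path"
            path = path.split(" --> ")[0]
        services.append({"start": start, "name": name, "display": display,
                         "path": path, "stamp": stamp.rstrip("]")})
    return services


def flag_services(text):
    """Return (name, path, reasons) for service entries worth a closer look."""
    findings = []
    for svc in parse_services(text):
        reasons = []
        if svc["stamp"] == "?":
            reasons.append("DDS could not read the image file (no date/size)")
        if svc["path"].lower().startswith(r"\\?\globalroot"):
            reasons.append("image path uses the \\\\?\\globalroot device namespace, not a drive letter")
        if reasons:
            findings.append((svc["name"], svc["path"], reasons))
    return findings


if __name__ == "__main__":
    for server, why in flag_nameservers(SAMPLE_DDS):
        print("DNS  %-16s %s" % (server, why))
    for name, path, reasons in flag_services(SAMPLE_DDS):
        print("SVC  %s (%s): %s" % (name, path, "; ".join(reasons)))
```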


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 September 2009 - 03:25 PM

Hello Aroses,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan"

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.


Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 01 September 2009 - 03:33 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Aroses

Aroses
  • Topic Starter

  • Members
  • 17 posts

Posted 02 September 2009 - 10:27 PM

Thanks for your help.

Attached is checkup.txt


Results of screen317's Security Check version 0.98.9
Windows Vista Service Pack 1
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Norton 360


WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 3
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent



``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````



Edited by SifuMike, 02 September 2009 - 10:37 PM.
extracted log for ease of reading


#4 SifuMike


Posted 02 September 2009 - 10:36 PM

Hi Aroses,

Please do not attach any of your logs. They are too hard to read that way.

#5 Aroses


Posted 02 September 2009 - 10:42 PM

Hi SifuMike,

Sorry I thought that was the way to respond. I am trying to scan with Malwarebytes, but after it downloaded, I cannot open the program.

#6 SifuMike


Posted 02 September 2009 - 10:46 PM

Hi Aroses,


No, attaching is not normally used. The attached files are too hard to read. :(

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe3, double click newtool3.exe to proceed in running a Full scan.

* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Edited by SifuMike, 02 September 2009 - 10:47 PM.


#7 Aroses


Posted 02 September 2009 - 10:54 PM

I did the scan, it did not ask me to remove anything. Here are the results:

5/31/2008 8:42:37 PM Scan Started: 05/31/2008 08:42:37 PM
5/31/2008 9:44:03 PM Total objects scanned: 257
5/31/2008 9:44:03 PM Objects detected: 0
5/31/2008 9:44:03 PM Scan Done: 05/31/2008 09:44:03 PM
2/11/2009 6:08:28 PM Scan Started: 02/11/2009 06:08:28 PM
2/11/2009 7:52:00 PM Total objects scanned: 238027
2/11/2009 7:52:00 PM Objects detected: 0
2/11/2009 7:52:00 PM Scan Done: 02/11/2009 07:52:00 PM
8/21/2009 9:54:26 PM Scan Started: 08/21/2009 09:54:26 PM
8/21/2009 9:54:28 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/21/2009 10:06:38 PM Scan Started: 08/21/2009 10:06:38 PM
8/21/2009 10:06:39 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/21/2009 10:06:54 PM Total objects scanned: 10329
8/21/2009 10:06:54 PM Objects detected: 1
8/21/2009 10:06:54 PM Scan Done: 08/21/2009 10:06:54 PM
8/21/2009 10:19:43 PM Scan Started: 08/21/2009 10:19:43 PM
8/21/2009 10:19:46 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/21/2009 11:19:34 PM Scan Started: 08/21/2009 11:19:34 PM
8/21/2009 11:19:35 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/21/2009 11:19:55 PM Total objects scanned: 41
8/21/2009 11:19:55 PM Objects detected: 1
8/21/2009 11:19:55 PM Scan Done: 08/21/2009 11:19:55 PM
8/21/2009 11:20:05 PM Scan Started: 08/21/2009 11:20:05 PM
8/21/2009 11:20:06 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/21/2009 11:39:57 PM Scan Started: 08/21/2009 11:39:57 PM
8/21/2009 11:39:58 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/22/2009 12:02:00 AM Total objects scanned: 18769
8/22/2009 12:02:00 AM Objects detected: 1
8/22/2009 12:02:00 AM Scan Done: 08/22/2009 00:02:00 AM
8/22/2009 1:16:40 AM Scan Started: 08/22/2009 01:16:40 AM
8/22/2009 1:16:41 AM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/22/2009 1:24:34 AM Total objects scanned: 127218
8/22/2009 1:24:34 AM Objects detected: 1
8/22/2009 1:24:34 AM Scan Done: 08/22/2009 01:24:34 AM
8/25/2009 9:17:52 PM Scan Started: 08/25/2009 09:17:52 PM
8/25/2009 9:17:54 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/25/2009 9:25:56 PM Total objects scanned: 127170
8/25/2009 9:25:56 PM Objects detected: 1
8/25/2009 9:25:56 PM Scan Done: 08/25/2009 09:25:56 PM
8/25/2009 10:17:05 PM Scan Started: 08/25/2009 10:17:05 PM
8/25/2009 10:17:06 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/25/2009 11:49:35 PM Total objects scanned: 295697
8/25/2009 11:49:35 PM Objects detected: 1
8/25/2009 11:49:35 PM Scan Done: 08/25/2009 11:49:35 PM
9/2/2009 9:43:11 PM Scan Started: 09/02/2009 09:43:11 PM
9/2/2009 9:43:13 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
9/2/2009 9:51:09 PM Total objects scanned: 127258
9/2/2009 9:51:09 PM Objects detected: 1
9/2/2009 9:51:09 PM Scan Done: 09/02/2009 09:51:09 PM
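To triage a pasted scanner log like the one above, here is an added Python example (not code from the thread or from any vendor tool) that splits it into scan sessions, keeps aborted sessions separate, and flags detections that recur across completed scans; the line format is assumed from the pasted log itself.

```python
import re
from collections import Counter

# Constructed sample modelled on the scanner log in post #7 (line format assumed from that post).
SAMPLE_LOG = """\
2/11/2009 6:08:28 PM Scan Started: 02/11/2009 06:08:28 PM
2/11/2009 7:52:00 PM Objects detected: 0
2/11/2009 7:52:00 PM Scan Done: 02/11/2009 07:52:00 PM
8/21/2009 9:54:26 PM Scan Started: 08/21/2009 09:54:26 PM
8/21/2009 9:54:28 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/21/2009 10:06:38 PM Scan Started: 08/21/2009 10:06:38 PM
8/21/2009 10:06:39 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/21/2009 10:06:54 PM Objects detected: 1
8/21/2009 10:06:54 PM Scan Done: 08/21/2009 10:06:54 PM
9/2/2009 9:43:11 PM Scan Started: 09/02/2009 09:43:11 PM
9/2/2009 9:43:13 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
9/2/2009 9:51:09 PM Objects detected: 1
9/2/2009 9:51:09 PM Scan Done: 09/02/2009 09:51:09 PM
"""

LINE_RE = re.compile(r'^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.*)$')
DETECT_RE = re.compile(r'^"([^"]+)" "([^"]+)" "\d+"$')  # "name" "threat" "severity"

def parse_sessions(text):
    """Group timestamped lines into scan sessions; a session with no 'Scan Done' stays complete=False."""
    sessions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line
        stamp, body = m.group(1), m.group(2)
        if body.startswith('Scan Started:'):
            # The 8/21 9:54 PM session above never reaches 'Scan Done': it is
            # kept as aborted rather than merged into the scan that follows it.
            sessions.append({'started': stamp, 'detections': [], 'detected': None, 'complete': False})
        elif not sessions:
            continue  # detection line before any session header
        elif (d := DETECT_RE.match(body)):
            sessions[-1]['detections'].append((d.group(1), d.group(2)))
        elif body.startswith('Objects detected:'):
            sessions[-1]['detected'] = int(body.rsplit(':', 1)[1])
        elif body.startswith('Scan Done:'):
            sessions[-1]['complete'] = True
    return sessions

def persistent_detections(sessions, min_scans=2):
    """Detections seen in at least min_scans completed scans: found every time, never cleared."""
    hits = Counter(key for s in sessions if s['complete'] for key in set(s['detections']))
    return {key: n for key, n in hits.items() if n >= min_scans}
```

A detection that survives every completed scan is the signal that the scanner can see the object but cannot clear it, which is exactly the point at which the thread moves from re-running the same scanner to rootkit-specific tooling.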

#8 SifuMike


Posted 02 September 2009 - 11:11 PM

That is not a Malwarebytes log. :( I need to see the Malwarebytes log.

Where did you get that log you posted? Not from Malwarebytes.



The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

It should look something like this:

Malwarebytes' Anti-Malware 1.29
Database version: 1295
Windows 5.1.2600 Service Pack 3

10/19/2008 10:25:58 PM
mbam-log-2008-10-19 (22-25-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 133665
Time elapsed: 41 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\iehlprobj.iehlprobj.1 (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE


Please post it.

Edited by SifuMike, 02 September 2009 - 11:18 PM.


#9 Aroses


Posted 02 September 2009 - 11:20 PM

I cannot get the malware to run. I thought that was it. I changed the name to newtool.exe3, it still will not run.

#10 SifuMike


Posted 02 September 2009 - 11:23 PM

I thought that was it. I changed the name to newtool.exe3, it still will not run.


If it won't run, how can it make a log? :(


Where did you get that log from that you posted? Not from Malwarebytes.

Edited by SifuMike, 02 September 2009 - 11:24 PM.


#11 Aroses


Posted 02 September 2009 - 11:26 PM

I can right-click on a program and it says scan with Malwarebytes. I thought it was scanning; there was a scan in my tray. It must have been from McAfee.

#12 SifuMike


Posted 02 September 2009 - 11:32 PM

Yes, it must have been from McAfee, as it definitely is not from Malwarebytes. :(

Try this random renamer for MBAM http://kixhelp.com/wr/files/mb/randmbam.exe

Then see if Malwarebytes will run. Post the Malwarebytes log (NOT a McAfee log).

#13 Aroses


Posted 02 September 2009 - 11:49 PM

This is the error I keep getting

Malwarebytes Anti-Malware has stopped working.

A problem caused the program to stop working correctly.
Windows will close the program and notify you if a solution is available.

#14 SifuMike


Posted 02 September 2009 - 11:53 PM

Hi,

Ok, we shall move on. :(

Are you running two antivirus programs? McAfee SecurityCenter and Norton 360?

Edited by SifuMike, 02 September 2009 - 11:54 PM.


#15 Aroses


Posted 02 September 2009 - 11:56 PM

I did get the Malware to run. It is scanning now.
