
Redirect popup windows


  • This topic is locked
7 replies to this topic

#1 thebook99

thebook99

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:39 PM

Posted 28 March 2010 - 11:19 AM

I have been getting redirected when clicking website links from the Yahoo search engine, and also getting random popup windows that look like some sort of search engine.

I really appreciate all of the help you've been giving me with this issue.

Steps 6-9 all performed well, with no issues...

DDS.txt...

DDS (Ver_10-03-17.01) - NTFSx86
Run by admin at 10:32:35.50 on Sun 03/28/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.905 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Microsoft SQL Server\MSSQL$SJMSYSTEMS\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\DllHost.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Toshiba\IVP\ISM\ivpsvmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\admin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.5.0.127\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] \HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {13149882-F480-4F6B-8C6A-0764F75B99ED} - hxxp://plug-in.reallusion.com/CrazyTalk4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.tscmaps.com/shared/viewer/mgaxctrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1105000.07f\symds.sys [2010-3-14 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1105000.07f\symefa.sys [2010-3-14 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-2-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1105000.07f\cchpx86.sys [2010-3-14 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\ipsdefs\20100326.001\IDSvix86.sys [2010-3-26 343088]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-4-9 20352]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1105000.07f\ironx86.sys [2010-3-14 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1105000.07f\symtdiv.sys [2010-3-14 340016]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 MSSQL$SJMSYSTEMS;MSSQL$SJMSYSTEMS;c:\program files\microsoft sql server\mssql$sjmsystems\binn\sqlservr.exe -ssjmsystems --> c:\program files\microsoft sql server\mssql$sjmsystems\binn\sqlservr.exe -sSJMSYSTEMS [?]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.5.0.127\ccsvchst.exe [2010-3-14 126392]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-1-21 583640]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-13 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-4-9 937984]
S3 SQLAgent$SJMSYSTEMS;SQLAgent$SJMSYSTEMS;c:\program files\microsoft sql server\mssql$sjmsystems\binn\sqlagent.exe -i sjmsystems --> c:\program files\microsoft sql server\mssql$sjmsystems\binn\sqlagent.EXE -i SJMSYSTEMS [?]

=============== Created Last 30 ================

2010-03-28 15:27:41 0 ----a-w- c:\users\admin\defogger_reenable
2010-03-26 04:10:44 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-19 22:05:41 0 d-----w- c:\program files\Autodesk
2010-03-17 22:38:50 0 d-----w- C:\BSIEform
2010-03-16 03:45:38 0 d-----w- c:\program files\Windows Installer Clean Up
2010-03-16 03:45:08 0 d-----w- c:\program files\MSECACHE
2010-03-14 16:19:45 262354901 ----a-w- c:\windows\MEMORY.DMP
2010-03-14 16:15:32 65536 --sha-w- c:\users\admin\NTUSER.DAT{54b11005-2f7c-11df-99d4-001eec3583c3}.TM.blf
2010-03-14 16:15:32 524288 --sha-w- c:\users\admin\NTUSER.DAT{54b11005-2f7c-11df-99d4-001eec3583c3}.TMContainer00000000000000000002.regtrans-ms
2010-03-14 16:15:32 524288 --sha-w- c:\users\admin\NTUSER.DAT{54b11005-2f7c-11df-99d4-001eec3583c3}.TMContainer00000000000000000001.regtrans-ms
2010-03-14 06:50:27 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-14 06:50:26 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-14 06:50:25 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-13 23:58:11 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-13 23:58:11 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-13 23:58:11 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-13 23:57:37 0 d-----w- c:\windows\system32\drivers\NAV
2010-03-13 23:57:35 0 d-----w- c:\program files\Norton AntiVirus
2010-03-13 23:57:34 0 d-----w- c:\programdata\Norton
2010-03-13 23:57:18 0 d-----w- c:\programdata\NortonInstaller
2010-03-13 23:57:18 0 d-----w- c:\program files\NortonInstaller
2010-03-12 14:30:14 0 d-----w- c:\program files\AVG
2010-03-12 04:02:39 65536 --sha-w- c:\users\admin\NTUSER.DAT{b06b42cd-2a30-11df-a6f1-001eec3583c3}.TM.blf
2010-03-12 04:02:39 524288 --sha-w- c:\users\admin\NTUSER.DAT{b06b42cd-2a30-11df-a6f1-001eec3583c3}.TMContainer00000000000000000002.regtrans-ms
2010-03-12 04:02:39 524288 --sha-w- c:\users\admin\NTUSER.DAT{b06b42cd-2a30-11df-a6f1-001eec3583c3}.TMContainer00000000000000000001.regtrans-ms
2010-03-12 03:49:14 0 d-----w- c:\users\admin\appdata\roaming\Facebook
2010-03-03 19:35:28 0 d-----w- c:\program files\iPod
2010-03-03 19:35:16 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-03-18 01:21:10 46279 ----a-w- c:\program files\INSTALL.LOG
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-26 14:06:22 385133 ----a-w- c:\windows\system32\GPMicrGP.dll
2010-01-26 14:05:36 1359980 ----a-w- c:\windows\system32\GPDepGP.dll
2010-01-26 14:03:42 229485 ----a-w- c:\windows\system32\GPOFACGP.dll
2010-01-26 14:03:36 319598 ----a-w- c:\windows\system32\GPEFundGP.dll
2010-01-26 14:03:32 3125362 ----a-w- c:\windows\system32\GPInterfaceGP.dll
2010-01-26 14:03:00 802924 ----a-w- c:\windows\system32\GPLibGP.dll
2010-01-26 14:02:52 974958 ----a-w- c:\windows\system32\FillersGP.dll
2010-01-26 14:02:42 36978 ----a-w- c:\windows\system32\GPSignatureGP.dll
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-06 15:39:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38:47 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 13:30:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-14 21:47:47 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-14 21:47:46 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-14 21:47:27 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-20 15:31:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-07-17 02:13:02 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-11-01 16:44:28 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-02-04 21:31:27 96 --sha-w- c:\windows\system32\MS3F0A.drv
2008-08-08 22:55:47 13 --sh--r- c:\windows\system32\drivers\fbd.sys

============= FINISH: 10:34:28.02 ===============


#2 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:01:39 AM

Posted 28 March 2010 - 12:18 PM

Hi,

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 thebook99

thebook99
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:39 PM

Posted 28 March 2010 - 04:56 PM

Thanks for helping... here's the combofix.txt log

ComboFix 10-03-28.01 - admin 03/28/2010 16:28:39.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1225 [GMT -5:00]
Running from: c:\users\admin\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\program files\RegGenie
c:\program files\RegGenie\Backups\40006.4237848611
c:\program files\RegGenie\RegGenie.ini
c:\users\admin\AppData\Local\{3A848215-C778-43F4-8640-8BA01473557F}
c:\users\admin\AppData\Local\{3A848215-C778-43F4-8640-8BA01473557F}\chrome.manifest
c:\users\admin\AppData\Local\{3A848215-C778-43F4-8640-8BA01473557F}\chrome\content\_cfg.js
c:\users\admin\AppData\Local\{3A848215-C778-43F4-8640-8BA01473557F}\chrome\content\overlay.xul
c:\users\admin\AppData\Local\{3A848215-C778-43F4-8640-8BA01473557F}\install.rdf
c:\windows\system32\Ijl11.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 21:40 . 2010-03-28 21:44 -------- d-----w- c:\users\admin\AppData\Local\temp
2010-03-28 21:40 . 2010-03-28 21:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-26 21:31 . 2010-03-28 01:23 -------- d-----w- c:\users\admin\AppData\Local\Adobe
2010-03-26 04:10 . 2010-03-26 04:10 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-22 19:52 . 2010-03-26 00:36 120 ----a-w- c:\users\admin\AppData\Local\Aqovaripec.dat
2010-03-22 19:52 . 2010-03-25 15:27 0 ----a-w- c:\users\admin\AppData\Local\Fbilesicog.bin
2010-03-19 22:05 . 2010-03-19 22:05 -------- d-----w- c:\program files\Autodesk
2010-03-17 22:38 . 2010-03-18 01:28 -------- d-----w- C:\BSIEform
2010-03-16 03:45 . 2010-03-16 03:45 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-03-16 03:45 . 2010-03-16 03:45 -------- d-----w- c:\program files\MSECACHE
2010-03-14 22:24 . 2010-03-23 22:23 -------- d-----w- c:\users\admin\AppData\Local\CrashDumps
2010-03-14 06:50 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-14 06:50 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-14 06:50 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-13 23:58 . 2010-03-13 23:58 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-13 23:57 . 2010-03-14 15:17 -------- d-----w- c:\windows\system32\drivers\NAV
2010-03-13 23:57 . 2010-03-13 23:57 -------- d-----w- c:\program files\Norton AntiVirus
2010-03-13 23:57 . 2010-03-13 23:59 -------- d-----w- c:\programdata\Norton
2010-03-13 23:57 . 2010-03-13 23:57 -------- d-----w- c:\programdata\NortonInstaller
2010-03-13 23:57 . 2010-03-13 23:57 -------- d-----w- c:\program files\NortonInstaller
2010-03-12 14:30 . 2010-03-12 14:30 -------- d-----w- c:\program files\AVG
2010-03-12 03:49 . 2010-03-12 03:49 -------- d-----w- c:\users\admin\AppData\Roaming\Facebook
2010-03-03 19:35 . 2010-03-03 19:35 -------- d-----w- c:\program files\iPod
2010-03-03 19:35 . 2010-03-03 19:36 -------- d-----w- c:\program files\iTunes
2010-03-03 19:32 . 2010-03-03 19:32 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 21:42 . 2009-12-17 16:25 -------- d-----w- c:\program files\Common Files\Akamai
2010-03-28 00:04 . 2010-01-02 00:02 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-03-28 00:03 . 2008-02-19 03:14 -------- d-----w- c:\programdata\Symantec
2010-03-28 00:03 . 2008-02-19 03:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-27 20:19 . 2008-08-08 22:56 105632 ----a-w- c:\users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-27 20:19 . 2009-07-12 17:31 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-27 05:39 . 2009-09-12 18:08 143976 ----a-w- c:\users\admin\AppData\Roaming\Move Networks\uninstall.exe
2010-03-27 05:39 . 2009-10-15 00:50 5642688 ----a-w- c:\users\admin\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2010-03-27 05:39 . 2009-07-22 00:34 -------- d-----w- c:\users\admin\AppData\Roaming\Move Networks
2010-03-27 05:27 . 2009-09-29 01:17 -------- d-----w- c:\program files\ABC Amber BlackBerry Converter
2010-03-27 05:27 . 2009-09-29 01:34 -------- d-----w- c:\program files\ABC Amber IPD Merger
2010-03-27 05:25 . 2009-07-28 23:41 -------- d-----w- c:\program files\Virtual Earth 3D
2010-03-26 03:54 . 2009-11-24 05:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-26 03:53 . 2010-03-26 03:53 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-26 01:08 . 2008-11-21 02:51 -------- d-----w- c:\users\admin\AppData\Roaming\Azureus
2010-03-16 03:45 . 2010-03-16 03:45 3584 ----a-r- c:\users\admin\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-03-15 15:36 . 2010-01-21 23:59 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-15 04:30 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-14 17:53 . 2010-01-06 01:09 -------- d-----w- c:\programdata\HP Product Assistant
2010-03-14 17:53 . 2009-07-12 17:45 -------- d-----w- c:\programdata\FLEXnet
2010-03-14 17:53 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-03-14 17:53 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-03-14 17:53 . 2005-01-02 06:53 -------- d-----w- c:\programdata\Microsoft Help
2010-03-14 17:53 . 2008-02-19 03:31 -------- d-----w- c:\program files\Picasa2
2010-03-14 17:53 . 2005-01-02 06:47 -------- d-----w- c:\program files\Microsoft Works
2010-03-14 17:52 . 2008-09-11 00:54 -------- d-----w- c:\program files\Common Files\Apple
2010-03-14 17:52 . 2009-08-03 22:03 -------- d-----w- c:\program files\Bonjour
2010-03-14 17:52 . 2008-04-09 21:07 -------- d-----w- c:\program files\Apoint2K
2010-03-14 17:52 . 2009-07-26 00:03 -------- d-----w- c:\program files\7-Zip
2010-03-14 00:17 . 2010-03-28 19:05 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100328.003\NAVENG.SYS
2010-03-14 00:17 . 2010-03-28 19:05 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100328.003\EECTRL.SYS
2010-03-14 00:17 . 2010-03-28 19:05 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100328.003\CCERASER.DLL
2010-03-14 00:17 . 2010-03-28 19:05 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100328.003\ECMSVR32.DLL
2010-03-14 00:17 . 2010-03-28 19:05 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100328.003\NAVENG32.DLL
2010-03-14 00:17 . 2010-03-28 19:05 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100328.003\NAVEX32A.DLL
2010-03-14 00:17 . 2010-03-28 19:05 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100328.003\NAVEX15.SYS
2010-03-14 00:17 . 2010-03-28 19:05 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\VirusDefs\20100328.003\ERASER.SYS
2010-03-13 23:58 . 2008-02-19 03:14 -------- d-----w- c:\program files\Symantec
2010-03-13 23:58 . 2010-03-13 23:58 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-13 23:58 . 2010-03-13 23:58 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-13 07:51 . 2009-07-03 03:49 1670392 ----a-w- c:\programdata\WildTangent\TOSHIBA Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2010-03-12 04:11 . 2010-03-12 03:49 50354 ----a-w- c:\users\admin\AppData\Roaming\Facebook\uninstall.exe
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\users\admin\AppData\Roaming\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\users\admin\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-03-03 19:35 . 2008-09-11 00:54 -------- d-----w- c:\programdata\Apple Computer
2010-03-03 19:28 . 2010-03-03 19:28 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-02 22:07 . 2009-09-04 02:46 -------- d-----w- c:\program files\ShowMeTheOdds
2010-02-26 00:28 . 2010-01-03 18:28 -------- d-----w- c:\program files\Photodex Presenter
2010-02-24 15:16 . 2009-10-05 00:26 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-14 23:17 . 2009-07-12 23:09 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-14 23:16 . 2010-02-14 23:17 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-14 23:16 . 2009-07-12 23:09 38784 ----a-w- c:\users\admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-11 18:44 . 2010-02-11 18:44 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100211.001\BHRules.dll
2010-02-11 18:44 . 2010-02-11 18:44 1406352 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100211.001\BHEngine.dll
2010-02-11 18:44 . 2010-02-11 18:44 676912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100211.001\BHDrvx64.sys
2010-02-11 18:44 . 2010-02-11 18:44 536112 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100211.001\BHDrvx86.sys
2010-02-11 18:44 . 2010-02-11 18:44 611216 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100211.001\bbRGen.dll
2010-02-08 22:10 . 2008-11-21 02:51 -------- d-----w- c:\program files\Vuze
2010-01-26 14:06 . 2010-01-15 02:41 385133 ----a-w- c:\windows\system32\GPMicrGP.dll
2010-01-26 14:05 . 2010-01-15 02:41 1359980 ----a-w- c:\windows\system32\GPDepGP.dll
2010-01-26 14:03 . 2010-01-15 02:41 229485 ----a-w- c:\windows\system32\GPOFACGP.dll
2010-01-26 14:03 . 2010-01-15 02:41 319598 ----a-w- c:\windows\system32\GPEFundGP.dll
2010-01-26 14:03 . 2010-01-15 02:41 3125362 ----a-w- c:\windows\system32\GPInterfaceGP.dll
2010-01-26 14:03 . 2010-01-15 02:41 802924 ----a-w- c:\windows\system32\GPLibGP.dll
2010-01-26 14:02 . 2010-01-15 02:41 974958 ----a-w- c:\windows\system32\FillersGP.dll
2010-01-26 14:02 . 2010-01-15 02:41 36978 ----a-w- c:\windows\system32\GPSignatureGP.dll
2010-01-25 12:00 . 2010-02-23 22:03 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-23 22:03 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-23 22:03 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-23 22:03 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-23 22:03 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-23 22:03 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-23 22:03 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-23 22:03 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-23 22:03 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-23 22:03 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-07 21:07 . 2009-11-24 05:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-11-24 05:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 15:39 . 2010-02-23 22:03 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38 . 2010-02-23 22:03 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 13:30 . 2010-02-23 22:03 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38 . 2010-01-21 20:27 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 20:27 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-21 20:27 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-21 20:27 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-02-04 21:31 . 2009-02-04 21:31 96 --sha-w- c:\windows\System32\MS3F0A.drv
2008-08-08 22:55 . 2008-08-08 22:55 13 --sh--r- c:\windows\System32\drivers\fbd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HWSetup"="\HWSetup.exe hwSetUP" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-30 4911104]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-02 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2009-10-14 104408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2009-1-18 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):c1,ec,c7,55,ef,68,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1566604109-2829095147-3050010729-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000002

R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
R3 SQLAgent$SJMSYSTEMS;SQLAgent$SJMSYSTEMS;c:\program files\Microsoft SQL Server\MSSQL$SJMSYSTEMS\Binn\sqlagent.EXE [2002-12-17 311872]
R3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1105000.07F\SYMDS.SYS [2009-11-05 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1105000.07F\SYMEFA.SYS [2009-11-26 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2010-02-11 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1105000.07F\ccHPx86.sys [2009-12-09 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.1.0.19\Definitions\IPSDefs\20100326.001\IDSvix86.sys [2009-10-28 343088]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-09-01 20352]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1105000.07F\Ironx86.SYS [2009-11-26 116272]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NAV\1105000.07F\SYMTDIV.SYS [2009-11-22 340016]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 MSSQL$SJMSYSTEMS;MSSQL$SJMSYSTEMS;c:\program files\Microsoft SQL Server\MSSQL$SJMSYSTEMS\Binn\sqlservr.exe [2002-12-17 7520337]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe [2009-12-09 126392]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2009-10-14 583640]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-03-14 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {13149882-F480-4F6B-8C6A-0764F75B99ED} - hxxp://plug-in.reallusion.com/CrazyTalk4.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????d??l/?????;? ;?X ;?? ;??

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\DllHost.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RtHDVCpl.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-03-28 16:52:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 21:52

Pre-Run: 58,548,441,088 bytes free
Post-Run: 83,147,644,928 bytes free

- - End Of File - - 43D1FBFC50392E87B932682F7EC8C8C9

#4 jpshortstuff (WhatTheTech Teacher; Members, 660 posts; Gender: Male; Location: UK)

Posted 29 March 2010 - 05:35 AM

Hi,

Looking better, just a few things that need attention there.

Open your Control Panel, click Uninstall Program under Programs and Features, and remove this old version of Java:
Java™ 6 Update 3

Next, click Start >> Run (or Windows key + R), then copy & paste this line into the Run box, and hit enter:
cmd /c "del c:\users\admin\AppData\Local\Aqovaripec.dat"

Do the same for this line:
cmd /c "del c:\users\admin\AppData\Local\Fbilesicog.bin"


Now I'd like a second opinion, to make sure there isn't anything left.

You can use either Internet Explorer or Mozilla FireFox for this scan.
  • Please go here then click on:
    QUOTE
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Please also post a new DDS log, and let me know how your computer is running now.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#5 thebook99 (Topic Starter; Members, 10 posts)

Posted 29 March 2010 - 04:47 PM

I haven't had any redirects since running ComboFix, so it's been working great...

Check these, and let me know if I need to do anything else... thanks.

here's the ESET log...

C:\Program Files\Adobe\Acrobat 9.0\Adobe Acrobat 9.0 Pro Extended Patch.exe probably a variant of Win32/HackTool.Patcher.A application
C:\Qoobox\Quarantine\C\Windows\System32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan


and here's the DDS.txt...

DDS (Ver_10-03-17.01) - NTFSx86
Run by admin at 16:41:29.71 on Mon 03/29/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.833 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Microsoft SQL Server\MSSQL$SJMSYSTEMS\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Norton AntiVirus\Engine\17.5.0.127\ccSvcHst.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\VYTEX2I6\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.5.0.127\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] \HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {13149882-F480-4F6B-8C6A-0764F75B99ED} - hxxp://plug-in.reallusion.com/CrazyTalk4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.tscmaps.com/shared/viewer/mgaxctrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1105000.07f\symds.sys [2010-3-14 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1105000.07f\symefa.sys [2010-3-14 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-2-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1105000.07f\cchpx86.sys [2010-3-14 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.1.0.19\definitions\ipsdefs\20100326.001\IDSvix86.sys [2010-3-26 343088]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-4-9 20352]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1105000.07f\ironx86.sys [2010-3-14 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1105000.07f\symtdiv.sys [2010-3-14 340016]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 MSSQL$SJMSYSTEMS;MSSQL$SJMSYSTEMS;c:\program files\microsoft sql server\mssql$sjmsystems\binn\sqlservr.exe -ssjmsystems --> c:\program files\microsoft sql server\mssql$sjmsystems\binn\sqlservr.exe -sSJMSYSTEMS [?]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.5.0.127\ccsvchst.exe [2010-3-14 126392]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-1-21 583640]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-13 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-4-9 937984]
S3 SQLAgent$SJMSYSTEMS;SQLAgent$SJMSYSTEMS;c:\program files\microsoft sql server\mssql$sjmsystems\binn\sqlagent.exe -i sjmsystems --> c:\program files\microsoft sql server\mssql$sjmsystems\binn\sqlagent.EXE -i SJMSYSTEMS [?]

=============== Created Last 30 ================

2010-03-29 21:40:50 0 ----a-w- c:\users\admin\defogger_reenable
2010-03-29 15:15:59 0 d-----w- c:\program files\ESET
2010-03-29 03:19:28 86683 ----a-w- c:\windows\system32\pthreadGC2.dll
2010-03-29 03:19:24 0 d-----w- c:\program files\AoA Audio Extractor
2010-03-28 22:19:06 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2010-03-28 22:18:28 0 d-----w- c:\program files\Synaptics
2010-03-28 21:51:25 0 d-sh--w- C:\$RECYCLE.BIN
2010-03-28 21:21:17 98816 ----a-w- c:\windows\sed.exe
2010-03-28 21:21:17 77312 ----a-w- c:\windows\MBR.exe
2010-03-28 21:21:17 261632 ----a-w- c:\windows\PEV.exe
2010-03-28 21:21:17 161792 ----a-w- c:\windows\SWREG.exe
2010-03-26 04:10:44 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-19 22:05:41 0 d-----w- c:\program files\Autodesk
2010-03-17 22:38:50 0 d-----w- C:\BSIEform
2010-03-16 03:45:38 0 d-----w- c:\program files\Windows Installer Clean Up
2010-03-16 03:45:08 0 d-----w- c:\program files\MSECACHE
2010-03-14 16:19:45 262354901 ----a-w- c:\windows\MEMORY.DMP
2010-03-14 16:15:32 65536 --sha-w- c:\users\admin\NTUSER.DAT{54b11005-2f7c-11df-99d4-001eec3583c3}.TM.blf
2010-03-14 16:15:32 524288 --sha-w- c:\users\admin\NTUSER.DAT{54b11005-2f7c-11df-99d4-001eec3583c3}.TMContainer00000000000000000002.regtrans-ms
2010-03-14 16:15:32 524288 --sha-w- c:\users\admin\NTUSER.DAT{54b11005-2f7c-11df-99d4-001eec3583c3}.TMContainer00000000000000000001.regtrans-ms
2010-03-14 06:50:27 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-14 06:50:26 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-14 06:50:25 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-13 23:58:11 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-13 23:58:11 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-13 23:58:11 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-13 23:57:37 0 d-----w- c:\windows\system32\drivers\NAV
2010-03-13 23:57:35 0 d-----w- c:\program files\Norton AntiVirus
2010-03-13 23:57:34 0 d-----w- c:\programdata\Norton
2010-03-13 23:57:18 0 d-----w- c:\programdata\NortonInstaller
2010-03-13 23:57:18 0 d-----w- c:\program files\NortonInstaller
2010-03-12 14:30:14 0 d-----w- c:\program files\AVG
2010-03-12 04:02:39 65536 --sha-w- c:\users\admin\NTUSER.DAT{b06b42cd-2a30-11df-a6f1-001eec3583c3}.TM.blf
2010-03-12 04:02:39 524288 --sha-w- c:\users\admin\NTUSER.DAT{b06b42cd-2a30-11df-a6f1-001eec3583c3}.TMContainer00000000000000000002.regtrans-ms
2010-03-12 04:02:39 524288 --sha-w- c:\users\admin\NTUSER.DAT{b06b42cd-2a30-11df-a6f1-001eec3583c3}.TMContainer00000000000000000001.regtrans-ms
2010-03-12 03:49:14 0 d-----w- c:\users\admin\appdata\roaming\Facebook
2010-03-03 19:35:28 0 d-----w- c:\program files\iPod
2010-03-03 19:35:16 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-03-28 23:11:49 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-28 23:11:49 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-28 22:18:18 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-01-26 14:06:22 385133 ----a-w- c:\windows\system32\GPMicrGP.dll
2010-01-26 14:05:36 1359980 ----a-w- c:\windows\system32\GPDepGP.dll
2010-01-26 14:03:42 229485 ----a-w- c:\windows\system32\GPOFACGP.dll
2010-01-26 14:03:36 319598 ----a-w- c:\windows\system32\GPEFundGP.dll
2010-01-26 14:03:32 3125362 ----a-w- c:\windows\system32\GPInterfaceGP.dll
2010-01-26 14:03:00 802924 ----a-w- c:\windows\system32\GPLibGP.dll
2010-01-26 14:02:52 974958 ----a-w- c:\windows\system32\FillersGP.dll
2010-01-26 14:02:42 36978 ----a-w- c:\windows\system32\GPSignatureGP.dll
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-06 15:39:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38:47 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 13:30:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-20 15:31:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-07-17 02:13:02 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-11-01 16:44:28 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-02-04 21:31:27 96 --sha-w- c:\windows\system32\MS3F0A.drv
2008-08-08 22:55:47 13 --sh--r- c:\windows\system32\drivers\fbd.sys

============= FINISH: 16:42:27.84 ===============



#6 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:01:39 AM

Posted 30 March 2010 - 02:35 AM

Hi,

QUOTE
C:\Program Files\Adobe\Acrobat 9.0\Adobe Acrobat 9.0 Pro Extended Patch.exe probably a variant of Win32/HackTool.Patcher.A application
Cracks/patches and keygens are a great way to get yourself infected. I strongly recommend you remove this and any others that you might have.

Otherwise, logs look good.

Click Start >> Run, and then type ComboFix /Uninstall and hit enter. You can now delete any other tools I had you download and use, unless you wish to keep them.

Now that your computer is clean again, there's a few things that you should consider to keep it that way.
  • Windows Update
    Keeping Windows up-to-date is crucial to your computer's security. Without the latest security fixes and patches, your computer is a sitting target for Malware to find its way in. Microsoft regularly release free updates to fix security flaws and increase the overall security of Windows.
    Windows XP: Use the Windows Update Site (using Internet Explorer) to download and install updates.
    Windows Vista & 7: Open your Control Panel and click Check for updates (under 'Security') or Windows Update ('Classic View').

  • Security Updates
    You should also make sure you regularly update your AntiVirus and Firewall software. New Malware is being developed all the time, so it is vital to stay up-to-date with the latest protection available.

  • Secure Internet Explorer
    Even if you don't use Internet Explorer, it is important to secure it. Many Microsoft and third-party programs use Internet Explorer's functionality for their own Internet-related activities (updating, for example), so it is important to keep it secure.

    1. Click Start >> Run, type inetcpl.cpl and then hit Enter
    2. Click on the Security tab, then click once on the Internet icon to highlight it
    3. Click Custom Level button, then make the following changes:
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    4. When all these changes have been made, click on the OK button.
    5. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    6. Press the Apply button and then the OK to exit the Internet Properties page.

  • Extra Protection (optional but recommended)
    Download and install the free version of WinPatrol. This program protects your computer from malicious changes in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. WinPatrol supports everything from Windows 98 to Windows 7, and the developer is constantly improving the program, so it's an excellent protection program to have on-board.

  • Have a read of this article for more information on how you became infected and how to stay secure:
    How did I get infected?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.
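The "Secure Internet Explorer" steps above change six Internet-zone settings through the inetcpl.cpl dialog. As an added check that is not part of this thread or of any tool the helper used, the following PowerShell script reads those same settings from the current user's registry and reports which ones still differ from the recommended values, optionally applying them. It assumes the documented Internet Explorer zone layout: zone 3 is the Internet zone, each setting is a DWORD named by its hexadecimal action id (1001, 1004, 1201, 1800, 1804, 1607), and the values 0, 1 and 3 mean Enable, Prompt and Disable. The function names are the example's own.

```powershell
# Added example, not from the thread: audit the Internet-zone (zone 3) values that
# the inetcpl.cpl steps change, and report any that still differ from the recommendation.
# Assumption: the documented IE zone registry layout (action id -> DWORD, 0=Enable, 1=Prompt, 3=Disable).

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values taken from the post's list of changes.
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    # Returns the DWORD for one zone action, or $null when the value is absent
    # (an absent value means IE falls back to the zone template default).
    param([string]$ValueName)
    $item = Get-ItemProperty -Path $ZoneKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function ConvertTo-ZoneLabel {
    param($Value)
    if ($null -eq $Value) { return '(not set)' }
    if ($Labels.ContainsKey([int]$Value)) { return $Labels[[int]$Value] }
    return "raw=$Value"
}

function Test-InternetZoneHardening {
    # Compares every recommended setting with the current value; with -Apply it
    # writes the recommended value, which is the same change the dialog steps make.
    param([switch]$Apply)
    foreach ($entry in $Recommended.GetEnumerator()) {
        $current = Get-ZoneSetting -ValueName $entry.Key
        $ok = ($current -eq $entry.Value.Want)
        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $ZoneKey -Name $entry.Key -Value $entry.Value.Want -Type DWord
            $current = $entry.Value.Want
            $ok = $true
        }
        [pscustomobject]@{
            ActionId    = $entry.Key
            Setting     = $entry.Value.Name
            Current     = ConvertTo-ZoneLabel $current
            Recommended = ConvertTo-ZoneLabel $entry.Value.Want
            Compliant   = $ok
        }
    }
}

# Usage: run as the user whose IE settings you are checking; add -Apply to fix them.
$report = Test-InternetZoneHardening
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Some Internet-zone settings differ from the recommendation; re-run with -Apply or follow the inetcpl.cpl steps.'
}
```

The script only touches HKCU, so it needs no elevation, but it also only sees per-user settings: if the machine enforces zones through Group Policy (machine-wide zone settings under HKLM), those policy values win and the per-user report may not reflect what Internet Explorer actually applies.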

#7 thebook99

thebook99
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:39 PM

Posted 30 March 2010 - 04:08 AM

Thanks for all the help and tips.

Everything's running well now.

#8 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:01:39 AM

Posted 30 March 2010 - 04:11 AM

Glad we could help.

This topic is now closed, if you require it re-opened, please send me a PM. Everyone else, please start a new topic.