
Infected with Trojan.Agent.Gen & Google keeps redirecting


This topic is locked
10 replies to this topic

#1 cavaco

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 12 April 2011 - 11:34 PM

Hi,

First of all thank you so much for having such an awesome site where people can get help. I'll try to be as detailed as I can.


I have been dealing with infections since early last year. It all started with a bunch of pop-ups around April (can't quite recall the name of the Trojan).

The first time I got infected I used the System Restore Tool in Safe Mode to roll back to a previous restore point. There were about 4 restore points available and I went back 2. The issue went away and everything seemed fine but the pop-ups came back a few weeks later.

I booted into safe mode in order to run System Restore, but this time I only had 2 restore points available. I rolled back to the earliest one. The issue came back a few weeks later.

This time when I booted into safe mode I found out that I had no restore points to go to. It just said "none available". This was about June of last year.


I then used Malwarebytes to remove everything that it could find. It found a lot of infections and quarantined and removed them all. The pop-ups went away... but came back.

Now I'm on a never ending cycle of removing the infections using Malwarebytes and the issue coming back again after a few weeks.

I tried to change Malwarebytes for a free version of Trend Micro HouseCall, but the issue comes back just the same.



One thing that has always been constant since that moment in June (when I ran out of restore points) is that I have been unable to browse the internet using Google Chrome. Also every time I do a Google search using IE or Firefox, I click on the search result and get redirected to an advertisement page.

I've been managing the situation by... doing a Google search, then clicking on the Google link to the cached outdated version of one of the search results, then refreshing the page. Also by copying and pasting the URL of the result pages.



Lately I decided to compare the many Malwarebytes logs and noticed that though many of the infections have different names, it always seems to find one called "Trojan.Agent".

The latest one was called "Trojan.Agent.Gen". Malwarebytes claims to have killed it. I don't have any pop-ups at the moment but I still get redirected on Google and I know it is just a matter of time....



Detail: When I attempt to perform a Windows update I get an error of "Windows can't check for updates". The most recent check for updates is dated 6/10/2010.

Windows Vista Home Premium
Service Pack 1
32-bit

Any help is greatly appreciated

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Caue at 22:03:56.20 on Tue 04/12/2011
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3034.1470 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\ThpSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
C:\Program Files\SupportSpace\Support Platform\supportspace_tools.exe
C:\Program Files\SupportSpace\Support Platform\SupportCenter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Caue\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.att.net
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mWindow Title = I love Jehnny!!
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [AdobeBridge]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
mRun: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [cfFncEnabler.exe] "c:\program files\toshiba\configfree\cfFncEnabler.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosSENotify.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TPCHWMsg] %ProgramFiles%\TOSHIBA\TPHM\TPCHWMsg.exe
mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
mExplorerRun: [nr5n60] c:\users\caue\appdata\local\temp\5kiqv.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: bleepingcomputer.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 173.192.153.178 www.123.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\caue\appdata\roaming\mozilla\firefox\profiles\q86mcfsy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HBLiteSA.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\caue\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2009-3-25 30272]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 13336]
R1 PMCF;PMCF;c:\windows\system32\drivers\PMCF.sys [2009-6-1 14856]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2009-12-7 45056]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2009-12-7 38400]
R2 SupportSpaceHelperService;SupportSpace platform helper service;c:\program files\supportspace\support platform\supportspace_tools.exe [2009-2-15 465960]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-4-24 176128]
R2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-3-17 73728]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-3-21 12920]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-22 112128]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-12-7 22272]
R3 qcusbserTSH;Toshiba USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserTSH.sys [2009-3-19 104448]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2009-11-3 282112]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2009-11-3 51712]
S3 qcfilterTSH;Toshiba USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterTSH.sys [2009-3-19 5248]
S3 qcusbnetTSH;Toshiba USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetTSH.sys [2009-3-19 115200]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S4 camsvc;TOSHIBA Web Camera Service;c:\program files\toshiba\toshiba web camera application\TWebCameraSrv.exe [2009-12-7 20544]
S4 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
S4 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S4 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\qdlservice\QDLService.exe [2009-3-19 345336]
S4 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-2-19 57344]
S4 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2010-1-19 62776]
S4 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-4-9 656752]
.
=============== Created Last 30 ================
.
2011-04-13 01:27:29 229786 --sh--w- c:\program files\mozilla firefox\null0.09428665617284782.exe
2011-04-13 00:56:03 -------- d-----w- c:\program files\SupportSpace
2011-03-22 23:18:39 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2011-03-22 23:18:00 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-03-22 23:18:00 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-03-22 23:17:35 -------- d-----w- c:\program files\common files\Research In Motion
2011-03-22 23:17:34 -------- d-----w- c:\program files\Research In Motion
.
==================== Find3M ====================
.
2011-01-25 23:41:41 72080 ----a-w- c:\users\caue\g2mdlhlpx.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: TOSHIBA_ rev.FG01 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll >>UNKNOWN [0x87646EC5]<<
c:\windows\system32\drivers\thpdrv.sys TOSHIBA Corporation TOSHIBA HDD Protection
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x84edc872; SUB DWORD [EBP-0x4], 0x84edc12e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x824D105F] -> \Device\Harddisk0\DR0[0x86E89820]
3 CLASSPNP[0x83317745] -> ntkrnlpa!IofCallDriver[0x824D105F] -> \Device\THPDRV1[0x86D868E8]
5 thpdrv[0x8AB9B961] -> ntkrnlpa!IofCallDriver[0x824D105F] -> [0x85C9C028]
[0x873364F8] -> IRP_MJ_CREATE -> 0x87646EC5
kernel: MBR read successfully
_asm { CLI ; XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; PUSH AX; POP ES; PUSH AX; POP DS; STI ; JMP 0x11; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskTOSHIBA_MK1655GSX_______________________FG011M__#4&3ac84c4e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x87646AEA
user & kernel MBR OK
copy of MBR has been found in sector 5 !
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:04:49.46 ===============

Attached Files
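The DDS log above is what the responders read first, and a handful of its Pseudo HJT Report lines carry almost all the signal. The following is an added example, not code from the poster, from BleepingComputer or from the DDS tool: it runs a few triage heuristics over lines copied from that report. The heuristics, the `SECURITY_HOSTS` list and the function names are this example's own assumptions, chosen to show why the `mExplorerRun` entry launching from a temp folder, the `EnableLUA = 0` policy, the orphaned BHO and the two `Hosts:` lines stand out, while an ordinary vendor autostart such as `IgfxTray` does not.

```python
import re
from typing import List, Tuple

# Lines copied from the DDS "Pseudo HJT Report" posted above (the IgfxTray
# entry is a normal Intel graphics autostart and should not be flagged).
SAMPLE_LOG = r"""
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mExplorerRun: [nr5n60] c:\users\caue\appdata\local\temp\5kiqv.exe
mPolicies-system: EnableLUA = 0 (0x0)
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 173.192.153.178 www.123.com
uInternet Settings,ProxyOverride = <local>
"""

# Heuristics below are this example's assumptions, not DDS or forum rules.
AUTORUN_PREFIXES = ("uRun:", "mRun:", "uExplorerRun:", "mExplorerRun:")
# Example list of help-site domains; a loopback hosts entry for one of these
# usually means the infection is blocking the victim from reaching removal help.
SECURITY_HOSTS = ("spywareinfo.com", "bleepingcomputer.com", "malwarebytes.org")
# Short alphanumeric names containing at least one digit, e.g. nr5n60 / 5kiqv.
RANDOM_NAME = re.compile(r"^(?=[a-z0-9]*\d)[a-z0-9]{4,8}$", re.IGNORECASE)
AUTORUN_LINE = re.compile(r"^(\w+): \[([^\]]*)\]\s*(.*)$")
HOSTS_LINE = re.compile(r"^Hosts: (\S+) (\S+)$")


def triage_line(line: str) -> List[str]:
    """Return the reasons a responder would look twice at this log line."""
    line = line.strip()
    reasons: List[str] = []
    if line.startswith(AUTORUN_PREFIXES):
        m = AUTORUN_LINE.match(line)
        if m:
            key, name, target = m.groups()
            if "\\temp\\" in target.lower():
                reasons.append("autostart launches from a temp directory")
            if key.endswith("ExplorerRun"):
                reasons.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
            stem = target.rsplit("\\", 1)[-1].split(".")[0]
            if RANDOM_NAME.match(name) or RANDOM_NAME.match(stem):
                reasons.append("random-looking value or file name")
    elif "EnableLUA = 0" in line:
        reasons.append("UAC disabled by policy")
    elif line.endswith("No File"):
        reasons.append("orphaned entry, the referenced file is missing")
    else:
        m = HOSTS_LINE.match(line)
        if m:
            ip, host = m.groups()
            if ip.startswith("127.") or ip == "::1":
                if host.endswith(SECURITY_HOSTS):
                    reasons.append("help site blocked via hosts file")
            else:
                reasons.append("hosts file redirects %s to %s" % (host, ip))
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every non-empty line, keeping only flagged ones."""
    findings = []
    for raw in text.splitlines():
        if raw.strip():
            reasons = triage_line(raw)
            if reasons:
                findings.append((raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage_log(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("    ->", reason)
```

Run on the sample, five of the seven lines are flagged: the temp-folder autostart collects three reasons at once (temp path, Policies\Explorer\Run location, random-looking names), which is the combination that makes it the obvious first candidate, while the `ProxyOverride = <local>` line is left alone because on its own it is a default Internet Explorer setting.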





#2 heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:13 AM

Posted 16 April 2011 - 02:27 PM

Welcome to BC.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donate link.


#3 cavaco

  • Topic Starter
  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 16 April 2011 - 07:07 PM

Hi heir,

Here's the text from C:\ComboFix.txt
----------------------------------------

ComboFix 11-04-15.06 - Caue 04/16/2011 18:38:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3034.1976 [GMT -5:00]
Running from: c:\users\Caue\Desktop\Clean your PC\Bleeping Computer\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Caue\Documents\registrybackup.reg
c:\users\Caue\g2mdlhlpx.exe
c:\windows\cmd.ini
c:\windows\Fonts\mlog
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\Install.txt
c:\windows\system32\User.ini
.
Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
\\.\PhysicalDrive0 - Bootkit Agent was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Agent was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-16 to 2011-04-16 )))))))))))))))))))))))))))))))
.
.
2011-04-16 23:49 . 2011-04-16 23:50 -------- d-----w- c:\users\Caue\AppData\Local\temp
2011-04-16 23:49 . 2011-04-16 23:49 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-04-16 23:49 . 2011-04-16 23:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-14 02:46 . 2011-04-14 02:46 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2011-04-14 02:46 . 2011-04-14 02:46 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-04-14 02:46 . 2011-04-14 02:46 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2011-04-14 02:46 . 2011-04-14 02:46 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-04-13 00:56 . 2011-04-13 00:56 -------- d-----w- c:\program files\SupportSpace
2011-03-22 23:18 . 2009-01-09 22:18 27136 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2011-03-22 23:18 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2011-03-22 23:18 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2011-03-22 23:17 . 2011-03-22 23:17 -------- d-----w- c:\program files\Common Files\Research In Motion
2011-03-22 23:17 . 2011-03-22 23:17 -------- d-----w- c:\program files\Research In Motion
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TWebCamera"="%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-13 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 154136]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-04-03 233472]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-05-06 7440928]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-13 299008]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-04-24 1011712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-02 1283384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Caue^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Caue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 04:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 08:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2009-04-10 22:54 200704 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2007-01-09 22:23 191552 ------w- c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMAgent]
2009-04-10 22:54 143360 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 01:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1427779664-2101384289-3043044719-1000]
"EnableNotificationsRef"=dword:00000002
.
R0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys [x]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314.sys [2009-11-04 282112]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [2009-11-04 51712]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 qcfilterTSH;Toshiba USB Composite Device Filter Driver;c:\windows\system32\DRIVERS\qcfilterTSH.sys [2009-03-19 5248]
R3 qcusbnetTSH;Toshiba USB-NDIS miniport;c:\windows\system32\DRIVERS\qcusbnetTSH.sys [2009-03-19 115200]
R4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R4 camsvc;TOSHIBA Web Camera Service;c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [2009-04-17 20544]
R4 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
R4 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2007-11-28 589824]
R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R4 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2009-03-19 345336]
R4 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-02-19 57344]
R4 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-02 62776]
R4 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-04-10 656752]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-03-26 30272]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2007-09-04 13336]
S1 PMCF;PMCF;c:\windows\system32\drivers\PMCF.sys [2009-04-23 14856]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-02-12 45056]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-01-14 38400]
S2 SupportSpaceHelperService;SupportSpace platform helper service;c:\program files\SupportSpace\Support Platform\supportspace_tools.exe [2009-02-15 465960]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-04-24 176128]
S2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-03-17 73728]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-03-21 12920]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-22 112128]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-03-18 22272]
S3 qcusbserTSH;Toshiba USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbserTSH.sys [2009-03-19 104448]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ahpjmvz
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mWindow Title = I love Jehnny!!
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: bleepingcomputer.com\www
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
FF - ProfilePath - c:\users\Caue\AppData\Roaming\Mozilla\Firefox\Profiles\q86mcfsy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - %ProgramFiles%\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-Teco - %ProgramFiles%\TOSHIBA\TECO\Teco.exe
HKLM-Run-SmartFaceVWatcher - %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-TUSBSleepChargeSrv - %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
HKLM-Run-TPCHWMsg - %ProgramFiles%\TOSHIBA\TPHM\TPCHWMsg.exe
MSConfigStartUp-Google Update - c:\users\Caue\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-Trend Micro Titanium - c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-16 18:50
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ahpjmvz]
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-16 18:53:03
ComboFix-quarantined-files.txt 2011-04-16 23:53
.
Pre-Run: 32,289,697,792 bytes free
Post-Run: 37,212,155,904 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 890DE929011A7DD50A3FB502A8FEAA44

#4 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:13 AM

Posted 18 April 2011 - 01:38 AM

Step 1.
Uninstall unwanted software:

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

µTorrent
Ares 2.1.1


Optional removals
µTorrent, Ares and P2P programs in general are legal themselves, but much of the content downloaded with them is downloaded illegally. They are also a great way to infect yourself with malware.
It's up to you if you want to remove the above programs, however I recommend you do.


Step 2.
CKScanner:

Download CKScanner from here

Important : Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Step 3.
Things I would like to see in your reply:

  • Which software was uninstalled in step 1.
  • The content of CKFiles.txt from step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#5 cavaco

cavaco
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 21 April 2011 - 10:38 PM

1. I uninstalled both Ares and uTorrent

2. Results from the CKScanner tool

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----

#6 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:13 AM

Posted 22 April 2011 - 06:11 AM

Have you disabled UAC on purpose?


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Dirlook::
c:\users\Caue\AppData\Local\temp
c:\users\Guest\AppData\Local\temp
c:\users\Default\AppData\Local\temp

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


How is your computer running at the moment?



#7 cavaco

cavaco
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 24 April 2011 - 12:32 PM

I did disable UAC on purpose (It drives me crazy :P)

Ever since I ran ComboFix for the first time the computer is running great. There has been no more redirecting on Google, and Windows was able to install all the updates that it couldn't do before. It updated all the way up to Service Pack 2 and also installed Microsoft Security Essentials, which seems to be a virus scanner.

Here are the latest results after following the last steps you requested:

------------------------------------------------
ComboFix 11-04-23.02 - Caue 04/24/2011 12:14:29.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3034.1652 [GMT -5:00]
Running from: c:\users\Caue\Desktop\Clean your PC\Bleeping Computer\ComboFix.exe
Command switches used :: c:\users\Caue\Desktop\Clean your PC\Bleeping Computer\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Help
c:\program files\Common Files\Help\_updated.js
c:\program files\Common Files\Help\qnue.chm
c:\program files\Common Files\Help\qnue.lif
c:\program files\Common Files\Help\qnue.lt3
c:\program files\Common Files\Help\qnue.rul
c:\program files\Common Files\Help\quicken.chm
c:\program files\Common Files\Help\quicken.lif
c:\program files\Common Files\Help\Quicken.lt3
c:\program files\Common Files\Help\Quicken.rul
c:\program files\Common Files\Help\quickenProject.lt3
c:\program files\Common Files\Help\quickenProject.rul
.
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-24 17:20 . 2011-04-24 17:20 -------- d-----w- c:\users\Caue\AppData\Local\temp
2011-04-24 17:20 . 2011-04-24 17:20 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-04-24 17:20 . 2011-04-24 17:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-24 17:01 . 2011-04-24 17:01 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3C8546D1-3F22-4AF9-A5E8-1979B4ED7372}\MpKsl6bba1bb2.sys
2011-04-24 08:19 . 2011-04-24 08:22 -------- d-----w- c:\windows\system32\ca-ES
2011-04-24 08:19 . 2011-04-24 08:22 -------- d-----w- c:\windows\system32\eu-ES
2011-04-24 08:19 . 2011-04-24 08:22 -------- d-----w- c:\windows\system32\vi-VN
2011-04-23 21:40 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3C8546D1-3F22-4AF9-A5E8-1979B4ED7372}\mpengine.dll
2011-04-22 02:37 . 2011-04-22 02:37 -------- d-----w- c:\windows\system32\EventProviders
2011-04-20 03:42 . 2009-04-11 06:28 677376 ----a-w- c:\windows\system32\imapi2fs.dll
2011-04-20 03:41 . 2009-04-11 06:28 663552 ----a-w- c:\program files\Common Files\System\Ole DB\sqloledb.dll
2011-04-20 03:40 . 2009-04-11 06:28 99328 ----a-w- c:\program files\Windows Media Player\wmpband.dll
2011-04-20 03:39 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2011-04-20 03:35 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-17 03:51 . 2011-04-17 03:51 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{81D06683-9850-48F0-B27D-BB6DEBF76B6C}\gapaengine.dll
2011-04-17 03:43 . 2011-04-17 03:43 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-17 03:43 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-17 03:34 . 2011-04-17 03:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-04-17 03:15 . 2011-04-20 21:36 -------- d-----w- c:\windows\system32\MpEngineStore
2011-04-17 02:57 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-17 02:57 . 2011-02-22 13:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-17 02:57 . 2011-02-22 13:23 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-17 02:57 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-17 02:57 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
2011-04-17 02:54 . 2010-06-17 16:16 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
2011-04-17 02:54 . 2010-08-31 15:44 531968 ----a-w- c:\windows\system32\comctl32.dll
2011-04-17 02:54 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-04-17 02:54 . 2010-06-16 16:39 912776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-04-17 02:54 . 2010-06-16 14:01 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-04-17 02:54 . 2010-08-20 16:05 867328 ----a-w- c:\windows\system32\wmpmde.dll
2011-04-17 02:54 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
2011-04-17 02:54 . 2010-08-26 16:37 157184 ----a-w- c:\windows\system32\t2embed.dll
2011-04-17 02:54 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-04-17 02:54 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-04-17 02:54 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2011-04-17 02:54 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2011-04-17 02:53 . 2011-03-03 10:49 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-17 02:31 . 2009-03-08 11:33 18944 ----a-w- c:\windows\system32\corpol.dll
2011-04-17 02:31 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2011-04-17 02:31 . 2009-03-08 11:31 34816 ----a-w- c:\windows\system32\imgutil.dll
2011-04-17 02:31 . 2009-03-08 11:31 48128 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-17 02:31 . 2009-03-08 11:30 66560 ----a-w- c:\windows\system32\tdc.ocx
2011-04-17 02:31 . 2009-03-08 11:22 156160 ----a-w- c:\windows\system32\msls31.dll
2011-04-17 02:29 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-04-17 00:10 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2011-04-14 02:46 . 2011-04-14 02:46 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2011-04-14 02:46 . 2011-04-14 02:46 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-04-14 02:46 . 2011-04-14 02:46 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2011-04-14 02:46 . 2011-04-14 02:46 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-04-13 00:56 . 2011-04-13 00:56 -------- d-----w- c:\program files\SupportSpace
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Caue\AppData\Local\temp ----
.
2011-04-24 04:03 . 2011-04-24 04:03 2832544 ----a-w- c:\users\Caue\AppData\Local\temp\F363.dir\InstallFlashPlayer.exe
2011-04-24 04:03 . 2011-04-24 04:03 0 ----a-w- c:\users\Caue\AppData\Local\temp\F363.tmp
2011-04-22 02:41 . 2011-04-22 02:41 0 ----a-w- c:\users\Caue\AppData\Local\temp\uttA6C.tmp
2011-04-22 02:41 . 2011-04-22 02:41 53 ----a-w- c:\users\Caue\AppData\Local\temp\uttA6C.tmp.bat
2011-04-17 03:09 . 2011-04-17 03:09 842602 ----a-w- c:\users\Caue\AppData\Local\temp\Microsoft .NET Framework 3.5-KB2416473_20110417_030950858-Msi0.txt
2011-04-17 03:09 . 2011-04-17 03:09 85668 ----a-w- c:\users\Caue\AppData\Local\temp\Microsoft .NET Framework 3.5-KB2416473_20110417_030950858.html
2011-04-17 03:08 . 2011-04-20 03:47 1494580 ----a-w- c:\users\Caue\AppData\Local\temp\SilverlightMSI.log
2011-04-17 03:08 . 2011-04-20 03:47 2542 ----a-w- c:\users\Caue\AppData\Local\temp\Silverlight0.log
2011-04-17 03:04 . 2011-04-17 03:06 3839384 ----a-w- c:\users\Caue\AppData\Local\temp\KB2446708_20110416_220412011-Microsoft .NET Framework 4 Client Profile-MSP0.txt
2011-04-17 03:04 . 2011-04-17 03:06 56392 ----a-w- c:\users\Caue\AppData\Local\temp\KB2446708_20110416_220412011.html
2011-04-17 03:04 . 2011-04-17 03:09 6427 ----a-w- c:\users\Caue\AppData\Local\temp\dd_clwireg.txt
2011-04-17 00:29 . 2011-04-17 00:29 134 ----a-w- c:\users\Caue\AppData\Local\temp\306682.od
2011-04-17 00:29 . 2011-04-17 00:29 0 ----a-w- c:\users\Caue\AppData\Local\temp\CVRAD10.tmp.cvr
2011-04-17 00:15 . 2011-04-17 00:17 3605650 ----a-w- c:\users\Caue\AppData\Local\temp\Microsoft .NET Framework 4 Client Profile Setup_20110416_191528514-MSI_netfx_Core_x86.msi.txt
2011-04-17 00:15 . 2011-04-17 00:17 660 ----a-w- c:\users\Caue\AppData\Local\temp\dd_SetupUtility.txt
2011-04-17 00:15 . 2011-04-17 00:17 581104 ----a-w- c:\users\Caue\AppData\Local\temp\Microsoft .NET Framework 4 Client Profile Setup_20110416_191528514.html
2011-04-17 00:15 . 2011-04-17 00:17 1347 ----a-w- c:\users\Caue\AppData\Local\temp\dd_dotNetFx40_Client_x86_decompression_log.txt
2011-04-17 00:04 . 2011-04-24 17:07 20663 ----a-w- c:\users\Caue\AppData\Local\temp\IpAdrSet.log
2011-04-16 23:53 . 2011-04-24 17:12 31832 ----a-w- c:\users\Caue\AppData\Local\temp\Caue.bmp
.
---- Directory of c:\users\Default\AppData\Local\temp ----
.
.
---- Directory of c:\users\Guest\AppData\Local\temp ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TWebCamera"="%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-13 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 154136]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-04-03 233472]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-24 7719456]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-13 299008]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-04-24 1011712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-02 1283384]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Caue^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Caue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 04:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 08:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2009-04-10 22:54 200704 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2007-01-09 22:23 191552 ------w- c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMAgent]
2009-04-10 22:54 143360 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 01:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1427779664-2101384289-3043044719-1000]
"EnableNotificationsRef"=dword:00000002
.
R0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys [x]
R1 tkaqesbl;tkaqesbl;c:\windows\system32\drivers\tkaqesbl.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314.sys [2009-11-04 282112]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [2009-11-04 51712]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 qcfilterTSH;Toshiba USB Composite Device Filter Driver;c:\windows\system32\DRIVERS\qcfilterTSH.sys [2009-03-19 5248]
R3 qcusbnetTSH;Toshiba USB-NDIS miniport;c:\windows\system32\DRIVERS\qcusbnetTSH.sys [2009-03-19 115200]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R4 camsvc;TOSHIBA Web Camera Service;c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [2009-04-17 20544]
R4 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
R4 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [2007-11-28 589824]
R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R4 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2009-03-19 345336]
R4 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-02-19 57344]
R4 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-02 62776]
R4 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-04-10 656752]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-03-26 30272]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2007-09-04 13336]
S1 MpKsl6bba1bb2;MpKsl6bba1bb2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3C8546D1-3F22-4AF9-A5E8-1979B4ED7372}\MpKsl6bba1bb2.sys [2011-04-24 28752]
S1 PMCF;PMCF;c:\windows\system32\drivers\PMCF.sys [2009-04-23 14856]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-02-12 45056]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-01-14 38400]
S2 SupportSpaceHelperService;SupportSpace platform helper service;c:\program files\SupportSpace\Support Platform\supportspace_tools.exe [2009-02-15 465960]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-04-24 176128]
S2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-03-17 73728]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-03-21 12920]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-22 112128]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-03-18 22272]
S3 qcusbserTSH;Toshiba USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbserTSH.sys [2009-03-19 104448]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL6BBA1BB2
*Deregistered* - ahpjmvz
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mWindow Title = I love Jehnny!!
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: bleepingcomputer.com\www
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
FF - ProfilePath - c:\users\Caue\AppData\Roaming\Mozilla\Firefox\Profiles\q86mcfsy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-24 12:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ahpjmvz]
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-24 12:22:47
ComboFix-quarantined-files.txt 2011-04-24 17:22
ComboFix2.txt 2011-04-16 23:53
.
Pre-Run: 33,327,861,760 bytes free
Post-Run: 33,150,246,912 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=1 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
- - End Of File - - E84154D4785F391ABB622B6C275A7AB5

#8 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:13 AM

Posted 24 April 2011 - 12:56 PM

It updated all the way up to Service Pack 2

It isn't advisable to update an infected computer.

Let's take care of some more and do a couple of scans.



Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\drivers\tkaqesbl.sys
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv.exe"
Driver::
tkaqesbl
ahpjmvz
FixCSet::

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 2.
Scan with MBAM:


  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step 3.
Scan with ESET Online Scanner:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


  • The content of the report from MBAM from Step 2.
  • The content of the report from ESET Online Scanner from Step 3.
  • Information on how your computer is running after those steps.



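The CFScript above targets two entries that stand out in the ComboFix log posted earlier: a driver whose file is missing and whose name looks machine-generated (tkaqesbl, listed as "[x]"), a service key with no matching service line (ahpjmvz), and the policies key showing UAC switched off (EnableLUA = 0). The following Python is an added example written for this thread, not ComboFix's own logic or anything heir posted: it applies those three triage heuristics to a handful of lines copied from the log above. The Findings dataclass, the regexes and the "all-lowercase letters, file missing, display name equals service name" rule are assumptions of this example; they produce leads for a human reader, not verdicts.

```python
"""Triage heuristics over ComboFix-style log lines (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the ComboFix log posted in this thread.
SAMPLE_LINES = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]",
    r'"EnableLUA"= 0 (0x0)',
    r'"EnableUIADesktopToggle"= 0 (0x0)',
    ".",
    r"R0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys [x]",
    r"R1 tkaqesbl;tkaqesbl;c:\windows\system32\drivers\tkaqesbl.sys [x]",
    r"R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]",
    r"R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]",
    r"S1 PMCF;PMCF;c:\windows\system32\drivers\PMCF.sys [2009-04-23 14856]",
    r"S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-02-12 45056]",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ahpjmvz]",
]

# Service/driver lines: "R1 name;display name;path [x]" or "... [YYYY-MM-DD size]".
# The bracket holds the file's date and size, or "x" when the file is not on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>x|\d{4}-\d{2}-\d{2}\s+\d+)\]$"
)
# A bare Services\<name> key printed on its own, as ComboFix did for ahpjmvz.
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\(?P<name>[^\\\]]+)\]$",
    re.IGNORECASE,
)
ENABLE_LUA_RE = re.compile(r'^"EnableLUA"\s*=\s*(?P<value>\d+)')
# Assumed heuristic: names made only of lowercase letters, without the vendor-style
# casing or digits seen in legitimate drivers (ElbyVCD, HTCAND32, PMCF).
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,12}$")


@dataclass
class Findings:
    uac_disabled: bool = False
    suspect_drivers: list = field(default_factory=list)
    orphan_service_keys: list = field(default_factory=list)


def triage(lines):
    """Return Findings for an iterable of ComboFix log lines."""
    found = Findings()
    seen_services = set()
    bare_keys = []
    for raw in lines:
        line = raw.rstrip()
        m = ENABLE_LUA_RE.match(line)
        if m:
            found.uac_disabled = m.group("value") == "0"
            continue
        m = SERVICE_KEY_RE.match(line)
        if m:
            bare_keys.append(m.group("name"))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        seen_services.add(name.lower())
        # All three must hold: file missing, display name identical to the service
        # name, and a random-looking lowercase name living under \drivers\.
        if (
            m.group("info") == "x"
            and m.group("display") == name
            and RANDOM_NAME_RE.match(name)
            and "\\drivers\\" in m.group("path").lower()
        ):
            found.suspect_drivers.append(name)
    # A Services key with no R/S line behind it is worth a second look.
    found.orphan_service_keys = [k for k in bare_keys if k.lower() not in seen_services]
    return found


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("UAC disabled:", result.uac_disabled)
    print("Suspect drivers:", result.suspect_drivers)
    print("Orphaned service keys:", result.orphan_service_keys)
```

Note that rimspci, which is also lowercase-only and has display name equal to service name, is not flagged because its file exists with a date and size; the rule needs all three conditions together, which is what keeps an ordinary OEM driver out of the list.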

#9 cavaco

cavaco
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:13 PM

Posted 24 April 2011 - 08:31 PM

After doing all the steps required I was able to browse without any of the extra tabs that would pop up. Google does not redirect anymore.

I installed Google Chrome again (my favorite browser), and now I'm able to browse the internet using it (I couldn't do it before).



ComboFix log:


ComboFix 11-04-23.02 - Caue 04/24/2011 15:07:51.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3034.1636 [GMT -5:00]
Running from: c:\users\Caue\Desktop\Clean your PC\Bleeping Computer\ComboFix.exe
Command switches used :: c:\users\Caue\Desktop\Clean your PC\Bleeping Computer\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\tkaqesbl.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AHPJMVZ
-------\Service_ahpjmvz
-------\Service_tkaqesbl
.
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-24 20:13 . 2011-04-24 20:20 -------- d-----w- c:\users\Caue\AppData\Local\temp
2011-04-24 20:13 . 2011-04-24 20:13 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-04-24 20:13 . 2011-04-24 20:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-24 17:34 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D55895E4-DC03-4F98-9476-2E45F78E8ABC}\mpengine.dll
2011-04-24 08:19 . 2011-04-24 08:22 -------- d-----w- c:\windows\system32\ca-ES
2011-04-24 08:19 . 2011-04-24 08:22 -------- d-----w- c:\windows\system32\eu-ES
2011-04-24 08:19 . 2011-04-24 08:22 -------- d-----w- c:\windows\system32\vi-VN
2011-04-22 02:37 . 2011-04-22 02:37 -------- d-----w- c:\windows\system32\EventProviders
2011-04-20 03:42 . 2009-04-11 06:28 677376 ----a-w- c:\windows\system32\imapi2fs.dll
2011-04-20 03:41 . 2009-04-11 06:28 663552 ----a-w- c:\program files\Common Files\System\Ole DB\sqloledb.dll
2011-04-20 03:40 . 2009-04-11 06:28 99328 ----a-w- c:\program files\Windows Media Player\wmpband.dll
2011-04-20 03:39 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2011-04-20 03:35 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-17 03:51 . 2011-04-17 03:51 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{81D06683-9850-48F0-B27D-BB6DEBF76B6C}\gapaengine.dll
2011-04-17 03:43 . 2011-04-17 03:43 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-17 03:43 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-17 03:34 . 2011-04-17 03:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-04-17 03:15 . 2011-04-20 21:36 -------- d-----w- c:\windows\system32\MpEngineStore
2011-04-17 02:57 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-17 02:57 . 2011-02-22 13:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-17 02:57 . 2011-02-22 13:23 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-17 02:57 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-17 02:57 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
2011-04-17 02:54 . 2010-06-17 16:16 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
2011-04-17 02:54 . 2010-08-31 15:44 531968 ----a-w- c:\windows\system32\comctl32.dll
2011-04-17 02:54 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-04-17 02:54 . 2010-06-16 16:39 912776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-04-17 02:54 . 2010-06-16 14:01 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-04-17 02:54 . 2010-08-20 16:05 867328 ----a-w- c:\windows\system32\wmpmde.dll
2011-04-17 02:54 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
2011-04-17 02:54 . 2010-08-26 16:37 157184 ----a-w- c:\windows\system32\t2embed.dll
2011-04-17 02:54 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2011-04-17 02:54 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-04-17 02:54 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2011-04-17 02:54 . 2010-04-05 17:02 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2011-04-17 02:53 . 2011-03-03 10:49 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-17 02:31 . 2009-03-08 11:33 18944 ----a-w- c:\windows\system32\corpol.dll
2011-04-17 02:31 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2011-04-17 02:31 . 2009-03-08 11:31 34816 ----a-w- c:\windows\system32\imgutil.dll
2011-04-17 02:31 . 2009-03-08 11:31 48128 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-17 02:31 . 2009-03-08 11:30 66560 ----a-w- c:\windows\system32\tdc.ocx
2011-04-17 02:31 . 2009-03-08 11:22 156160 ----a-w- c:\windows\system32\msls31.dll
2011-04-17 02:29 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-04-17 00:10 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2011-04-14 02:46 . 2011-04-14 02:46 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2011-04-14 02:46 . 2011-04-14 02:46 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-04-14 02:46 . 2011-04-14 02:46 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2011-04-14 02:46 . 2011-04-14 02:46 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-04-13 00:56 . 2011-04-13 00:56 -------- d-----w- c:\program files\SupportSpace
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-24 20:15 . 2010-08-05 02:26 783360 ----a-w- c:\windows\system32\drivers\ahpjmvz.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TWebCamera"="%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe autorun" [X]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-13 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 154136]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-04-03 233472]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-24 7719456]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-13 299008]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-04-24 1011712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-02 1283384]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Caue^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Caue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 04:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 08:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2009-04-10 22:54 200704 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2007-01-09 22:23 191552 ------w- c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMAgent]
2009-04-10 22:54 143360 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 01:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 21:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1427779664-2101384289-3043044719-1000]
"EnableNotificationsRef"=dword:00000002
.
R4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1427779664-2101384289-3043044719-1000Core.job
- c:\users\Caue\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-24 17:35]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1427779664-2101384289-3043044719-1000UA.job
- c:\users\Caue\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-24 17:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mWindow Title = I love Jehnny!!
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: bleepingcomputer.com\www
DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://pattcw.att.motive.com/wizlet/DSLActivation/static/installer/ATTInternetInstaller.cab
FF - ProfilePath - c:\users\Caue\AppData\Roaming\Mozilla\Firefox\Profiles\q86mcfsy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-24 15:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\SupportSpace\Support Platform\supportspace_tools.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\TECO\TecoService.exe
c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
c:\windows\system32\WUDFHost.exe
c:\program files\SupportSpace\Support Platform\supportspace_tools.exe
c:\windows\system32\conime.exe
c:\windows\System32\ThpSrv.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\ehome\ehmsas.exe
c:\windows\ehome\ehsched.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\Apoint2K\HidFind.exe
c:\program files\Apoint2K\Apntex.exe
.
**************************************************************************
.
Completion time: 2011-04-24 15:26:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-24 20:26
ComboFix2.txt 2011-04-24 17:22
ComboFix3.txt 2011-04-16 23:53
.
Pre-Run: 32,618,070,016 bytes free
Post-Run: 32,190,341,120 bytes free
.
- - End Of File - - 5429402670C53451282EC1BC6D2CC314






/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////






Malwarebytes Logs:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6435

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

4/24/2011 3:45:50 PM
mbam-log-2011-04-24 (15-45-50).txt

Scan type: Quick scan
Objects scanned: 174596
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\ActiveX.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\drivers\ahpjmvz.sys (Rootkit.Bubnix) -> Quarantined and deleted successfully.





/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////





ESET Logs:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=7549a7bd9fc5dc42920e55e4b6b8abeb
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-25 01:17:26
# local_time=2011-04-24 08:17:26 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 0 140296695 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=220902
# found=9
# cleaned=8
# scan_time=5079
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentsc.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinVirutag.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\kbdclass.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\drivers\kbdclass.sys Win32/Olmarik.ZC trojan (error while cleaning) 00000000000000000000000000000000 I
C:\Users\Caue\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\541821cb-1b38cd86 a variant of Win32/Spy.Bancos.NSI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Caue\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3cc664c-463838ce Java/TrojanDownloader.OpenStream.NBS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Caue\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\1baeccbb-727e649c probably a variant of Win32/Agent.BMRBLLF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Caue\Desktop\TEMP\procert60_electronic.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Caue\Documents\Appz\Nero v9.0.9\Nero-9.0.9.4b_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
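An added example, not part of cavaco's post and not ComboFix code: a small Python triage script that reads a ComboFix-style log and pulls out the indicators that matter in the log above. It lists the randomly named service/driver entries ComboFix removed (ahpjmvz, tkaqesbl), cross-checks them against the file sections so that a driver file still on disk for a removed service stands out (the Find3M entry for drivers\ahpjmvz.sys, which Malwarebytes then caught as Rootkit.Bubnix), flags a hidden+system folder whose name is a literal %VAR% (the system32\%APPDATA% entry), and reports the weakened policies (EnableLUA=0 means UAC is switched off; HideSCAHealth=1 hides Security Center warnings). The embedded sample log is constructed to mirror the posted lines, and the section-header, deletion, file and registry line formats are inferred from the log as shown, not taken from ComboFix documentation.

```python
"""Triage a ComboFix-style log for the indicators seen in the thread above.

Added example: not part of the original post and not ComboFix code. The log
layout (section headers wrapped in parentheses, dash-prefixed deletion lines,
"date . date size attrs path" file lines, REGEDIT4-style key/value lines) is
inferred from the posted log, not from documentation.
"""
import re

# Constructed sample that mirrors the shape of the posted ComboFix log.
SAMPLE_LOG = r"""
((((( Drivers/Services )))))
.
-------\Legacy_AHPJMVZ
-------\Service_ahpjmvz
-------\Service_tkaqesbl
.
((((( Files Created from 2011-03-24 to 2011-04-24 )))))
.
2011-04-17 03:43 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-04-17 03:34 . 2011-04-17 03:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
((((( Find3M Report )))))
.
2011-04-24 20:15 . 2010-08-05 02:26 783360 ----a-w- c:\windows\system32\drivers\ahpjmvz.sys
.
((((( Reg Loading Points )))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
"""

HEADER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
DELETION_RE = re.compile(r"^-+\\(?:Service|Legacy)_(\S+)$", re.IGNORECASE)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(\S+)\s+(\S+)\s+(\S.*)$")  # groups: size, attributes, path
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(\S+)')

# (registry key suffix, value name, value) -> why it weakens the machine
WEAK_POLICIES = {
    ("policies\\system", "EnableLUA", "0"):
        "UAC disabled (EnableLUA=0): every program runs with full admin rights",
    ("policies\\explorer", "HideSCAHealth", "1"):
        "Security Center health notifications hidden (HideSCAHealth=1)",
}


def split_sections(text):
    """Group the non-empty lines under the parenthesised header above them."""
    sections, current = {"preamble": []}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def deleted_services(sections):
    """Lower-cased names of Service_/Legacy_ entries ComboFix removed."""
    names = set()
    for line in sections.get("Drivers/Services", []):
        m = DELETION_RE.match(line)
        if m:
            names.add(m.group(1).lower())
    return names


def file_entries(sections):
    """Yield (attributes, path) from the 'Files Created' and Find3M sections."""
    for name, lines in sections.items():
        if name.startswith("Files Created") or name == "Find3M Report":
            for line in lines:
                m = FILE_RE.match(line)
                if m:
                    yield m.group(2), m.group(3)


def residual_driver_files(sections, deleted):
    """Files whose base name matches a removed service: the file outlived the entry."""
    hits = []
    for _attrs, path in file_entries(sections):
        stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        if stem in deleted:
            hits.append(path)
    return hits


def hidden_env_dirs(sections):
    """Hidden+system directories whose name is a literal %VAR% token."""
    return [path for attrs, path in file_entries(sections)
            if attrs.startswith("d") and "h" in attrs and "s" in attrs and "%" in path]


def weak_policies(sections):
    """Policy values under Reg Loading Points that turn protections off."""
    findings, key = [], ""
    for line in sections.get("Reg Loading Points", []):
        k = KEY_RE.match(line)
        if k:
            key = k.group(1).lower()
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, value = v.groups()
        for (suffix, pname, pvalue), why in WEAK_POLICIES.items():
            if key.endswith(suffix) and name == pname and value == pvalue:
                findings.append(why)
    return findings


def triage(text):
    """Return the list of findings for one log, in a fixed order."""
    sections = split_sections(text)
    deleted = deleted_services(sections)
    report = [f"service/driver entry removed: {n}" for n in sorted(deleted)]
    report += [f"driver file still on disk for removed service: {p}"
               for p in residual_driver_files(sections, deleted)]
    report += [f"hidden+system folder with a literal %VAR% name: {p}"
               for p in hidden_env_dirs(sections)]
    report += weak_policies(sections)
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it against a saved ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`. The residual-file check is the one worth keeping in mind: ComboFix deleting a service entry does not prove the .sys file is gone, and a driver file that survives its service is exactly what a second scanner should be pointed at.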

#10 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:13 AM

Posted 25 April 2011 - 05:33 AM

Hey there, cavaco !

OK! Well done, your log is clean again!

Time for some housekeeping.

Step 1.
Clean up:

What we need to do is remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined malware from your computer.

First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the /U; it needs to be there.

Second:
  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any tools/logs that are left over after you ran OTC.


Step 2.
Prevention:

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com/products/acrobat/readstep2.html

Remove the older versions and install the latest.

-----

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 25.
  • Click the JDK 6 Update 25 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u25-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u25-windows-i586.exe and select "Run as an Administrator.")

Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the Internet.
  • Click Apply then OK.


Third:
Now let's download some preventative programs that will help to keep the nasties away! We will start with anti-spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Next let's look at firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls

Fifth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware, click the donate link.


#11 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:13 AM

Posted 01 May 2011 - 07:35 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





