Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hubby's laptop infected


  • This topic is locked This topic is locked
21 replies to this topic

#1 EdithBunker

EdithBunker

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Location:Atlanta, GA
  • Local time:10:00 AM

Posted 15 June 2011 - 04:50 PM

This is about my husband's laptop, with Windows 7 I am somewaht unknowledgable of Win 7, as my comp still has XP. He's been infected with whatever I got last week-- and had help here to fix. But mine was a bit easier, because I'm doing a system restore with the cds, so lost programs won't be an issue for me.

His seems to have lost a lot more than mine. First we get the pop up titles Windows 7 restore. It has dire warnings about system failures, (hard drive error, RAM error, several things all with warnings that this is critical and data is about to be lost, and that the hard drive is about to fail.

Task manager is disabled, All programs under the start menu is empty, desktop is lost, I can't even get to the programs via going to my computer>C: Drive> Program files. It says they're empty. However it still shows all programs as still there when I pull up "add/remove"

I tried safe mode and still can't get to the AV to run it.

I'm not sure if I can get a browser open or not on his computer. (with mine, I got the unhide utility and was able to get to my programs) His AV is Avast, but we can have Norton for free from our Comcast provider--that was how I was able to somewhat recover my computer so I could come here for help, but with his, I don't know what it is still capable of. We're a lot more concerned about his computer since that is where we do our banking and stuff.


I can type out word for word what the warning pop ups say if you need to know---this time I wrote it all out.

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:00 PM

Posted 23 June 2011 - 10:33 AM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 EdithBunker

EdithBunker
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Location:Atlanta, GA
  • Local time:10:00 AM

Posted 25 June 2011 - 08:13 PM

Whoops! almost missed this! I got so much eamil, it was on the second page! We've been celebrating younger son's B-day and I haven't been on much. I will try to get to the instructions tomorrow or Monday. (tomorrow is a fairly full day, too)

Hubby's 'puter still needs help--I think I got the virus, I was able to uninstall Avast and install Norton, but a lot of things still aren't right. Please don't close this down-- I will post back here tomorrow night or Monday.. Thanks!

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:00 PM

Posted 26 June 2011 - 03:46 AM

No problem! Thank you for letting me know.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 EdithBunker

EdithBunker
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Location:Atlanta, GA
  • Local time:10:00 AM

Posted 27 June 2011 - 10:49 AM

elise025, Thank you so much for helping me. I'm not sure i did this correctly. If I have script blocking on this computer, I don't know it. In your "please Note" where you say if I have script blocking, you say to disconnect from the internet to run the tool. I wondered if that meant only if I have script blocking enabled, or if i was supposed to disconnect from the internet to run the tool, regardless of whether I had script blocking enabled. (Sorry, I'm a blond, too! heehee--that's why I chose the screen name Edith Bunker-- could you imagine HER on a 'puter? lol)

If I do have to re-run this and disconnect from the internet, let me know.
The instructions after the scan said there is a zip file also, that i might have to post--do i post it as a zip, or open it here on the computer, then copy and paste?



Since I had originally posted asking for help, while waiting for a reply, I did a few things, so here's an update on the status of this computer.
This computer had gotten the "windows restore" virus thingy. We had dire warning popups saying we had hard drive errors, RAM errors, and we were at risk of losing our data, etc. I had gotten the same thing on my windows XP computer, and a friend had uninstalled my avast AV, and installed Norton. and Norton got it right away. So i did the same thing on this computer. And Norton got it on the first scan. I also ran the unhide tool. So now, as far as i can tell, we have no virus, but the aftereffects are still here.

I also ran the unhide tool.

So here's the results: No desktop, the "all programs" in the start menu are all empty, and I'm not sure if the task manager is working properly--although I really don't know Windows 7, so that might be okay. (When i do control alt delete, the box doesn't come up like on XP, instead, it goes to a blue screen offering choices of Lock this comptuer, log off, change a password, or swithc user)





.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Run by Pat at 11:22:47 on 2011-06-27
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3002.1918 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273603108735l0414z1k5r44n20240
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273603108735l0414z1k5r44n20240
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273603108735l0414z1k5r44n20240
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273603108735l0414z1k5r44n20240
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: TV Bar 1.2 Toolbar: {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - C:\Program Files (x86)\TV_Bar_1.2\tbTV_B.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL
BHO: TV Bar 1.2 Toolbar: {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - C:\Program Files (x86)\TV_Bar_1.2\tbTV_B.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: TV Bar 1.2 Toolbar: {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - C:\Program Files (x86)\TV_Bar_1.2\tbTV_B.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
mRun: [<NO NAME>]
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://paymentsystems.webex.com/client/T27LB/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E995DFE-E78A-4744-8946-004960F6784B} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E995DFE-E78A-4744-8946-004960F6784B}\135325A41353D20534F5E4564777F627B6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E995DFE-E78A-4744-8946-004960F6784B}\261637562616C6C6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E995DFE-E78A-4744-8946-004960F6784B}\74271636563486160756C6348657273686 : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{2E995DFE-E78A-4744-8946-004960F6784B}\945435 : DhcpNameServer = 205.171.3.65 205.171.2.65
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: TV Bar 1.2 Toolbar: {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - C:\Program Files (x86)\TV_Bar_1.2\tbTV_B.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: TV Bar 1.2 Toolbar: {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - C:\Program Files (x86)\TV_Bar_1.2\tbTV_B.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
mRun-x64: [(Default)]
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\8laiyduo.default\
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\NOS\bin\np_gp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Pat\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Users\Pat\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll
FF - plugin: C:\Users\Pat\AppData\Roaming\NeuLion\AdaptivePlugin\npadaptiveplugin_1_6_5_7131.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\Pat\AppData\Roaming\Move Networks
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [2011-6-16 1143416]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110624.050\IDSviA64.sys [2011-6-25 488056]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [2011-6-21 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-6-20 136824]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2009-11-5 225280]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 ePowerSvc;Acer ePower Service;C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-11-5 844320]
S4 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [2009-8-28 1150496]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-3 136176]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-9-3 136176]
S4 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-6-17 50432]
S4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-6-17 144640]
S4 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-11-5 240160]
.
=============== File Associations ===============
.
JSEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
VBEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
VBSFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-06-21 13:28:55 382584 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\symnets.sys
2011-06-21 13:28:54 912504 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\symefa64.sys
2011-06-21 13:28:54 744568 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\srtsp64.sys
2011-06-21 13:28:54 450680 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\symds64.sys
2011-06-21 13:28:54 40568 ----a-w- C:\Windows\System32\drivers\N360x64\0501000.01D\srtspx64.sys
2011-06-21 13:28:54 171128 ----a-r- C:\Windows\System32\drivers\N360x64\0501000.01D\ironx64.sys
2011-06-21 13:28:33 -------- d-----w- C:\Windows\System32\drivers\N360x64\0501000.01D
2011-06-20 17:54:21 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-06-20 17:54:21 -------- d-----w- C:\Program Files\Symantec
2011-06-20 17:54:21 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2011-06-20 17:53:54 -------- d-----w- C:\Windows\System32\drivers\N360x64
2011-06-20 17:53:53 -------- d-----w- C:\Program Files (x86)\Norton Security Suite
2011-06-20 17:53:45 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2011-06-20 14:12:56 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-06-20 14:11:02 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2011-06-14 16:53:38 392192 ----a-w- C:\ProgramData\42983160.exe
2011-06-14 15:21:34 -------- d-----w- C:\Windows\pss
2011-06-14 12:36:01 8718160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{34009ADA-D06A-42F0-81AF-FE07B25A15B2}\mpengine.dll
2011-06-13 22:27:19 -------- d-----w- C:\ProgramData\VirtualizedApplications
2011-06-13 22:13:07 -------- d-----w- C:\ProgramData\Virtualized Applications
2011-06-13 21:57:55 -------- d-----w- C:\Users\Pat\AppData\Local\SoftGrid Client
2011-06-13 21:57:54 -------- d-----w- C:\Users\Pat\AppData\Roaming\SoftGrid Client
2011-06-13 21:55:56 -------- d-----w- C:\Users\Pat\AppData\Roaming\TP
2011-06-13 21:55:19 1628560 ----a-w- C:\Users\Pat\X16-42918_YWRPV-7BF6R-XXVGP-KVJMJ-7P79D.exe
.
==================== Find3M ====================
.
2011-05-28 03:25:16 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-05-28 03:07:01 3133952 ----a-w- C:\Windows\System32\win32k.sys
2011-05-28 03:00:02 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-05-17 20:02:58 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-04 02:51:08 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-05-04 02:51:08 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-05-04 02:51:05 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-05-03 05:21:22 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-05-03 04:50:29 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-04-29 03:13:10 461312 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-04-29 03:12:54 399872 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-04-29 03:12:37 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-27 02:57:40 102400 ----a-w- C:\Windows\System32\drivers\dfsc.sys
2011-04-25 05:32:22 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-04-25 02:44:02 499712 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-04-22 20:18:28 1197056 ----a-w- C:\Windows\System32\wininet.dll
2011-04-22 20:14:08 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-04-22 19:31:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-04-22 19:31:26 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-04-22 18:49:57 482816 ----a-w- C:\Windows\System32\html.iec
2011-04-22 18:23:59 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-04-09 06:58:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
2011-04-09 06:45:48 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-04-09 06:13:06 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13:06 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2011-04-06 20:26:58 96544 ----a-w- C:\Windows\System32\dnssd.dll
2011-04-06 20:26:58 119584 ----a-w- C:\Windows\System32\dns-sd.exe
2011-04-06 20:20:16 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe
.
============= FINISH: 11:24:05.24 ===============

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:00 PM

Posted 27 June 2011 - 11:30 AM

Can you please download the latest version of unhide.exe and see if that restores your files?

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 EdithBunker

EdithBunker
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Location:Atlanta, GA
  • Local time:10:00 AM

Posted 29 June 2011 - 09:11 PM

Sorry it took so long--I don't get on the computer some days, then i have a lot of emails to catch up on, so didn't get to this. The linkj for the unhide in your posts didn't work--I got a 404 not found. I had used unhide and had downloaded it about a week ago, and we did get the shortcuts back, they just don't connect to the program--it says they're "empty". We can get to the program "the long way", by opening computer>program files>(the program we want)> then find the launch shortcut in that file, but most of the start menu programs shortcuts are empty. I read that if we haven't cleaned out our temp files, we might get them back there, but I don't know how.

The TDSS rootkit removing tool, I might have done wrong, not sure. I went to the link, dl the zip file, opened it, and the ran it. There was no option to dl it to the desktop. This has Windows 7 and i am unfamiliar with it, so i may have missed something. The scan came back clean, nothing found.

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:00 PM

Posted 30 June 2011 - 07:51 AM

Hi again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:00 PM

Posted 03 July 2011 - 08:03 AM

Hi, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 EdithBunker

EdithBunker
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Location:Atlanta, GA
  • Local time:10:00 AM

Posted 03 July 2011 - 05:17 PM

Hi, I'm still here! I don't have access to hubby's computer tonight (Or for the last couple nights), it gets used as a dvd player for hubby and sons to watch movies on at night. I will get it tomorrow am and run the combofix, and post the results then. (THis ends up being a slower process because of me. I'm sorry about that--I supposed if we were using them for work or something, I'd get on it quicker)

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:00 PM

Posted 04 July 2011 - 02:52 AM

Okay, thank you for letting me know!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 EdithBunker

EdithBunker
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Location:Atlanta, GA
  • Local time:10:00 AM

Posted 04 July 2011 - 09:47 AM

Here's the combo fix file:



ComboFix 11-07-03.04 - Pat 07/04/2011 10:31:45.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3002.1945 [GMT -4:00]
Running from: c:\users\Pat\Downloads\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\42983160.exe
c:\users\Pat\AppData\Roaming\PriceGong
c:\users\Pat\AppData\Roaming\PriceGong\Data\1.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\a.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\b.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\c.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\d.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\e.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\f.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\g.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\h.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\i.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\J.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\k.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\l.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\m.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\mru.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\n.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\o.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\p.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\q.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\r.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\s.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\t.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\u.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\v.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\w.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\x.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\y.xml
c:\users\Pat\AppData\Roaming\PriceGong\Data\z.xml
c:\users\Pat\X16-42918_YWRPV-7BF6R-XXVGP-KVJMJ-7P79D.exe
c:\windows\SysWow64\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-06-04 to 2011-07-04 )))))))))))))))))))))))))))))))
.
.
2011-07-04 14:37 . 2011-07-04 14:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-04 14:25 . 2011-07-04 14:29 -------- d-----w- C:\32788R22FWJFW
2011-06-30 18:50 . 2011-06-30 18:50 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-06-29 01:06 . 2011-05-24 11:21 404992 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-29 01:06 . 2011-05-24 10:34 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2011-06-29 01:06 . 2011-05-24 10:34 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2011-06-29 01:06 . 2011-05-24 10:34 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2011-06-29 01:06 . 2011-05-24 10:32 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2011-06-20 17:54 . 2011-06-21 13:29 -------- d-----w- c:\program files\Symantec
2011-06-20 17:54 . 2011-06-21 13:28 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-06-20 17:54 . 2011-06-20 17:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-06-20 17:53 . 2011-06-22 01:39 -------- d-----w- c:\windows\system32\drivers\N360x64
2011-06-20 17:53 . 2011-06-20 17:53 -------- d-----w- c:\program files (x86)\Norton Security Suite
2011-06-20 17:53 . 2011-06-20 17:53 -------- d-----w- c:\program files (x86)\NortonInstaller
2011-06-20 14:12 . 2011-06-20 18:07 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
2011-06-20 14:11 . 2010-08-21 04:59 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-06-14 12:36 . 2011-05-09 22:00 8718160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{34009ADA-D06A-42F0-81AF-FE07B25A15B2}\mpengine.dll
2011-06-13 22:27 . 2011-06-14 10:58 -------- d-----w- c:\programdata\VirtualizedApplications
2011-06-13 22:13 . 2011-06-14 11:37 -------- d-----w- c:\programdata\Virtualized Applications
2011-06-13 21:57 . 2011-06-14 10:47 -------- d-----w- c:\users\Pat\AppData\Local\SoftGrid Client
2011-06-13 21:57 . 2011-06-14 13:12 -------- d-----w- c:\users\Pat\AppData\Roaming\SoftGrid Client
2011-06-13 21:55 . 2011-06-14 11:37 -------- d-----w- c:\users\Pat\AppData\Roaming\TP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-17 20:02 . 2011-05-17 20:02 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-10 12:10 . 2011-02-12 11:23 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-13 12:46 . 2010-05-19 01:16 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-04-13 12:46 . 2010-05-19 01:15 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-04-09 06:58 . 2011-05-14 00:18 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-04-09 06:45 . 2011-05-11 18:34 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 06:13 . 2011-05-11 18:34 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13 . 2011-05-11 18:34 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-14 00:18 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
2011-04-06 20:26 . 2011-04-06 20:26 96544 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:26 . 2011-04-06 20:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{70a38074-97a6-45da-b1a1-34b0a34dc3ff}"= "c:\program files (x86)\TV_Bar_1.2\tbTV_B.dll" [2010-06-13 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{70a38074-97a6-45da-b1a1-34b0a34dc3ff}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{70a38074-97a6-45da-b1a1-34b0a34dc3ff}]
2010-06-13 23:10 2734688 ----a-w- c:\program files (x86)\TV_Bar_1.2\tbTV_B.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{70a38074-97a6-45da-b1a1-34b0a34dc3ff}"= "c:\program files (x86)\TV_Bar_1.2\tbTV_B.dll" [2010-06-13 2734688]
.
[HKEY_CLASSES_ROOT\clsid\{70a38074-97a6-45da-b1a1-34b0a34dc3ff}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 225280]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 ePowerSvc;Acer ePower Service;c:\program files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-09-30 844320]
R4 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [2009-08-28 1150496]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-03 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-03 136176]
R4 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-18 50432]
R4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-18 144640]
R4 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110616.003\BHDrvx64.sys [2011-06-16 1143416]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110701.051\IDSvia64.sys [2011-06-03 488056]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\0501000.01D\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-06-19 136824]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-03 15:41]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-03 15:41]
.
2011-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2948187036-1470245140-3363607918-1000Core.job
- c:\users\Pat\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-11 23:46]
.
2011-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2948187036-1470245140-3363607918-1000UA.job
- c:\users\Pat\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-11 23:46]
.
2011-06-30 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2011-05-25 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273603108735l0414z1k5r44n20240
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273603108735l0414z1k5r44n20240
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\8laiyduo.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Pat\AppData\Roaming\Move Networks
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn
.
.
------- File Associations -------
.
JSEFile=%SystemRoot%\SysWow64\CScript.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
WebBrowser-{70A38074-97A6-45DA-B1A1-34B0A34DC3FF} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
.
**************************************************************************
.
Completion time: 2011-07-04 10:44:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-04 14:44
.
Pre-Run: 187,527,806,976 bytes free
Post-Run: 187,077,259,264 bytes free
.
- - End Of File - - 69E1D6860E2E0AB9BF1B577547304135

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:00 PM

Posted 04 July 2011 - 02:45 PM

Hi, that looks better. How are things running now?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 EdithBunker

EdithBunker
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Location:Atlanta, GA
  • Local time:10:00 AM

Posted 04 July 2011 - 07:40 PM

My hubby says it's running smoothly, he thinks it might even have more speed, but we still don't know how to get the shortcuts in his start menu to not show as "empty". (Start>all programs>click on most anything, it'll say "empty", and the shortcut doesn't work. Frustrating!

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:00 PM

Posted 05 July 2011 - 02:43 AM

I'm glad to hear things are running fine now. :)
Can you please rerun DDS and post me attach.txt?

If unhide.exe did not bring back your shortcuts, unfortunately this means you'll have to create them manually. This is not very difficult but can be a bit an annoying task.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users