
Malware/Spyware problems


  • This topic is locked
26 replies to this topic

#1 TJSands

TJSands

  • Members
  • 30 posts
  • OFFLINE
  • Local time:06:52 PM

Posted 13 October 2011 - 01:12 PM

I was referred to this forum by Broni.

Here are my logs:


This is from SecurityCheck:


Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Adobe Flash Player
Adobe Reader 9.4.2
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
AVG avgwdsvc.exe
AVG avgtray.exe
``````````End of Log````````````



MiniToolBox said:

The ordinal 1108 could not be located in the dynamic link library
WSOCK32.dll.


Followed by:

MiniToolBox by Farbar
Ran by TJ (administrator) on 12-10-2011 at 20:25:52
Windows 7 Home Premium (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:59071

========================= FF Proxy Settings: ==============================

Hosts file not detected in the default directory
========================= IP Configuration: ================================
The following helper DLL cannot be loaded: WSHELPER.DLL.


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : TJ-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8188CE Wireless LAN 802.11n PCI-E NIC
Physical Address. . . . . . . . . : 20-7C-8F-3F-79-2F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::353f:1032:5cc6:821d%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, October 12, 2011 7:58:48 PM
Lease Expires . . . . . . . . . . : Wednesday, October 12, 2011 8:58:53 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 320896143
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-26-39-52-60-EB-69-52-54-E4
DNS Servers . . . . . . . . . . . : 24.177.176.38
97.81.22.195
24.178.162.3
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Atheros AR8152 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : 60-EB-69-52-54-E4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{4C3B1288-26B4-462D-87A7-046426459806}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:289b:33c9:b8f7:f756(Preferred)
Link-local IPv6 Address . . . . . : fe80::289b:33c9:b8f7:f756%15(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Pinging google.com [74.125.65.104] with 32 bytes of data:
Reply from 74.125.65.104: bytes=32 time=20ms TTL=52
Reply from 74.125.65.104: bytes=32 time=21ms TTL=52

Ping statistics for 74.125.65.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 21ms, Average = 20ms

Pinging yahoo.com [98.139.180.149] with 32 bytes of data:
Reply from 98.139.180.149: bytes=32 time=76ms TTL=46
Reply from 98.139.180.149: bytes=32 time=171ms TTL=46

Ping statistics for 98.139.180.149:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 76ms, Maximum = 171ms, Average = 123ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
13...20 7c 8f 3f 79 2f ......Realtek RTL8188CE Wireless LAN 802.11n PCI-E NIC
11...60 eb 69 52 54 e4 ......Atheros AR8152 PCI-E Fast Ethernet Controller
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.11 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.11 281
192.168.0.11 255.255.255.255 On-link 192.168.0.11 281
192.168.0.255 255.255.255.255 On-link 192.168.0.11 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.11 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.11 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
15 58 ::/0 On-link
1 306 ::1/128 On-link
15 58 2001::/32 On-link
15 306 2001:0:4137:9e76:289b:33c9:b8f7:f756/128
On-link
13 281 fe80::/64 On-link
15 306 fe80::/64 On-link
15 306 fe80::289b:33c9:b8f7:f756/128
On-link
13 281 fe80::353f:1032:5cc6:821d/128
On-link
1 306 ff00::/8 On-link
15 306 ff00::/8 On-link
13 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 mswsock.dll [File Not found] ()
Catalog5 03 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
x64-Catalog5 01 mswsock.dll [File Not found] ()
x64-Catalog5 02 mswsock.dll [File Not found] ()
x64-Catalog5 03 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog9 02 mswsock.dll [File Not found] ()
x64-Catalog9 03 mswsock.dll [File Not found] ()
x64-Catalog9 04 mswsock.dll [File Not found] ()
x64-Catalog9 05 mswsock.dll [File Not found] ()
x64-Catalog9 06 mswsock.dll [File Not found] ()
x64-Catalog9 07 mswsock.dll [File Not found] ()
x64-Catalog9 08 mswsock.dll [File Not found] ()
x64-Catalog9 09 mswsock.dll [File Not found] ()
x64-Catalog9 10 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/12/2011 08:12:15 PM) (Source: Toshiba App Place) (User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
at System.Timers.Timer.set_Enabled(Boolean value)
at SnappCloud.ActivationReminder.AraClient.PostInit()
at SnappCloud.ActivationReminder.Program.Main(String[] args)

Error: (10/12/2011 07:52:36 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/12/2011 07:52:36 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Lock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/12/2011 04:49:07 PM) (Source: Toshiba App Place) (User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
at System.Timers.Timer.set_Enabled(Boolean value)
at SnappCloud.ActivationReminder.AraClient.PostInit()
at SnappCloud.ActivationReminder.Program.Main(String[] args)

Error: (10/12/2011 02:24:35 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/12/2011 02:24:34 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Lock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/12/2011 01:35:12 PM) (Source: Toshiba App Place) (User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
at System.Timers.Timer.set_Enabled(Boolean value)
at SnappCloud.ActivationReminder.AraClient.PostInit()
at SnappCloud.ActivationReminder.Program.Main(String[] args)

Error: (10/12/2011 10:23:10 AM) (Source: Application Error) (User: )
Description: Faulting application name: dleacoms.exe, version: 9.2.33.0, time stamp: 0x4b200765
Faulting module name: dleaserv.dll, version: 9.2.33.0, time stamp: 0x4b200879
Exception code: 0xc0000005
Fault offset: 0x00000000000adbdd
Faulting process id: 0x6a8
Faulting application start time: 0xdleacoms.exe0
Faulting application path: dleacoms.exe1
Faulting module path: dleacoms.exe2
Report Id: dleacoms.exe3

Error: (10/12/2011 07:37:08 AM) (Source: Toshiba App Place) (User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
at System.Timers.Timer.set_Enabled(Boolean value)
at SnappCloud.ActivationReminder.AraClient.PostInit()
at SnappCloud.ActivationReminder.Program.Main(String[] args)

Error: (10/11/2011 10:15:22 PM) (Source: Bonjour Service) (User: )
Description: mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)


System errors:
=============
Error: (10/12/2011 08:15:18 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (10/12/2011 08:13:06 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (10/12/2011 08:13:06 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (10/12/2011 08:12:10 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.

Error: (10/12/2011 07:59:05 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (10/12/2011 07:59:04 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (10/12/2011 07:59:04 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (10/12/2011 07:59:04 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (10/12/2011 07:58:56 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (10/12/2011 07:58:52 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.


Microsoft Office Sessions:
=========================
Error: (10/12/2011 08:12:15 PM) (Source: Toshiba App Place)(User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
at System.Timers.Timer.set_Enabled(Boolean value)
at SnappCloud.ActivationReminder.AraClient.PostInit()
at SnappCloud.ActivationReminder.Program.Main(String[] args)

Error: (10/12/2011 07:52:36 PM) (Source: Bonjour Service)(User: )
Description: mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/12/2011 07:52:36 PM) (Source: Bonjour Service)(User: )
Description: mDNSCoreMachineSleep: mDNS_Lock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/12/2011 04:49:07 PM) (Source: Toshiba App Place)(User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
at System.Timers.Timer.set_Enabled(Boolean value)
at SnappCloud.ActivationReminder.AraClient.PostInit()
at SnappCloud.ActivationReminder.Program.Main(String[] args)

Error: (10/12/2011 02:24:35 PM) (Source: Bonjour Service)(User: )
Description: mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/12/2011 02:24:34 PM) (Source: Bonjour Service)(User: )
Description: mDNSCoreMachineSleep: mDNS_Lock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)

Error: (10/12/2011 01:35:12 PM) (Source: Toshiba App Place)(User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
at System.Timers.Timer.set_Enabled(Boolean value)
at SnappCloud.ActivationReminder.AraClient.PostInit()
at SnappCloud.ActivationReminder.Program.Main(String[] args)

Error: (10/12/2011 10:23:10 AM) (Source: Application Error)(User: )
Description: dleacoms.exe9.2.33.04b200765dleaserv.dll9.2.33.04b200879c000000500000000000adbdd6a801cc88b8ce1ef5d5C:\windows\system32\dleacoms.exeC:\windows\system32\dleaserv.dll174c1a93-f4e6-11e0-a047-60eb695254e4

Error: (10/12/2011 07:37:08 AM) (Source: Toshiba App Place)(User: )
Description: System.ArgumentOutOfRangeException: Number must be either non-negative and less than or equal to Int32.MaxValue or -1.
Parameter name: dueTime
Stack Trace:
at System.Threading.Timer..ctor(TimerCallback callback, Object state, Int32 dueTime, Int32 period)
at System.Timers.Timer.set_Enabled(Boolean value)
at SnappCloud.ActivationReminder.AraClient.PostInit()
at SnappCloud.ActivationReminder.Program.Main(String[] args)

Error: (10/11/2011 10:15:22 PM) (Source: Bonjour Service)(User: )
Description: mDNSCoreMachineSleep: mDNS_Unlock: Locking failure! mDNS_busy (1) != mDNS_reentrancy (0)


=========================== Installed Programs ============================

Adobe Flash Player 10 ActiveX (Version: 10.1.53.64)
Adobe Flash Player 11 Plugin 64-bit (Version: 11.0.1.152)
Adobe Reader 9.4.2 (Version: 9.4.2)
Adobe Shockwave Player 11.6 (Version: 11.6.1.629)
Amazon Links (Version: 2.02)
Apple Application Support (Version: 1.5.2)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (Version: 1.0.0.26)
AVG 2011 (Version: 10.0.1410)
AVG 2011 (Version: 10.0.1522)
Bejeweled 2 Deluxe (Version: 2.2.0.95)
Bonjour (Version: 3.0.0.2)
Build-a-lot 2 (Version: 2.2.0.95)
Catan Online World (Version: 3.728)
CCleaner (Version: 3.02)
Chuzzle Deluxe (Version: 2.2.0.95)
Cisco EAP-FAST Module (Version: 2.2.14)
Cisco LEAP Module (Version: 1.0.19)
Cisco PEAP Module (Version: 1.1.6)
Conexant HD Audio (Version: 4.119.0.60)
Coupon Printer for Windows (Version: 5.0.0.1)
Dell V310-V510 Series
e-Sword (Version: 9.09.0000)
FATE (Version: 2.2.0.95)
File Type Assistant
FinalTorrent 2011
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.69)
I SPY Fun House (Version: 2.2.0.95)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.2086)
Intel® Management Engine Components (Version: 6.0.0.1179)
Intel® Rapid Storage Technology (Version: 9.6.1.1001)
iTunes (Version: 10.4.1.10)
Jewel Quest - Heritage (Version: 2.2.0.95)
Junk Mail filter update (Version: 14.0.8117.416)
Label@Once 1.0 (Version: 1.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
McAfee SiteAdvisor (Version: 3.4.143)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Office 2010 (Version: 14.0.4763.1000)
Microsoft Silverlight (Version: 3.0.40624.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Mozilla Firefox 7.0.1 (x86 en-US) (Version: 7.0.1)
MSVCRT (Version: 14.0.1468.721)
OpenOffice.org 3.2 (Version: 3.2.9502)
Plants vs. Zombies (Version: 2.2.0.95)
PlayReady PC Runtime amd64 (Version: 1.3.0)
Polar Bowler (Version: 2.2.0.95)
Quickbooks Financial Center (Version: 2.02)
QuickTime (Version: 7.70.80.34)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer
Realtek USB 2.0 Card Reader (Version: 6.1.7600.30113)
Realtek WLAN Driver (Version: 2.00.0011)
RealUpgrade 1.1 (Version: 1.1.0)
Skype Launcher (Version: 2.01)
Skype Toolbars (Version: 5.0.4137)
Skype™ 5.1 (Version: 5.1.104)
Snagit 10.0.1 (Version: 10.0.1)
swMSM (Version: 12.0.0.1)
Synaptics Pointing Device Driver (Version: 15.0.8.1)
Toshiba App Place (Version: 1.0.2.0)
TOSHIBA Application Installer (Version: 9.0.1.1)
TOSHIBA Assist (Version: 3.00.11)
TOSHIBA Disc Creator (Version: 2.1.0.2 for x64)
TOSHIBA eco Utility (Version: 1.2.7.64)
TOSHIBA Face Recognition (Version: 3.1.3.64)
TOSHIBA Hardware Setup (Version: 4.03.02.00)
TOSHIBA HDD/SSD Alert (Version: 3.1.64.6)
Toshiba Laptop Checkup (Version: 2.0.3.198)
TOSHIBA Media Controller (Version: 1.0.80.3.64)
TOSHIBA Media Controller Plug-in (Version: 1.0.4.9)
Toshiba Online Backup (Version: 2.0.0.24)
TOSHIBA PC Health Monitor (Version: 1.6.0.64)
TOSHIBA Quality Application (Version: 1.0.3)
TOSHIBA Recovery Media Creator (Version: 2.1.0.4 for x64)
TOSHIBA ReelTime (Version: 1.6.05.64)
TOSHIBA Service Station (Version: 2.1.40)
TOSHIBA Supervisor Password (Version: 4.03.02.00)
TOSHIBA Value Added Package (Version: 1.3.2.64)
TOSHIBA Web Camera Application (Version: 1.1.1.15)
ToshibaRegistration (Version: 1.0.4)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update Installer for WildTangent Games App
Virtual Villagers 4 - The Tree of Life (Version: 2.2.0.95)
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
Wheel of Fortune 2 (Version: 2.2.0.95)
WildTangent Games (Version: 1.0.2.4)
WildTangent Games App (Toshiba Games) (Version: 4.0.4.12)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Mail (Version: 14.0.8117.0416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Movie Maker (Version: 14.0.8117.0416)
Windows Live Photo Gallery (Version: 14.0.8117.416)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Sync (Version: 14.0.8117.416)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8117.0416)
WinRAR 4.01 (32-bit) (Version: 4.01.0)
Zuma's Revenge (Version: 2.2.0.95)

========================= Memory info: ===================================

Percentage of memory in use: 46%
Total physical RAM: 3893.86 MB
Available physical RAM: 2075.54 MB
Total Pagefile: 7785.86 MB
Available Pagefile: 5789.07 MB
Total Virtual: 4095.88 MB
Available Virtual: 3977.21 MB

========================= Partitions: =====================================

1 Drive c: (TI105927W0D) (Fixed) (Total:221.1 GB) (Free:147.02 GB) NTFS

========================= Users: ========================================

User accounts for \\TJ-PC

Administrator Guest TJ


**** End of log ****




Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7933

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/12/2011 8:33:53 PM
mbam-log-2011-10-12 (20-33-53).txt

Scan type: Quick scan
Objects scanned: 178967
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateBackup (Trojan.SHarpro.PGen) -> Value: GoogleUpdateBackup -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\2600 (Trojan.Agent) -> Value: 2600 -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\googleupdatebackup.dll (Trojan.SHarpro.PGen) -> Quarantined and deleted successfully.



#2 TJSands

TJSands
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:06:52 PM

Posted 13 October 2011 - 01:14 PM

And here is a link to my original post http://www.bleepingcomputer.com/forums/topic423238.html

#3 TJSands

TJSands
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:06:52 PM

Posted 14 October 2011 - 10:41 AM

I was told that I was infected with ZeroAccess rootkit. Does nobody have any answers for how to fix the issue?

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:02:52 AM

Posted 18 October 2011 - 05:38 AM

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click the dds file to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 TJSands

TJSands
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:06:52 PM

Posted 24 October 2011 - 08:53 PM

This is the DDS.txt:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by TJ at 20:50:51 on 2011-10-24
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3894.2217 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\dleacoms.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\windows\system32\rundll32.exe
C:\windows\SysWOW64\rundll32.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe
C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\Real\RealPlayer\RealPlay.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe
C:\windows\system32\sppsvc.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\system32\wuauclt.exe
C:\windows\servicing\TrustedInstaller.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:59071
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
mWinlogon: Userinit=userinit.exe,
uWindows: Load=C:\Users\TJ\LOCALS~1\Temp\73c8fffd.com
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [DW6] "C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe"
uRun: [Google Update] "C:\Users\TJ\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun: [QuickTime Plugin Install] C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
dRun: [TechSmith Update] rundll32 "C:\windows\system32\config\systemprofile\AppData\Local\Sunbelt Software\SunbeltUpdate\Sunbeltupdt32.DLL",DllRegisterServer
mExplorerRun: [2600] C:\PROGRA~3\LOCALS~1\Temp\221fffe3.com
StartupFolder: C:\Users\TJ\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TCP: DhcpNameServer = 24.177.176.38 71.92.29.130 24.217.201.67
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806} : DhcpNameServer = 24.177.176.38 71.92.29.130 24.217.201.67
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\2464354414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\37475667560236 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\4586560294E6475627775626 : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\74C6F62616C6355796475675962756C6563737 : DhcpNameServer = 4.2.2.1
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\C696E6B6379737 : DhcpNameServer = 24.177.176.38 97.81.22.195 24.178.162.3
TCP: Interfaces\{5C1FBE5E-702D-4FA2-A2B7-0A7B6BC1CF4C} : DhcpNameServer = 24.177.176.38 97.81.22.195 24.178.162.3
TCP: Interfaces\{80A014A8-3E27-450D-AB05-F3C9FDE5AC2A} : DhcpNameServer = 192.168.1.254
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun-x64: [QuickTime Plugin Install] C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\TJ\AppData\Roaming\Mozilla\Firefox\Profiles\4d0ttjfu.default\
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\TJ\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\system32\DRIVERS\avgrkx64.sys --> C:\windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\windows\system32\DRIVERS\avgldx64.sys --> C:\windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\system32\DRIVERS\avgmfx64.sys --> C:\windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\windows\system32\DRIVERS\avgtdia.sys --> C:\windows\system32\DRIVERS\avgtdia.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
R2 dlea_device;dlea_device;C:\windows\system32\dleacoms.exe -service --> C:\windows\system32\dleacoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [2011-8-30 102608]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2010-9-18 123320]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2010-9-18 126392]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-2-25 252928]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-9-18 2320920]
R3 AVGIDSDriver;AVGIDSDriver;C:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 QIOMem;Generic IO & Memory Access;C:\windows\system32\DRIVERS\QIOMem.sys --> C:\windows\system32\DRIVERS\QIOMem.sys [?]
R3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-9-18 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-8-18 7390560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\dleaserv.exe [2009-7-1 33448]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-1 136176]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-1 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\windows\system32\DRIVERS\VSTAZL6.SYS --> C:\windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\windows\system32\DRIVERS\VSTDPV6.SYS --> C:\windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-10-12 03:46:48 3134976 ----a-w- C:\windows\System32\win32k.sys
2011-10-12 03:22:06 613888 ----a-w- C:\windows\System32\psisdecd.dll
2011-10-09 00:07:51 -------- d-----w- C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-06 15:45:13 -------- d-----w- C:\windows\SysWow64\Adobe
2011-10-04 16:44:16 -------- d-----we C:\windows\system64
2011-09-28 20:46:02 34152 ----a-w- C:\windows\System32\drivers\GEARAspiWDM.sys
2011-09-28 20:46:02 126312 ----a-w- C:\windows\System32\GEARAspi64.dll
2011-09-28 20:46:02 107368 ----a-w- C:\windows\SysWow64\GEARAspi.dll
2011-09-28 20:45:31 -------- d-----w- C:\Program Files\iPod
2011-09-28 20:45:30 -------- d-----w- C:\Program Files (x86)\iTunes
2011-09-28 20:45:29 -------- d-----w- C:\Program Files\iTunes
2011-09-28 20:44:47 -------- d-----w- C:\Program Files\Bonjour
2011-09-28 20:44:47 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-09-28 19:56:11 -------- d-----w- C:\windows\pss
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-10-11 23:44:52 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-01 03:21:20 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-10-01 02:59:14 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2011-09-20 14:29:00 295844 ----a-w- C:\ProgramData\SPLCDB.tmp
2011-09-12 13:53:02 463612 ----a-w- C:\ProgramData\SPLDDB8.tmp
2011-08-31 22:00:50 25416 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-08-31 17:34:42 457212 ----a-w- C:\ProgramData\SPL1276.tmp
2011-08-27 05:40:28 861184 ----a-w- C:\windows\System32\oleaut32.dll
2011-08-27 05:40:28 331776 ----a-w- C:\windows\System32\oleacc.dll
2011-08-27 04:43:07 571904 ----a-w- C:\windows\SysWow64\oleaut32.dll
2011-08-27 04:43:06 233472 ----a-w- C:\windows\SysWow64\oleacc.dll
2011-08-20 05:45:20 1197568 ----a-w- C:\windows\System32\wininet.dll
2011-08-20 05:41:16 57856 ----a-w- C:\windows\System32\licmgr10.dll
2011-08-20 04:38:10 981504 ----a-w- C:\windows\SysWow64\wininet.dll
2011-08-20 04:35:20 44544 ----a-w- C:\windows\SysWow64\licmgr10.dll
2011-08-20 04:20:23 482816 ----a-w- C:\windows\System32\html.iec
2011-08-20 03:26:38 386048 ----a-w- C:\windows\SysWow64\html.iec
2011-08-17 05:27:46 75776 ----a-w- C:\windows\System32\MSDvbNP.ax
2011-08-17 05:27:46 288256 ----a-w- C:\windows\System32\MSNP.ax
2011-08-17 05:27:46 108032 ----a-w- C:\windows\System32\psisrndr.ax
2011-08-17 05:27:46 104960 ----a-w- C:\windows\System32\Mpeg2Data.ax
2011-08-17 04:26:02 465408 ----a-w- C:\windows\SysWow64\psisdecd.dll
2011-08-17 04:22:23 75776 ----a-w- C:\windows\SysWow64\psisrndr.ax
2011-08-17 04:22:23 72704 ----a-w- C:\windows\SysWow64\Mpeg2Data.ax
2011-08-17 04:22:23 59904 ----a-w- C:\windows\SysWow64\MSDvbNP.ax
2011-08-17 04:22:23 204288 ----a-w- C:\windows\SysWow64\MSNP.ax
.
============= FINISH: 20:51:15.92 ===============

#6 TJSands (Topic Starter, Members, 30 posts)

Posted 24 October 2011 - 08:55 PM

This is the ATTACH.txt


Edited by TJSands, 24 October 2011 - 08:59 PM.


#7 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Location: Finland)

Posted 24 October 2011 - 11:35 PM

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#8 TJSands (Topic Starter, Members, 30 posts)

Posted 25 October 2011 - 06:11 AM

Hey Bleepin' Rocker, I really appreciate your help on this.

I am going to work here shortly, so I will not be able to download and run ComboFix until I get home this afternoon. But I will do as you requested as soon as I get home and post the results.

But I also wanted to give you a quick update to let you know how bad it has gotten on my computer. Anytime I reboot my computer (whether for updates, or after a virus/malware scan) it fails to restart. It goes to the system repair screen and after it tries that it fails as well. The only way I can get Windows 7 to restart is by doing a system restore (and sometimes that even takes a few times).

Talk to you shortly, and thanks again.

#9 TJSands (Topic Starter, Members, 30 posts)

Posted 25 October 2011 - 08:47 PM

OK, I finally was able to run ComboFix. Here is the log:


ComboFix 11-10-25.04 - TJ 10/25/2011 20:30:41.1.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3894.2893 [GMT -5:00]
Running from: c:\users\TJ\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\SPL1276.tmp
c:\programdata\SPLC26.tmp
c:\programdata\SPLCDB.tmp
c:\programdata\SPLDDB8.tmp
c:\users\TJ\AppData\Roaming\5ABE.C00
c:\users\TJ\AppData\Roaming\Adobe\plugs
c:\users\TJ\AppData\Roaming\Adobe\shed
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\00000001.@
c:\windows\assembly\tmp\U\00000002.@
c:\windows\assembly\tmp\U\00000004.@
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\80000004.@
c:\windows\assembly\tmp\U\80000032.@
c:\windows\assembly\tmp\U\80000064.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.@
c:\windows\system32\consrv.dll
c:\windows\system32\Thumbs.db
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-09-26 to 2011-10-26 )))))))))))))))))))))))))))))))
.
.
2011-10-26 01:35 . 2011-10-26 01:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-26 01:21 . 2011-10-26 01:37 -------- d-----w- C:\32788R22FWJFW
2011-10-26 00:49 . 2011-10-26 00:49 -------- d-----w- c:\users\TJ\AppData\Local\ElevatedDiagnostics
2011-10-25 02:45 . 2011-10-26 02:56 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-10-25 02:45 . 2011-10-26 02:56 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-18 22:50 . 2011-10-18 22:50 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2011-10-18 22:50 . 2011-10-18 22:50 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer
2011-10-12 03:46 . 2011-09-06 03:07 3134976 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 03:22 . 2011-08-17 05:32 613888 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-11 22:45 . 2011-10-26 03:21 -------- d-----w- c:\windows\system32\Macromed
2011-10-09 00:07 . 2011-10-09 00:07 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-06 15:45 . 2011-10-06 15:45 -------- d-----w- c:\windows\SysWow64\Adobe
2011-10-06 14:38 . 2011-10-06 14:38 -------- d-----w- c:\programdata\Local Settings
2011-10-04 17:19 . 2011-10-04 17:19 -------- d-----w- c:\windows\Sun
2011-09-28 20:46 . 2009-05-18 18:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-09-28 20:46 . 2008-04-17 17:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2011-09-28 20:46 . 2008-04-17 17:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2011-09-28 20:45 . 2011-09-28 20:45 -------- d-----w- c:\program files\iPod
2011-09-28 20:45 . 2011-09-28 20:45 -------- d-----w- c:\program files (x86)\iTunes
2011-09-28 20:45 . 2011-09-28 20:45 -------- d-----w- c:\program files\iTunes
2011-09-28 20:44 . 2011-10-26 03:33 -------- d-----w- c:\program files\Bonjour
2011-09-28 20:44 . 2011-09-28 20:44 -------- d-----w- c:\program files (x86)\Bonjour
2011-09-28 01:27 . 2011-09-28 01:27 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2011-09-28 01:27 . 2011-09-28 01:27 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2011-09-28 01:27 . 2011-09-28 01:27 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2011-09-28 01:27 . 2011-09-28 01:27 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2011-09-28 01:27 . 2011-09-28 01:27 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2011-09-28 01:27 . 2011-09-28 01:27 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2011-09-28 01:27 . 2011-09-28 01:27 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-11 23:44 . 2011-08-26 20:20 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-31 22:00 . 2010-12-07 02:44 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-02 39408]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-01-03 15028104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-06-11 552960]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2011-03-15 273544]
"QuickTime Plugin Install"="c:\program files (x86)\QuickTime\Plugins\DeleteMe1.exe" [2011-09-28 86016]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-06-03 3218792]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-08-19 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o&inst=NzctNzIyNjIwMDcwLUZJKzEtRkwxMCsxLUREVCs0MDc0MC1MU0QrMi1TVDEwRkFQUCsxLUREMTBGKzEtUzEwRkRERisxLUYxME0xMkFUKzItRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEwKzEtRjEwTTEyQVRCTisx&prod=90&ver=10.0.1411" [?]
.
c:\users\TJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
2;2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [x]
2;2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [2009-07-01 33448]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-02 136176]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-02 136176]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe [2010-05-22 1052328]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe [2011-08-10 102608]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2009-08-24 126392]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-02-26 252928]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [x]
S3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-26 c:\windows\Tasks\FinalTorrent Update Checker.job
- c:\program files (x86)\FinalTorrent\FTCheckForUpdates.exe [2011-03-11 22:50]
.
2011-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-02 02:08]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-02 02:08]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-26 410648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-26 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-26 391192]
"EzPrint"="c:\program files (x86)\Dell V310-V510 Series\ezprint.exe" [2010-08-09 139944]
"dleamon.exe"="c:\program files (x86)\Dell V310-V510 Series\dleamon.exe" [2010-08-09 770728]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-10 520760]
"combofix"="c:\combofix\CF11253.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:59071
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 24.177.176.38 71.92.29.130 24.217.201.67
FF - ProfilePath - c:\users\TJ\AppData\Roaming\Mozilla\Firefox\Profiles\4d0ttjfu.default\
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62133&p=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-DW6 - c:\program files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe
Wow6432Node-HKU-Default-Run-TechSmith Update - c:\windows\system32\config\systemprofile\AppData\Local\Sunbelt Software\SunbeltUpdate\Sunbeltupdt32.DLL
Wow6432Node-HKLM-Explorer_Run-2600 - c:\progra~3\LOCALS~1\Temp\221fffe3.com
Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.3.198\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2011-10-25 20:43:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-26 01:43
.
Pre-Run: 160,174,649,344 bytes free
Post-Run: 160,056,057,856 bytes free
.
- - End Of File - - EBF9CFD297BC65F9441BA25D6893CE61

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:52 AM

Posted 25 October 2011 - 11:48 PM

Hi,

Please post a fresh dds.txt log too.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#11 TJSands

TJSands
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 26 October 2011 - 06:03 AM

Here is the new DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by TJ at 6:02:14 on 2011-10-26
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3894.2283 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\dleacoms.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\windows\system32\rundll32.exe
C:\windows\SysWOW64\rundll32.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\windows\Explorer.EXE
C:\windows\system32\Dwm.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe
C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?brand=TSND&bmod=TSND
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSND&bmod=TSND
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:59071
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun: [QuickTime Plugin Install] C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o"&"inst=NzctNzIyNjIwMDcwLUZJKzEtRkwxMCsxLUREVCs0MDc0MC1MU0QrMi1TVDEwRkFQUCsxLUREMTBGKzEtUzEwRkRERisxLUYxME0xMkFUKzItRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEwKzEtRjEwTTEyQVRCTisx"&"prod=90"&"ver=10.0.1411
mExplorerRun: [2600] C:\PROGRA~3\LOCALS~1\Temp\221fffe3.com
StartupFolder: C:\Users\TJ\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TCP: DhcpNameServer = 24.177.176.38 71.92.29.130 24.217.201.67
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806} : DhcpNameServer = 24.177.176.38 71.92.29.130 24.217.201.67
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\2464354414 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\37475667560236 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\4586560294E6475627775626 : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\74C6F62616C6355796475675962756C6563737 : DhcpNameServer = 4.2.2.1
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\777777E20736149627C496E6B6E236F6D6 : DhcpNameServer = 10.1.0.1 207.203.159.23 205.152.37.23
TCP: Interfaces\{4C3B1288-26B4-462D-87A7-046426459806}\C696E6B6379737 : DhcpNameServer = 24.177.176.38 97.81.22.195 24.178.162.3
TCP: Interfaces\{5C1FBE5E-702D-4FA2-A2B7-0A7B6BC1CF4C} : DhcpNameServer = 24.177.176.38 97.81.22.195 24.178.162.3
TCP: Interfaces\{80A014A8-3E27-450D-AB05-F3C9FDE5AC2A} : DhcpNameServer = 192.168.1.254
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun-x64: [QuickTime Plugin Install] C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce-x64: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o"&"inst=NzctNzIyNjIwMDcwLUZJKzEtRkwxMCsxLUREVCs0MDc0MC1MU0QrMi1TVDEwRkFQUCsxLUREMTBGKzEtUzEwRkRERisxLUYxME0xMkFUKzItRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEwKzEtRjEwTTEyQVRCTisx"&"prod=90"&"ver=10.0.1411
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\TJ\AppData\Roaming\Mozilla\Firefox\Profiles\4d0ttjfu.default\
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=62133&p=
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 dlea_device;dlea_device;C:\windows\system32\dleacoms.exe -service --> C:\windows\system32\dleacoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [2011-8-30 102608]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2010-9-18 123320]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2010-9-18 126392]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-2-25 252928]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-9-18 2320920]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 QIOMem;Generic IO & Memory Access;C:\windows\system32\DRIVERS\QIOMem.sys --> C:\windows\system32\DRIVERS\QIOMem.sys [?]
R3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\dleaserv.exe [2009-7-1 33448]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-1 136176]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-1 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\windows\system32\DRIVERS\VSTAZL6.SYS --> C:\windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\windows\system32\DRIVERS\VSTDPV6.SYS --> C:\windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-9-18 51512]
S3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-10-26 01:47:00 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E6265556-E71E-4031-B895-75C174D3B796}\offreg.dll
2011-10-26 01:46:59 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E6265556-E71E-4031-B895-75C174D3B796}\mpengine.dll
2011-10-26 01:46:42 6144 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-10-26 01:46:42 6144 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-10-26 01:37:40 -------- d-sh--w- C:\$RECYCLE.BIN
2011-10-26 01:28:28 98816 ----a-w- C:\windows\sed.exe
2011-10-26 01:28:28 518144 ----a-w- C:\windows\SWREG.exe
2011-10-26 01:28:28 256000 ----a-w- C:\windows\PEV.exe
2011-10-26 01:28:28 208896 ----a-w- C:\windows\MBR.exe
2011-10-26 01:25:41 -------- d-----w- C:\windows\SysWow64\drivers\AVG
2011-10-26 00:49:52 -------- d-----w- C:\Users\TJ\AppData\Local\ElevatedDiagnostics
2011-10-25 02:45:41 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-10-25 02:45:25 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-10-12 03:46:48 3134976 ----a-w- C:\windows\System32\win32k.sys
2011-10-12 03:22:06 613888 ----a-w- C:\windows\System32\psisdecd.dll
2011-10-09 00:07:51 -------- d-----w- C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-06 15:45:13 -------- d-----w- C:\windows\SysWow64\Adobe
2011-09-28 20:46:02 34152 ----a-w- C:\windows\System32\drivers\GEARAspiWDM.sys
2011-09-28 20:46:02 126312 ----a-w- C:\windows\System32\GEARAspi64.dll
2011-09-28 20:46:02 107368 ----a-w- C:\windows\SysWow64\GEARAspi.dll
2011-09-28 20:45:31 -------- d-----w- C:\Program Files\iPod
2011-09-28 20:45:30 -------- d-----w- C:\Program Files (x86)\iTunes
2011-09-28 20:45:29 -------- d-----w- C:\Program Files\iTunes
2011-09-28 20:44:47 -------- d-----w- C:\Program Files\Bonjour
2011-09-28 20:44:47 -------- d-----w- C:\Program Files (x86)\Bonjour
2011-09-28 19:56:11 -------- d-----w- C:\windows\pss
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2011-09-28 01:27:58 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-10-11 23:44:52 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-01 03:21:20 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-10-01 02:59:14 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2011-08-31 22:00:50 25416 ----a-w- C:\windows\System32\drivers\mbam.sys
2011-08-27 05:40:28 861184 ----a-w- C:\windows\System32\oleaut32.dll
2011-08-27 05:40:28 331776 ----a-w- C:\windows\System32\oleacc.dll
2011-08-27 04:43:07 571904 ----a-w- C:\windows\SysWow64\oleaut32.dll
2011-08-27 04:43:06 233472 ----a-w- C:\windows\SysWow64\oleacc.dll
2011-08-20 05:45:20 1197568 ----a-w- C:\windows\System32\wininet.dll
2011-08-20 05:41:16 57856 ----a-w- C:\windows\System32\licmgr10.dll
2011-08-20 04:38:10 981504 ----a-w- C:\windows\SysWow64\wininet.dll
2011-08-20 04:35:20 44544 ----a-w- C:\windows\SysWow64\licmgr10.dll
2011-08-20 04:20:23 482816 ----a-w- C:\windows\System32\html.iec
2011-08-20 03:26:38 386048 ----a-w- C:\windows\SysWow64\html.iec
2011-08-17 05:27:46 75776 ----a-w- C:\windows\System32\MSDvbNP.ax
2011-08-17 05:27:46 288256 ----a-w- C:\windows\System32\MSNP.ax
2011-08-17 05:27:46 108032 ----a-w- C:\windows\System32\psisrndr.ax
2011-08-17 05:27:46 104960 ----a-w- C:\windows\System32\Mpeg2Data.ax
2011-08-17 04:26:02 465408 ----a-w- C:\windows\SysWow64\psisdecd.dll
2011-08-17 04:22:23 75776 ----a-w- C:\windows\SysWow64\psisrndr.ax
2011-08-17 04:22:23 72704 ----a-w- C:\windows\SysWow64\Mpeg2Data.ax
2011-08-17 04:22:23 59904 ----a-w- C:\windows\SysWow64\MSDvbNP.ax
2011-08-17 04:22:23 204288 ----a-w- C:\windows\SysWow64\MSNP.ax
.
============= FINISH: 6:02:32.72 ===============

#12 TJSands

TJSands
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 26 October 2011 - 06:05 AM

And here:

Attached Files



#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:52 AM

Posted 26 October 2011 - 11:34 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:59071
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mExplorerRun: [2600] C:\PROGRA~3\LOCALS~1\Temp\221fffe3.com
TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[Image: CFScript being dragged onto ComboFix.exe]

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1 and the separate 10.1.1 update for it) here, or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
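
As an added example (not part of Blade81's instructions, nor code from ComboFix or DDS), the following PowerShell script audits, read-only, the same registry locations the CFScript above targets: the per-user WinINet proxy, the Policies\Explorer\Run autostart (DDS reports this as mExplorerRun/uExplorerRun; that mapping is assumed here), and BHO/IE-toolbar CLSIDs that no longer resolve to a file (what DDS prints as "No File"). It removes nothing; it is meant to confirm, before and after a fix, whether such entries are present. The loopback test mirrors the http=127.0.0.1:59071 proxy from this thread; the SUSPICIOUS/ORPHANED labels and the Temp/.com heuristic are my own assumptions, not something the page states.

```powershell
# Added example: read-only audit of the registry locations the CFScript targets.
# Not from the thread or from ComboFix/DDS. Run in an elevated PowerShell on
# the affected machine. Assumptions: DDS 'mExplorerRun'/'uExplorerRun' map to
# HKLM/HKCU ...\Policies\Explorer\Run, and 'No File' means the CLSID has no
# InprocServer32 path in either the native or the Wow6432Node registry view.

function Resolve-ClsidFile {
    # Return the DLL a CLSID is registered to and whether it exists on disk;
    # $null when the CLSID is not registered in either view.
    param([string]$Clsid)
    foreach ($base in 'HKLM:\Software\Classes\CLSID',
                      'HKLM:\Software\Wow6432Node\Classes\CLSID') {
        $key = Join-Path $base "$Clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables(([string]$dll).Trim('"'))
            return [pscustomobject]@{ Path = $dll; Exists = ($dll -ne '' -and (Test-Path -LiteralPath $dll)) }
        }
    }
    return $null
}

function Get-CommandExe {
    # Pull the executable path out of an autostart command line (quoted or not).
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return '' }
    $c = $Command.Trim()
    $end = $c.IndexOf('"', 1)
    $exe = if ($c.StartsWith('"') -and $end -gt 1) { $c.Substring(1, $end - 1) } else { ($c -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Add-Finding {
    param([string]$Area, [string]$Item, [string]$Status)
    $script:findings += [pscustomobject]@{ Area = $Area; Item = $Item; Status = $Status }
}

$script:findings = @()

# 1. WinINet proxy (DDS 'uInternet Settings'). A proxy on 127.0.0.1 with a high
#    port routes every IE/WinINet request through a local process first. Note
#    that ProxyServer can be populated while ProxyEnable is 0, which is exactly
#    what the MiniToolBox output in this thread showed ("Proxy is not enabled").
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyServer) {
    $status = if ($inet.ProxyServer -match '127\.0\.0\.1|localhost') { 'SUSPICIOUS' } else { 'review' }
    Add-Finding 'Proxy' "ProxyServer=$($inet.ProxyServer) ProxyEnable=$($inet.ProxyEnable) ProxyOverride=$($inet.ProxyOverride)" $status
}

# 2. Policies\Explorer\Run. Legitimate software almost never uses it; a command
#    launched from a Temp directory, a .com file, or a path that no longer
#    exists is the pattern in the mExplorerRun line of the CFScript.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $cmd = [string]$prop.Value
        $exe = Get-CommandExe $cmd
        $bad = ($cmd -match '\\Temp\\|\.com(\s|$)') -or ($exe -eq '') -or -not (Test-Path -LiteralPath $exe)
        Add-Finding "ExplorerRun ($hive)" "$($prop.Name) = $cmd" $(if ($bad) { 'SUSPICIOUS' } else { 'review' })
    }
}

# 3. BHOs (one subkey per CLSID) and IE toolbars (one value per CLSID), in both
#    registry views. An entry whose CLSID resolves to no file is an orphan and
#    should be removed even though the payload it once loaded may be gone.
$bhoKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($key in $bhoKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $r = Resolve-ClsidFile $sub.PSChildName
        $target = if ($r) { $r.Path } else { 'No File' }
        Add-Finding 'BHO' "$($sub.PSChildName) -> $target" $(if (-not $r -or -not $r.Exists) { 'ORPHANED' } else { 'ok' })
    }
}

$tbKeys = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
          'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
foreach ($key in $tbKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' })) {
        $r = Resolve-ClsidFile $prop.Name
        $target = if ($r) { $r.Path } else { 'No File' }
        Add-Finding 'Toolbar' "$($prop.Name) -> $target" $(if (-not $r -or -not $r.Exists) { 'ORPHANED' } else { 'ok' })
    }
}

$script:findings | Sort-Object Status | Format-Table -AutoSize
```

Run it once before applying the CFScript and once after ComboFix has finished: the Proxy and ExplorerRun findings should be gone and the two orphaned CLSIDs should no longer be listed. Because the script only reads the registry, it is safe to run while the machine is still infected, but on a system with a live kernel-mode rootkit the registry view it sees can itself be filtered, so a clean result from it does not replace the scans Blade81 asked for.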


#14 TJSands

TJSands
  • Topic Starter

  • Members
  • 30 posts
  • Local time:06:52 PM

Posted 26 October 2011 - 05:05 PM

Here is the new ComboFix log following the instructions you gave:

Attached Files



#15 TJSands

TJSands
  • Topic Starter

  • Members
  • 30 posts
  • Local time:06:52 PM

Posted 26 October 2011 - 06:35 PM

ESET Scanner results:

C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\80000032.@.vir a variant of Win32/Olmarik.AVQ trojan
C:\System Volume Information\SystemRestore\FRStaging\Windows\assembly\tmp\U\80000032.@ a variant of Win32/Olmarik.AVQ trojan
C:\Users\TJ\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\2bc3143e-29c7f697 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\TJ\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\2bc3143e-6af47ff8 a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2VQMKZR5\blackandwhitelesbians_in[2].htm JS/Kryptik.CW trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJCC2RL2\blackandwhitelesbians_in[1].htm JS/Kryptik.CW trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-12ae54a2 a variant of Java/Agent.DT trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-2ea290c1 a variant of Java/Agent.DT trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-2f8fe32d a variant of Java/Agent.DT trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-464f9418 a variant of Java/Agent.DT trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-67daf7b7 a variant of Java/Agent.DT trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-7342f879 a variant of Java/Agent.DT trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2VQMKZR5\blackandwhitelesbians_in[2].htm JS/Kryptik.CW trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LJCC2RL2\blackandwhitelesbians_in[1].htm JS/Kryptik.CW trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-12ae54a2 a variant of Java/Agent.DT trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-2ea290c1 a variant of Java/Agent.DT trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-2f8fe32d a variant of Java/Agent.DT trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-464f9418 a variant of Java/Agent.DT trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-67daf7b7 a variant of Java/Agent.DT trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-7342f879 a variant of Java/Agent.DT trojan
