
Laptop Infected? Redirects on Google, weird popups


This topic is locked
16 replies to this topic

#1 heather529 (Members, 8 posts)

Posted 21 November 2011 - 10:51 AM

First, I am running in safe mode and having issues doing the required scans, but I can't run outside of safe mode (everything gets blocked). I was unable to run a GMER (an error message popped up that said "unable to find system modification"), but I could run the DDS and it is attached. Not requested, but because I couldn't do a GMER, I did a Hijack, and that is attached if it can help.

What is happening: Chrome stopped working this morning, so I downloaded Firefox. When I downloaded it, AV 2011 downloaded as well. This program started posting all kinds of weird stuff to my desktop and blocking normal applications to the point that I couldn't do much of anything. I tried uninstalling it, but was unsuccessful (I found the uninstall instructions on this site). Then, when I searched in Google for more instructions, it started redirecting me to other sites....

I am a freelance writer and this computer is my paycheck... I'm in panic mode :o

Attached Files





#2 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 23 November 2011 - 12:30 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download ComboFix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double-click on ComboFix.exe and follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [donate button]


#3 heather529 (Topic Starter, Members, 8 posts)

Posted 23 November 2011 - 08:33 AM

Hello and thank you for the reply. Attached is the requested log file. I am out of running in Safe Mode, but still getting popups on the desktop about malware blocks....

Heather

ComboFix 11-11-22.03 - Heather LaVine 11/23/2011 8:06.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.648 [GMT -5:00]
Running from: c:\users\Heather LaVine\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\iWin Games\iWinGamesHookIE.dll
c:\program files (x86)\LP
c:\program files (x86)\LP\8AD5\8632.tmp
c:\program files (x86)\LP\8AD5\FF84.tmp
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setup.dll
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.dat
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.exe
c:\programdata\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.ico
c:\users\Heather LaVine\Desktop\AV Protection 2011.lnk
c:\users\Heather LaVine\Documents\~WRL0001.tmp
c:\users\Heather LaVine\Documents\~WRL0003.tmp
c:\users\Heather LaVine\Documents\~WRL0004.tmp
c:\users\Heather LaVine\Documents\~WRL0005.tmp
c:\users\Heather LaVine\Documents\~WRL2645.tmp
c:\users\Heather LaVine\Documents\~WRL3322.tmp
c:\users\Heather LaVine\Documents\~WRL3455.tmp
c:\users\Heather LaVine\Documents\~WRL3901.tmp
c:\windows\system32\consrv.dll
c:\windows\system32\Thumbs.db
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-10-23 to 2011-11-23 )))))))))))))))))))))))))))))))
.
.
2011-11-23 13:16 . 2011-11-23 13:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-22 13:03 . 2011-11-22 13:03 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\Malwarebytes
2011-11-22 13:03 . 2011-11-22 13:03 -------- d-----w- c:\programdata\Malwarebytes
2011-11-22 13:03 . 2011-11-22 13:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-11-22 13:03 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-22 12:53 . 2011-11-22 12:53 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\QppnG44QH6WKfLg
2011-11-22 12:48 . 2011-11-22 12:48 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\RbbDD3onG4a
2011-11-22 12:48 . 2011-11-22 12:48 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\NIVVrllONtxPuc1
2011-11-22 12:48 . 2011-11-22 12:48 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\hrlONtxP0c1b3n4
2011-11-22 12:47 . 2011-11-22 12:47 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\gNyxA0uvSiFpGa
2011-11-22 12:47 . 2011-11-22 12:47 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\L5sQJ6dEKfZhXjC
2011-11-21 16:35 . 2011-11-21 16:35 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\xuuvD2obF4mGsJ
2011-11-21 16:35 . 2011-11-21 16:35 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\g9hhYXwjelBtPyA
2011-11-21 16:35 . 2011-11-21 16:35 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\f4pmmG5sJ6dEfZh
2011-11-21 16:35 . 2011-11-21 16:35 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\tUUUVVelOBtP0A1
2011-11-21 16:35 . 2011-11-21 16:35 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\pssWWJ7dE
2011-11-21 14:50 . 2011-11-21 14:50 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\wmmGG5aaQJ6WK
2011-11-21 14:50 . 2011-11-21 14:50 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\SNNNyxxA1uvSob3
2011-11-21 14:50 . 2011-11-21 14:50 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\o8RZ99hYXwjVeIt
2011-11-21 14:49 . 2011-11-21 14:49 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\aFFF4ppmG5sQ6
2011-11-21 14:49 . 2011-11-21 14:49 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\AKgZZYwUl
2011-11-21 14:45 . 2011-11-21 14:45 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\E44ppGGsJ6dK8R9
2011-11-21 14:45 . 2011-11-21 14:45 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\IBBtzNcA1
2011-11-21 14:44 . 2011-11-21 14:44 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\bCwkkIVrrlNPuS
2011-11-21 14:44 . 2011-11-21 14:44 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\yRRLL9ggTXqYCk
2011-11-21 14:44 . 2011-11-21 14:44 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\OuuvSS2ibF3pG5Q
2011-11-21 14:24 . 2011-11-22 13:42 -------- d-----w- c:\program files (x86)\0E718
2011-11-21 14:24 . 2011-11-21 14:24 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\nHWfLgZhCkVlBx0
2011-11-21 14:04 . 2011-11-21 14:04 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\0E718
2011-11-21 14:04 . 2011-11-21 14:04 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\FcccS11ibD3oG4m
2011-11-21 14:04 . 2011-11-21 14:04 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\ZjjYYCwkIVrlOtP
2011-11-21 14:03 . 2011-11-22 13:42 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\5A30E
2011-11-21 14:03 . 2011-11-21 14:03 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\V4aamHH6sWJ7ELg
2011-11-21 14:03 . 2011-11-21 14:03 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\YWWWK88fRL9TXjU
2011-11-21 14:03 . 2011-11-21 14:03 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\FK8RhXjeIBzPNxA
2011-11-21 14:00 . 2011-11-21 14:00 -------- d-----w- c:\users\Heather LaVine\AppData\Local\Mozilla
2011-11-21 12:38 . 2011-11-21 12:38 -------- d-----w- c:\programdata\McAfee
2011-11-19 16:02 . 2011-11-19 16:02 -------- d-----w- c:\programdata\Symantec
2011-11-18 12:24 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{650AC774-7E01-4241-88CD-87A68DB80B70}\mpengine.dll
2011-11-14 13:35 . 2011-11-14 13:35 -------- d-----w- c:\program files (x86)\Tracker
2011-11-11 17:43 . 2011-11-11 17:44 -------- d-----w- c:\program files (x86)\SweetIM
2011-11-11 17:43 . 2011-11-11 17:43 -------- d-----w- c:\programdata\SweetIM
2011-11-11 17:43 . 2011-11-11 17:49 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\SnapTeam
2011-11-11 17:42 . 2011-11-11 17:42 -------- d-----w- c:\program files (x86)\Snap
2011-11-08 20:53 . 2011-10-01 05:28 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-08 20:53 . 2011-10-01 04:43 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-08 20:53 . 2011-09-29 16:24 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-08 20:53 . 2011-09-29 04:09 3141120 ----a-w- c:\windows\system32\win32k.sys
2011-11-06 20:11 . 2011-11-06 20:11 499712 ----a-w- c:\windows\SysWow64\vbeditor.ocx
2011-11-06 20:11 . 2011-11-06 20:11 319488 ----a-w- c:\windows\SysWow64\vbeditorprint.ocx
2011-11-06 20:10 . 2011-11-06 20:10 -------- d-----w- C:\AKidsHeart
2011-11-01 20:16 . 2011-11-01 20:16 -------- d-----w- c:\program files (x86)\NetRatingsNetSight
2011-11-01 19:09 . 2011-11-01 19:09 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\Sammsoft
2011-11-01 19:09 . 2011-11-01 19:09 -------- d-----w- c:\program files (x86)\Advanced Registry Optimizer
2011-10-31 18:24 . 2011-10-31 18:37 -------- d-----w- c:\users\Heather LaVine\AppData\Local\Smilebox
2011-10-31 18:23 . 2011-11-20 01:03 -------- d-----w- c:\users\Heather LaVine\AppData\Roaming\Smilebox
2011-10-27 17:46 . 2011-10-27 17:46 18944 ----a-r- c:\users\Heather LaVine\AppData\Roaming\Microsoft\Installer\{297DCADA-86A1-4A42-8A13-66B7D7A09FD2}\IconBB6A16301.exe
2011-10-26 18:22 . 2011-10-26 18:22 -------- d-----w- c:\program files (x86)\Trend Micro
2011-10-26 11:41 . 2011-08-15 05:08 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-10-26 11:41 . 2011-08-15 04:25 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-01 03:21 . 2011-10-13 08:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-01 02:59 . 2011-10-13 08:36 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-09-30 23:55 . 2011-08-07 21:56 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-09-30 23:45 . 2011-08-07 21:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-09-30 23:45 . 2011-08-07 21:55 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-08-29 17:41 . 2011-08-29 17:41 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2011-08-29 17:30 . 2011-08-29 17:30 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-08-29 17:29 . 2011-08-29 17:29 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-08-29 17:29 . 2011-08-29 17:29 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-08-27 05:40 . 2011-10-13 08:36 861184 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 05:40 . 2011-10-13 08:36 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-08-27 04:43 . 2011-10-13 08:36 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-08-27 04:43 . 2011-10-13 08:36 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{6FFB615D-E8CE-4ADD-8D9F-31C4BE9C26E4}]
2011-10-20 15:20 1603072 ----a-w- c:\program files (x86)\InboxDollars\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{47980628-3844-42AA-A0DD-E2D86BBA9600}"= "c:\program files (x86)\InboxDollars\Toolbar.dll" [2011-10-20 1603072]
.
[HKEY_CLASSES_ROOT\clsid\{47980628-3844-42aa-a0dd-e2d86bba9600}]
[HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{5DB5671F-D35B-419E-A124-0653A57FBCA1}]
[HKEY_CLASSES_ROOT\FCTB000062133.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmileboxTray"="c:\users\Heather LaVine\AppData\Roaming\Smilebox\SmileboxTray.exe" [2011-11-07 313160]
"AROReminder"="c:\program files (x86)\Advanced Registry Optimizer\ARO.exe" [2010-01-20 2137600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-08-17 3218792]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"Reader Library Launcher"="c:\program files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2011-08-23 273528]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NielsenOnline"="c:\program files (x86)\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2010-11-17 47424]
"SweetIM"="c:\program files (x86)\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-8-13 1207312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-01 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-01 136176]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 iWinTrusted;iWinTrusted;c:\program files (x86)\iWin Games\iWinTrusted.exe [2011-04-08 176848]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110812.001\BHDrvx64.sys [2011-07-23 1151096]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110822.030\IDSvia64.sys [2011-07-16 488056]
S1 nnfwdk;Nielsen WFP Driver;c:\program files (x86)\NetRatingsNetSight\NetSight\meter2\nnfwdk64.sys [2010-10-04 25648]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 NielsenUpdate;Nielsen Update;c:\program files (x86)\NetRatingsNetSight\NetSight\NielsenUpdate.exe [2010-11-17 303936]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe [2011-10-29 135608]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe [2009-08-24 126392]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-02-26 252928]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 CnxtHdmiAudService;Conexant UAA HDMI Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDMI64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-15 138360]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [x]
S3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-01 01:21]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-01 01:21]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-10 520760]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
"combofix"="c:\combofix\CF20157.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SYSTEM32\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Heather LaVine\AppData\Roaming\Mozilla\Firefox\Profiles\9090hrdi.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Messenger (Yahoo!) - ~c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe
Wow6432Node-HKCU-Run-DW6 - c:\program files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
Toolbar-Locked - (no file)
WebBrowser-{37153479-1976-43C3-A1EE-557513977B64} - (no file)
WebBrowser-{47980628-3844-42AA-A0DD-E2D86BBA9600} - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AddRemove-WT089366 - c:\program files (x86)\TOSHIBA Games\Cake Mania - Lights
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.6.22\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\NetRatingsNetSight]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Logitech\SetPoint\x86\SetPoint32.exe
.
**************************************************************************
.
Completion time: 2011-11-23 08:26:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-23 13:26
.
Pre-Run: 255,117,910,016 bytes free
Post-Run: 254,931,259,392 bytes free
.
- - End Of File - - F10AE1FCA2ED57B411A966092E665C9C

Attached Files


Edited by RPMcMurphy, 23 November 2011 - 09:08 AM.
Added log


#4 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 23 November 2011 - 09:16 AM

Heather:

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Folder::

Folder::
c:\users\Heather LaVine\AppData\Roaming\QppnG44QH6WKfLg
c:\users\Heather LaVine\AppData\Roaming\RbbDD3onG4a
c:\users\Heather LaVine\AppData\Roaming\NIVVrllONtxPuc1
c:\users\Heather LaVine\AppData\Roaming\hrlONtxP0c1b3n4
c:\users\Heather LaVine\AppData\Roaming\gNyxA0uvSiFpGa
c:\users\Heather LaVine\AppData\Roaming\L5sQJ6dEKfZhXjC
c:\users\Heather LaVine\AppData\Roaming\xuuvD2obF4mGsJ
c:\users\Heather LaVine\AppData\Roaming\g9hhYXwjelBtPyA
c:\users\Heather LaVine\AppData\Roaming\f4pmmG5sJ6dEfZh
c:\users\Heather LaVine\AppData\Roaming\tUUUVVelOBtP0A1
c:\users\Heather LaVine\AppData\Roaming\pssWWJ7dE
c:\users\Heather LaVine\AppData\Roaming\wmmGG5aaQJ6WK
c:\users\Heather LaVine\AppData\Roaming\SNNNyxxA1uvSob3
c:\users\Heather LaVine\AppData\Roaming\o8RZ99hYXwjVeIt
c:\users\Heather LaVine\AppData\Roaming\aFFF4ppmG5sQ6
c:\users\Heather LaVine\AppData\Roaming\AKgZZYwUl
c:\users\Heather LaVine\AppData\Roaming\E44ppGGsJ6dK8R9
c:\users\Heather LaVine\AppData\Roaming\IBBtzNcA1
c:\users\Heather LaVine\AppData\Roaming\bCwkkIVrrlNPuS
c:\users\Heather LaVine\AppData\Roaming\yRRLL9ggTXqYCk
c:\users\Heather LaVine\AppData\Roaming\OuuvSS2ibF3pG5Q
c:\program files (x86)\0E718
c:\users\Heather LaVine\AppData\Roaming\nHWfLgZhCkVlBx0
c:\users\Heather LaVine\AppData\Roaming\0E718
c:\users\Heather LaVine\AppData\Roaming\FcccS11ibD3oG4m
c:\users\Heather LaVine\AppData\Roaming\ZjjYYCwkIVrlOtP
c:\users\Heather LaVine\AppData\Roaming\5A30E
c:\users\Heather LaVine\AppData\Roaming\V4aamHH6sWJ7ELg
c:\users\Heather LaVine\AppData\Roaming\YWWWK88fRL9TXjU
c:\users\Heather LaVine\AppData\Roaming\FK8RhXjeIBzPNxA

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: dragging CFScript onto ComboFix.exe)


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Download TDSSKiller.exe to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Once complete, a log will be produced at the root drive, which is typically C:\. It will look something like this:

    For example, C:\TDSSKiller.2.6.10.0_date_time_log.txt
  • Post that log, please.
Please include the following in your next post:
  • ComboFix log
  • TDSSKiller log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 heather529 (Topic Starter)

Posted 23 November 2011 - 10:13 AM

ComboFix would not work this time; it got stuck on "preparing log" and would not go any further....

#6 RPMcMurphy (Malware Response Team)

Posted 23 November 2011 - 10:35 AM

Heather:

OK, Please do this:

Click Start > Run or press Windows Key + R, copy/paste the following into the run box that opens and press OK:
c:\ComboFix.txt

That should open the latest ComboFix log. Once you have that, go ahead and run TDSSKiller following my previous instructions.

Please include the following in your next post:
  • ComboFix log
  • TDSSKiller log



#7 heather529 (Topic Starter)

Posted 23 November 2011 - 10:48 AM

I tried ComboFix again and the newest is attached with the TDSS log :-)

Heather

Attached Files



#8 RPMcMurphy (Malware Response Team)

Posted 23 November 2011 - 10:57 AM

Heather:

Are you still seeing those messages about malware being blocked? Please do this next:

Click Start > Run or press the Windows Key + R, copy and paste the following text into the run box that opens and press OK:
C:\Qoobox\Add-Remove Programs.txt

Post the contents of the text file that opens in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • Add/Remove Programs log
  • MBAM log



#9 heather529 (Topic Starter)

Posted 23 November 2011 - 11:41 AM

Update for Microsoft Office 2007 (KB2508958)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.0)
Advanced Registry Optimizer
AnswerWorks 5.0 English Runtime
Are You Smarter Than A 5th Grader (remove only)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
Bejeweled 2 Deluxe
BufferChm
Cake Mania - Lights, Camera, Action!™
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
D110
D3DX10
Destinations
DeviceDiscovery
erLT
Express Zip File Compression Software
Family Feud: Battle of the Sexes (remove only)
Family Feud™ (remove only)
FATE - The Traitor Soul
Google Chrome
Google Update Helper
Governor of Poker 2 Premium Edition
GPBaseService2
HijackThis 2.0.2
HP Photo Creations
HP Update
HPAppStudio
HPPhotoGadget
HPProductAssistant
HPSSupply
InboxDollars
iWin Games (remove only)
Java Auto Updater
Java™ 6 Update 27
Jewel Quest - Heritage
Junk Mail filter update
Label@Once 1.0
Logitech SetPoint
Malwarebytes' Anti-Malware version 1.51.2.1300
MarketResearch
Mesh Runtime
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 8.0 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery P.I. - The London Caper
Nielsen
Norton Internet Security
Plants vs. Zombies - Game of the Year
PlayReady PC Runtime x86
Polar Bowler
PS_AIO_07_D110_SW_Min
Quicken 2011
QuickTransfer
Reader Library by Sony
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
RealUpgrade 1.1
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype Launcher
Skype™ 4.2
Slingo Supreme
SmartWebPrinting
Smilebox
SolutionCenter
Status
SweetIM for Messenger 3.6
SweetIM Toolbar for Internet Explorer 4.2
Toolbox
Toshiba App Place
TOSHIBA Application Installer
TOSHIBA Assist
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA eco Utility
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
Toshiba Laptop Checkup
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
Toshiba Online Backup
TOSHIBA Quality Application
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
ToshibaRegistration
Tracker
TrayApp
Unity Web Player
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
WebReg
WildTangent Games
WildTangent ORB Game Console
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar



and

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8224

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/23/2011 11:39:26 AM
mbam-log-2011-11-23 (11-39-14).txt

Scan type: Full scan (C:\|)
Objects scanned: 359086
Time elapsed: 36 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> No action taken.

****My redirects have stopped....but a new error has popped up. When I plugged in my ereader, an error said it could not load due to the registry being marked for deletion. Also, the above program is still popping up with blocks...

#10 RPMcMurphy (Malware Response Team)

Posted 23 November 2011 - 01:03 PM

Heather:

Rebooting the PC should stop that new problem. Let MBAM remove that file it detected. Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please go here to run an online scan with ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • Report any outstanding issues
  • ESET log

Edited by RPMcMurphy, 23 November 2011 - 01:04 PM.



#11 heather529 (Topic Starter)

Posted 23 November 2011 - 02:40 PM

C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Users\Heather LaVine\AppData\Roaming\aFFF4ppmG5sQ6\AV Protection 2011v121.exe.vir Win32/Adware.WinAntiVirus.AD application
C:\Qoobox\Quarantine\C\Users\Heather LaVine\AppData\Roaming\gNyxA0uvSiFpGa\AV Protection 2011v121.exe.vir Win32/Adware.WinAntiVirus.AD application
C:\Qoobox\Quarantine\C\Users\Heather LaVine\AppData\Roaming\tUUUVVelOBtP0A1\AV Protection 2011v121.exe.vir Win32/Adware.WinAntiVirus.AD application
C:\Qoobox\Quarantine\C\Users\Heather LaVine\AppData\Roaming\yRRLL9ggTXqYCk\AV Protection 2011v121.exe.vir Win32/Adware.WinAntiVirus.AD application
C:\Qoobox\Quarantine\C\Users\Heather LaVine\AppData\Roaming\YWWWK88fRL9TXjU\AV Protection 2011v121.exe.vir Win32/Adware.WinAntiVirus.AD application
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.E trojan
C:\Users\Heather LaVine\Downloads\RegistryReviverSetup.exe a variant of Win32/RegistryReviver application
C:\Users\Heather LaVine\Downloads\SoftonicDownloader_for_snap.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Heather LaVine\Downloads\WhiteSmokeInstaller_9147.exe a variant of Win32/InstallCore.A application

#12 RPMcMurphy (Malware Response Team)

Posted 23 November 2011 - 04:05 PM

Heather:

This will take care of those ESET detections. The others are already in quarantine and will be removed when we uninstall ComboFix.

Open Notepad and copy/paste the text in the quote box below into it:

@echo off
rem Delete the remaining live files (the ones not already in ComboFix's quarantine)
del "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N56M0311NetInstaller.exe"
del "C:\Users\Heather LaVine\Downloads\RegistryReviverSetup.exe"
del "C:\Users\Heather LaVine\Downloads\SoftonicDownloader_for_snap.exe"
del "C:\Users\Heather LaVine\Downloads\WhiteSmokeInstaller_9147.exe"
rem Quietly delete this batch file itself (%0 is the script's own path)
del /Q %0

Save this as fix.bat, choosing "Save as type: All Files".
Right-click on fix.bat and select "Run as administrator".

Are there any remaining problems that we have not resolved yet?

Please include the following in your next post:
  • Report any outstanding issues

Edited by RPMcMurphy, 23 November 2011 - 04:06 PM.

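The reasoning in the post above (the .vir entries under C:\Qoobox\Quarantine are already inert, only the three installers in Downloads are still live, so only those go into fix.bat) is the kind of triage you do for every scan log. As an added example, not code from this thread or from ESET or ComboFix, here is that triage in Python: it parses lines in the shape ESET printed above (path, then the detection name), separates quarantined from live files, and renders the same style of batch file. The sample lines are copied from the ESET log in post #11; the two quarantine markers it relies on (the C:\Qoobox\Quarantine prefix and the .vir suffix) are both visible on this page. It only knows about the ESET lines, so the CONFLICT.1 path in the real fix.bat, which came from elsewhere, is not reproduced.

```python
import re
from typing import NamedTuple

# Lines copied from the ESET log posted earlier in this thread (post #11).
ESET_LOG = r"""
C:\Qoobox\Quarantine\C\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Users\Heather LaVine\AppData\Roaming\aFFF4ppmG5sQ6\AV Protection 2011v121.exe.vir Win32/Adware.WinAntiVirus.AD application
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.E trojan
C:\Users\Heather LaVine\Downloads\RegistryReviverSetup.exe a variant of Win32/RegistryReviver application
C:\Users\Heather LaVine\Downloads\SoftonicDownloader_for_snap.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Heather LaVine\Downloads\WhiteSmokeInstaller_9147.exe a variant of Win32/InstallCore.A application
"""

# Paths contain spaces ("Heather LaVine", "Tarma Installer"), so we cannot split
# on whitespace. Instead the path is taken as everything up to the first file
# extension that is followed by whitespace; ".dll.vir" works because ".dll" is
# followed by "." and the regex backtracks to ".vir".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:vir|exe|dll|sys|tmp))\s+(?P<detection>.+)$",
    re.IGNORECASE,
)

# ComboFix moves what it removes under C:\Qoobox\Quarantine and appends .vir.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


class Detection(NamedTuple):
    path: str
    name: str
    quarantined: bool


def is_quarantined(path: str) -> bool:
    """Either marker means the file is already inert and needs no further action."""
    p = path.lower()
    return p.startswith(QUARANTINE_PREFIX) or p.endswith(".vir")


def parse_eset_log(text: str) -> list[Detection]:
    """Turn exported ESET lines into Detection records; unknown shapes raise so
    nothing is silently skipped."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        path = m.group("path")
        found.append(Detection(path, m.group("detection"), is_quarantined(path)))
    return found


def live_paths(detections: list[Detection]) -> list[str]:
    """Files still on disk outside quarantine: the only ones that need deleting."""
    return [d.path for d in detections if not d.quarantined]


def make_fix_bat(paths: list[str]) -> str:
    """Render a batch file in the same shape as fix.bat above: delete each live
    file, then have the script delete itself."""
    lines = ["@echo off"]
    lines += [f'del "{p}"' for p in paths]
    lines.append("del /Q %0")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dets = parse_eset_log(ESET_LOG)
    for d in dets:
        print("quarantined" if d.quarantined else "LIVE       ", d.name, "->", d.path)
    print()
    print(make_fix_bat(live_paths(dets)))
```

Feed it the exported ESET text and the LIVE rows are the ones to act on; anything quarantined is handled when ComboFix is uninstalled, exactly as the post says.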


#13 heather529 (Topic Starter)

Posted 23 November 2011 - 04:14 PM

I think I am fixed :-) I seem to be running normally, no pop ups, weird messages or redirects. I want to thank you thank you thank you for sticking with me today and walking me through the fixes. <3

#14 RPMcMurphy (Malware Response Team)

Posted 23 November 2011 - 04:51 PM

Heather:

You're very welcome! I have some very important cleanup you need to take care of now:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • TDSSKiller
Download TFC to your desktop
  • Close any open windows.
  • Double-click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#15 heather529 (Topic Starter)

Posted 23 November 2011 - 05:20 PM

All worked well -- thanks for the suggestions and the link. Have a Happy Thanksgiving!
