System Fix, Backdoor Trojan & More


  • This topic is locked
31 replies to this topic

#1 infiltrated :(

infiltrated :(

  • Members
  • 21 posts

Posted 29 November 2011 - 12:32 PM

About a week ago, an Adobe update notification popped up. I clicked the red x to make it go away, but it didn't go away. So I installed the darn thing. I should have known better...

I don't know what I installed, but it wasn't an Adobe update. The first rogue virus to show up was 'System Fix'. I was scared to death when my desktop went black, my icons disappeared and my folders appeared to be empty. I ran rkill, TDSS killer, Malwarebytes, unhide.exe, Webroot and did a system restore to get rid of it (I hope I got rid of it anyway). My d:/ drive was 'gone' (the 'Matbleepa CDRom drive (?) wasn't working), but that got fixed, too (I forgot how).

When things appeared to be back to normal, I ran several other scans including SuperAntiSpyware, ESET online scanner, and MSRT. I remember a few other medium to high risk threats were detected (including two backdoor trojans), but instead of writing down their names, I deleted them immediately (I was scared).

Three days later, a virus similar to System Fix showed up - it called itself 'Privacy Protection' or something like that. I deleted that one pretty quickly, ran more scans, created a new system restore point and deleted all the old ones.

Since then, I have run Emsisoft, Avira, HitmanPro, Dr.Web CureIt (express scan), CCleaner, Disk Cleanup and upgraded my Webroot subscription to their latest product, "Security Anywhere" (the guy on the phone sort of admitted that the old 'antivirus and spyware' edition I was paying for was not the greatest). I deleted a few registry entries that I thought shouldn't be there (after consulting Google!), for example, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'. I hope I didn't mess anything up in there!

Emsisoft detected a packed.win32.themida threat in a game installation that is several years old and HitmanPro identified cnet2_setup_exe.exe as malware (both now removed). I am not sure if these were false positives and if my computer is toast or okay. Yesterday, Google did not work in Firefox or IE: no results showed up. I often have to log on twice (user profile); the first time it gives me a password error message. My Windows sound seems to be slow today.

I would be very grateful if someone could take a look at my logs and tell me if there is suspicious activity still going on and how to get rid of it. Thanks!

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Home at 11:12:13 on 2011-11-29
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3034.1558 [GMT -5:00]
.
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WRSA.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbccoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\QUALCOMM\QDLService\QDLService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Webroot\WRSA.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\MMK2\memokeys.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\igfxext.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = about:blank
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uSearch Bar =
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{6FF834A3-1E15-483F-8A01-4956DFC10906}
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant =
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [<NO NAME>]
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"
mRun: [LtMoh] "c:\program files\ltmoh\Ltmoh.exe"
mRun: [TPwrMain] "c:\program files\toshiba\power saver\TPwrMain.EXE"
mRun: [HSON] "c:\program files\toshiba\tbs\HSON.exe"
mRun: [SmoothView] "c:\program files\toshiba\smoothview\SmoothView.exe"
mRun: [00TCrdMain] "c:\program files\toshiba\flashcards\TCrdMain.exe"
mRun: [SmartFaceVWatcher] "c:\program files\toshiba\smartfacev\SmartFaceVWatcher.exe"
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [cfFncEnabler.exe] "c:\program files\toshiba\configfree\cfFncEnabler.exe"
mRun: [TUSBSleepChargeSrv] "c:\program files\toshiba\toshiba usb sleep and charge utility\TUSBSleepChargeSrv.exe"
mRun: [TosSENotify] "c:\program files\toshiba\toshiba hdd ssd alert\TosSENotify.exe"
mRun: [TPCHWMsg] "c:\program files\toshiba\tphm\TPCHWMsg.exe"
mRun: [WRSVC] "c:\program files\webroot\WRSA.exe" -ul
mRun: [mmkpro] c:\program files\mmk2\memokeys.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{A88983D5-1603-4234-9144-AAF180CB4BD2} : DhcpNameServer = 207.69.188.186 207.69.188.187
TCP: Interfaces\{FF3016BF-1E13-4558-BA5E-4BADEEA4896E} : DhcpNameServer = 207.69.188.186 207.69.188.187 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\home\appdata\roaming\mozilla\firefox\profiles\47wsu0uk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.charlotteobserver.com/
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - component: c:\users\home\appdata\roaming\mozilla\firefox\profiles\47wsu0uk.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\home\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\home\appdata\roaming\mozilla\plugins\npatgpc.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2009-3-25 30272]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 13336]
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2011-11-22 106824]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-11-28 17904]
R1 PMCF;PMCF;c:\windows\system32\drivers\PMCF.sys [2009-6-1 14856]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-7-18 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-11-28 2996784]
R2 camsvc;TOSHIBA Web Camera Service;c:\program files\toshiba\toshiba web camera application\TWebCameraSrv.exe [2009-6-21 20544]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-18 366152]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\qdlservice\QDLService.exe [2009-3-19 345336]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2009-6-21 45056]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2009-6-21 38400]
R2 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-2-19 57344]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-4-24 176128]
R2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-3-17 73728]
R2 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-4-9 656752]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-3-20 12920]
R2 WRSVC;WRSVC;c:\program files\webroot\WRSA.exe [2011-11-22 633088]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-22 112128]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-18 22216]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-6-21 22272]
R3 qcfilterTSH;Toshiba USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterTSH.sys [2009-3-19 5248]
R3 qcusbnetTSH;Toshiba USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetTSH.sys [2009-3-19 115200]
R3 qcusbserTSH;Toshiba USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserTSH.sys [2009-3-19 104448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-11-28 51632]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-21 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
=============== Created Last 30 ================
.
2011-11-29 15:22:08 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5167503b-ae86-4c84-bfcb-c19f7bfceb7f}\offreg.dll
2011-11-29 15:09:47 388096 ----a-r- c:\users\home\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-29 15:00:11 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5167503b-ae86-4c84-bfcb-c19f7bfceb7f}\mpengine.dll
2011-11-29 01:30:30 -------- d-----w- c:\users\home\DoctorWeb
2011-11-28 20:34:00 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-11-28 20:29:38 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-11-28 20:11:14 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-28 20:10:39 -------- d-----w- c:\programdata\Hitman Pro
2011-11-28 00:47:54 -------- d-----w- c:\users\home\appdata\roaming\ERS Game Studios
2011-11-27 22:23:22 -------- d-----w- C:\TEMP
2011-11-27 21:31:34 -------- d-----w- c:\program files\Dark Tales - Edgar Allan Poe's The Black Cat
2011-11-27 20:59:14 -------- d-----w- c:\programdata\Big Fish Games
2011-11-27 20:58:59 -------- d-----w- c:\program files\bfgclient
2011-11-27 20:57:41 -------- d-----w- C:\BigFishGamesCache
2011-11-23 04:44:33 -------- d-----r- c:\program files\Skype
2011-11-23 00:18:48 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-22 23:31:47 472808 ----a-w- c:\windows\system32\REN335F.tmp
2011-11-22 23:27:41 -------- d-----w- c:\program files\DealBulldog Toolbar
2011-11-22 23:04:39 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-11-22 22:40:52 -------- d-----w- c:\users\home\appdata\roaming\SmartPCTools
2011-11-22 19:45:05 -------- d-----w- c:\users\home\appdata\roaming\Runscanner.net
2011-11-22 19:33:50 -------- d-----w- c:\program files\Trend Micro
2011-11-22 16:03:18 141272 ----a-w- c:\windows\system32\WRusr.dll
2011-11-22 16:03:18 106824 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2011-11-22 16:03:18 -------- d-----w- c:\program files\Webroot
2011-11-22 16:03:15 -------- d-----w- c:\programdata\WRData
2011-11-22 14:47:02 -------- d-----w- c:\users\home\appdata\local\ElevatedDiagnostics
2011-11-18 21:44:43 -------- d-----w- c:\windows\pss
2011-11-18 20:59:13 -------- d-----w- c:\users\home\appdata\roaming\SUPERAntiSpyware.com
2011-11-18 20:57:19 -------- d-----w- c:\programdata\!SASCORE
2011-11-18 20:57:09 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-11-18 20:57:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-18 20:56:14 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-18 20:56:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-18 18:31:42 -------- d-----w- c:\programdata\webroot(219)
2011-11-17 19:01:03 -------- d-----w- c:\users\home\appdata\local\SlimWare Utilities Inc
2011-11-17 19:00:41 -------- d-----w- c:\program files\SlimCleaner
2011-11-17 12:36:40 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-17 04:58:42 -------- d-----w- c:\users\home\appdata\roaming\Malwarebytes
2011-11-17 04:58:25 -------- d-----w- c:\programdata\Malwarebytes
2011-11-16 20:38:01 -------- d-----w- c:\users\home\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-11-16 19:16:21 -------- d-----w- c:\programdata\STOPzilla!
2011-11-09 14:53:50 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-09 14:53:42 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 14:53:42 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-11-09 14:53:36 707584 ----a-w- c:\program files\common files\system\wab32.dll
.
==================== Find3M ====================
.
2011-11-28 23:42:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 22:29:26 72748 ----a-w- c:\windows\unins000.exe
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 11:13:08.53 ===============

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:52:56 PM, on 11/22/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Webroot\WRSA.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\cfFncEnabler.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
C:\Program Files\MMK2\memokeys.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
user_pref("network.cookie.prefsMigrated", true);
user_pref("prefs.converted-to-utf8", true);
user_pref("privacy.popups.first_popup", false);
user_pref("signon.SignonFileName", "63250587.s");
use
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\Windows\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [TPwrMain] "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE"
O4 - HKLM\..\Run: [HSON] "C:\Program Files\TOSHIBA\TBS\HSON.exe"
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\Toshiba\SmoothView\SmoothView.exe"
O4 - HKLM\..\Run: [00TCrdMain] "C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe"
O4 - HKLM\..\Run: [SmartFaceVWatcher] "C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [cfFncEnabler.exe] "C:\Program Files\TOSHIBA\ConfigFree\cfFncEnabler.exe"
O4 - HKLM\..\Run: [TUSBSleepChargeSrv] "C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe"
O4 - HKLM\..\Run: [TosSENotify] "C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe"
O4 - HKLM\..\Run: [PCMAgent] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe"
O4 - HKLM\..\Run: [TPCHWMsg] "C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [mmkpro] C:\Program Files\MMK2\memokeys.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Home\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - (no file)
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - (no file)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: TOSHIBA Web Camera Service (camsvc) - TOSHIBA - C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxbc_device - - C:\Windows\system32\lxbccoms.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: TOSHIBA Modem region select service (RSELSVC) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\Windows\system32\ThpSrv.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
O23 - Service: WRSVC - Webroot - C:\Program Files\Webroot\WRSA.exe

--
End of file - 11093 bytes


#2 infiltrated :(

infiltrated :(
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 29 November 2011 - 12:35 PM

Ha ha, the word M a t s h i t a drive was automatically changed to MatBEEPa drive :D

#3 infiltrated :(

infiltrated :(
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 29 November 2011 - 02:53 PM

I found two Malwarebytes logs (after the system fix attack was sort of under control, I uninstalled Malwarebytes and reinstalled it and don't know where the older, original logs are or if they still exist)...
A few days after the original attack, Malwarebytes found:

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Home\AppData\LocalLow\Sun\Java\deployment\cache\6.0\47\482b22af-48dbc91c (Trojan.Downloader.adb) -> Quarantined and deleted successfully.

After a few more days, Malwarebytes found:

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Rogue.PrvacyProtect) -> Value: Privacy Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Home\AppData\Local\Temp\~!#C2A6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Home\Desktop\privacy protection.lnk (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Home\AppData\Roaming\privacy.exe (Rogue.PrvacyProtect) -> Quarantined and deleted successfully.

#4 infiltrated :(

infiltrated :(
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 29 November 2011 - 03:09 PM

At one point, TDSS killer found this:

13:31:02.0486 8800 Detected object count: 1
13:31:02.0486 8800 Actual detected object count: 1
13:31:19.0804 8800 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\Windows\system32\drivers\cdrom.sys) error 1813
13:31:21.0723 8800 Backup copy found, using it..
13:31:22.0362 8800 C:\Windows\system32\DRIVERS\cdrom.sys - will be cured on reboot
13:31:45.0765 8800 cdrom ( Rootkit.Win32.ZAccess.k ) - User select action: Cure
13:32:04.0679 8664 Deinitialize success

I don't know how to retrieve the original webroot logs (from the 'first' virus), and it may not be necessary.

I JUST NOW deleted:

C:\Windows\System32\drivers\netbt.sys (clicked on properties and it said security threat; also, the details tab was empty; no name, no copyright, etc.)


I'll stop posting now until I hear from someone... Thanks!

Edited by infiltrated :(, 30 November 2011 - 10:23 AM.

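An added check for the two files discussed in this post (example code written for this page, not something posted in the thread). The empty Details tab the poster describes means the file's version resource is missing or unreadable, which is also what TDSSKiller's GetFileVersionInfoSizeW error 1813 (ERROR_RESOURCE_TYPE_NOT_FOUND) on cdrom.sys reflects; a blank resource on its own does not prove a file is malicious, and TDSSKiller repaired cdrom.sys by comparing it with a backup copy rather than deleting it. The script below does the same kind of comparison by hand: it reads the version resource, asks Windows for an Authenticode verdict, and hashes the live driver against the copies Windows keeps in the WinSxS component store. It assumes a 32-bit Vista install with default paths and that PowerShell 2.0 is installed (on Vista it is an optional update), the driver names are the ones from this post plus two network drivers that the DDS log later shows as recently replaced, and the script is read-only: it reports and deletes nothing.

```powershell
# Added example, not from the thread: driver integrity report.
# Assumes 32-bit Vista, default %SystemRoot%, PowerShell 2.0, elevated prompt.

param(
    [string[]]$Drivers = @('netbt.sys', 'cdrom.sys', 'tcpip.sys', 'netio.sys'),
    [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'),
    [string]$WinSxS    = (Join-Path $env:SystemRoot 'winsxs')
)

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist on PowerShell 2.0, so hash through .NET.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Test-DriverIntegrity([string]$Name) {
    $path   = Join-Path $DriverDir $Name
    $result = New-Object PSObject -Property @{
        Driver        = $Name
        Present       = (Test-Path $path)
        VersionInfo   = $null
        Signature     = $null
        MatchesWinSxS = $null
        Verdict       = ''
    }
    if (-not $result.Present) {
        # An inbox driver that is simply gone: sfc /scannow restores it
        # from the component store, which is safer than leaving it missing.
        $result.Verdict = 'MISSING'
        return $result
    }

    # 1. Version resource. Blank fields here are what an empty Details tab shows.
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    $result.VersionInfo = '{0} | {1} | {2}' -f $vi.CompanyName, $vi.FileDescription, $vi.FileVersion

    # 2. Authenticode. Caveat: inbox Windows drivers are catalog-signed, and
    #    PowerShell 2.0 only checks embedded signatures, so NotSigned is
    #    inconclusive here. HashMismatch (embedded signature, file changed) is not.
    $sig = Get-AuthenticodeSignature $path
    $result.Signature = $sig.Status.ToString()

    # 3. Hash the live file against every copy of the same name in WinSxS.
    #    A clean inbox driver matches one of them; a patched one matches none.
    #    Walking winsxs takes a few minutes on Vista.
    $live   = Get-Sha256Hex $path
    $copies = Get-ChildItem -Path $WinSxS -Filter $Name -Recurse -ErrorAction SilentlyContinue
    if ($copies) {
        $result.MatchesWinSxS = [bool]($copies | Where-Object { (Get-Sha256Hex $_.FullName) -eq $live })
    }

    if ($sig.Status -eq 'HashMismatch' -or $result.MatchesWinSxS -eq $false -or
        [string]::IsNullOrEmpty($vi.CompanyName)) {
        $result.Verdict = 'SUSPECT: confirm with sfc /verifyonly before touching it'
    } elseif ($sig.Status -eq 'Valid' -or $result.MatchesWinSxS) {
        $result.Verdict = 'OK'
    } else {
        $result.Verdict = 'INCONCLUSIVE'
    }
    return $result
}

$Drivers | ForEach-Object { Test-DriverIntegrity $_ } |
    Format-Table Driver, Present, Signature, MatchesWinSxS, Verdict, VersionInfo -AutoSize
```

The three signals disagree on purpose: on this version of Windows the Authenticode column alone would say NotSigned for every inbox driver, so the WinSxS hash comparison carries most of the weight, and the version resource is only a tie-breaker. A SUSPECT row is a reason to run the built-in check (sfc /verifyonly, then sfc /scannow) or to hand the file to a helper, not a reason to delete it by hand.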

#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,696 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:10 AM

Posted 04 December 2011 - 12:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/429885 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 infiltrated :(

infiltrated :(
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 05 December 2011 - 10:39 AM

I still need help. After the Rootkit.Win32.ZAccess.k, rogue malware, trojan, etc. infections, I am unsure if my system is clean now.

Here is the DDS log (GMER is running now - will post it soon):

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Home at 10:30:03 on 2011-12-05
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3034.1259 [GMT -5:00]
.
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WRSA.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbccoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\QUALCOMM\QDLService\QDLService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Webroot\WRSA.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\MMK2\memokeys.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = about:blank
uSearch Bar = Preserve
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{6FF834A3-1E15-483F-8A01-4956DFC10906}
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [<NO NAME>]
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"
mRun: [LtMoh] "c:\program files\ltmoh\Ltmoh.exe"
mRun: [TPwrMain] "c:\program files\toshiba\power saver\TPwrMain.EXE"
mRun: [HSON] "c:\program files\toshiba\tbs\HSON.exe"
mRun: [SmoothView] "c:\program files\toshiba\smoothview\SmoothView.exe"
mRun: [00TCrdMain] "c:\program files\toshiba\flashcards\TCrdMain.exe"
mRun: [SmartFaceVWatcher] "c:\program files\toshiba\smartfacev\SmartFaceVWatcher.exe"
mRun: [NDSTray.exe] "c:\program files\toshiba\configfree\NDSTray.exe"
mRun: [cfFncEnabler.exe] "c:\program files\toshiba\configfree\cfFncEnabler.exe"
mRun: [TUSBSleepChargeSrv] "c:\program files\toshiba\toshiba usb sleep and charge utility\TUSBSleepChargeSrv.exe"
mRun: [TosSENotify] "c:\program files\toshiba\toshiba hdd ssd alert\TosSENotify.exe"
mRun: [TPCHWMsg] "c:\program files\toshiba\tphm\TPCHWMsg.exe"
mRun: [WRSVC] "c:\program files\webroot\WRSA.exe" -ul
mRun: [mmkpro] c:\program files\mmk2\memokeys.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{A88983D5-1603-4234-9144-AAF180CB4BD2} : DhcpNameServer = 207.69.188.186 207.69.188.187
TCP: Interfaces\{FF3016BF-1E13-4558-BA5E-4BADEEA4896E} : DhcpNameServer = 207.69.188.186 207.69.188.187 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\home\appdata\roaming\mozilla\firefox\profiles\47wsu0uk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.charlotteobserver.com/
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - component: c:\users\home\appdata\roaming\mozilla\firefox\profiles\47wsu0uk.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\home\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\home\appdata\roaming\mozilla\plugins\npatgpc.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2009-3-25 30272]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 13336]
R0 WRkrn;WRkrn;c:\windows\system32\drivers\WRkrn.sys [2011-11-22 106824]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-11-28 17904]
R1 PMCF;PMCF;c:\windows\system32\drivers\PMCF.sys [2009-6-1 14856]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-7-18 116608]
R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-11-28 2996784]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 camsvc;TOSHIBA Web Camera Service;c:\program files\toshiba\toshiba web camera application\TWebCameraSrv.exe [2009-6-21 20544]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-18 366152]
R2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\qdlservice\QDLService.exe [2009-3-19 345336]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2009-6-21 45056]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2009-6-21 38400]
R2 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-2-19 57344]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-4-24 176128]
R2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-3-17 73728]
R2 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-4-9 656752]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-3-20 12920]
R2 WRSVC;WRSVC;c:\program files\webroot\WRSA.exe [2011-11-22 633088]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-22 112128]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-18 22216]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-6-21 22272]
R3 qcfilterTSH;Toshiba USB Composite Device Filter Driver;c:\windows\system32\drivers\qcfilterTSH.sys [2009-3-19 5248]
R3 qcusbnetTSH;Toshiba USB-NDIS miniport;c:\windows\system32\drivers\qcusbnetTSH.sys [2009-3-19 115200]
R3 qcusbserTSH;Toshiba USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbserTSH.sys [2009-3-19 104448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-11-28 51632]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-21 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
=============== Created Last 30 ================
.
2011-12-03 16:08:03 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{907b8e79-abec-456b-83bc-6eb6d2c1abc0}\offreg.dll
2011-12-02 19:36:40 -------- d-----w- c:\programdata\McAfee Security Scan
2011-12-02 19:36:36 -------- d-----w- c:\program files\McAfee Security Scan
2011-12-02 18:19:21 -------- d-----w- c:\users\home\appdata\local\Solid State Networks
2011-12-02 11:50:26 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{907b8e79-abec-456b-83bc-6eb6d2c1abc0}\mpengine.dll
2011-11-29 15:09:47 388096 ----a-r- c:\users\home\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-29 01:30:30 -------- d-----w- c:\users\home\DoctorWeb
2011-11-28 20:34:00 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-11-28 20:29:38 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-11-28 20:11:14 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-28 20:10:39 -------- d-----w- c:\programdata\Hitman Pro
2011-11-28 00:47:54 -------- d-----w- c:\users\home\appdata\roaming\ERS Game Studios
2011-11-27 22:23:22 -------- d-----w- C:\TEMP
2011-11-27 21:31:34 -------- d-----w- c:\program files\Dark Tales - Edgar Allan Poe's The Black Cat
2011-11-27 20:59:14 -------- d-----w- c:\programdata\Big Fish Games
2011-11-27 20:58:59 -------- d-----w- c:\program files\bfgclient
2011-11-27 20:57:41 -------- d-----w- C:\BigFishGamesCache
2011-11-23 04:44:33 -------- d-----r- c:\program files\Skype
2011-11-23 00:18:48 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-22 23:31:47 472808 ----a-w- c:\windows\system32\REN335F.tmp
2011-11-22 23:27:41 -------- d-----w- c:\program files\DealBulldog Toolbar
2011-11-22 23:04:39 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-11-22 22:40:52 -------- d-----w- c:\users\home\appdata\roaming\SmartPCTools
2011-11-22 19:45:05 -------- d-----w- c:\users\home\appdata\roaming\Runscanner.net
2011-11-22 19:33:50 -------- d-----w- c:\program files\Trend Micro
2011-11-22 16:03:18 141272 ----a-w- c:\windows\system32\WRusr.dll
2011-11-22 16:03:18 106824 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2011-11-22 16:03:18 -------- d-----w- c:\program files\Webroot
2011-11-22 16:03:15 -------- d-----w- c:\programdata\WRData
2011-11-22 14:47:02 -------- d-----w- c:\users\home\appdata\local\ElevatedDiagnostics
2011-11-18 21:44:43 -------- d-----w- c:\windows\pss
2011-11-18 20:59:13 -------- d-----w- c:\users\home\appdata\roaming\SUPERAntiSpyware.com
2011-11-18 20:57:19 -------- d-----w- c:\programdata\!SASCORE
2011-11-18 20:57:09 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-11-18 20:57:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-18 20:56:14 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-18 20:56:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-18 18:31:42 -------- d-----w- c:\programdata\webroot(219)
2011-11-17 19:01:03 -------- d-----w- c:\users\home\appdata\local\SlimWare Utilities Inc
2011-11-17 19:00:41 -------- d-----w- c:\program files\SlimCleaner
2011-11-17 12:36:40 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-17 04:58:42 -------- d-----w- c:\users\home\appdata\roaming\Malwarebytes
2011-11-17 04:58:25 -------- d-----w- c:\programdata\Malwarebytes
2011-11-16 20:38:01 -------- d-----w- c:\users\home\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-11-16 19:16:21 -------- d-----w- c:\programdata\STOPzilla!
2011-11-09 14:53:50 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-09 14:53:42 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 14:53:42 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-11-09 14:53:36 707584 ----a-w- c:\program files\common files\system\wab32.dll
.
==================== Find3M ====================
.
2011-11-28 23:42:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 22:29:26 72748 ----a-w- c:\windows\unins000.exe
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 10:30:44.74 ===============
Attached File  Attach.txt   10.38KB   0 downloads

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,507 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:10 AM

Posted 05 December 2011 - 11:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Some variant of this infection will create a bad partition on the hard disk. Let's check it out.

Do the following:

  1. Click on the Start button and then choose Control Panel.
  2. Click on the System and Security link.

     Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4.
  3. In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
  4. In the Administrative Tools window, double-click on the Computer Management icon.
  5. When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.
After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

To do print screen follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.
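
An added example (written for this page, not part of nasdaq's post) that produces the same partition layout as text, which is easier to paste into a reply than a screenshot and also shows something Disk Management only shows graphically: how much of each physical disk lies outside any partition. It queries WMI (Win32_DiskDrive, Win32_DiskPartition and the partition-to-logical-disk association), so it needs no extra tools; it assumes PowerShell 2.0 is installed, which on Vista is an optional update, and it only reads.

```powershell
# Added example, not from the thread: Disk Management as text, via WMI.
# Assumes PowerShell 2.0 on Vista (no Get-Disk/Get-Partition cmdlets there).

function Get-PartitionLayout {
    $rows = @()
    foreach ($part in (Get-WmiObject Win32_DiskPartition | Sort-Object DiskIndex, Index)) {
        # Drive letters mapped to this partition. Recovery and OEM partitions
        # legitimately have none; anything else without a letter needs explaining.
        $letters = @($part.GetRelated('Win32_LogicalDisk') | ForEach-Object { $_.DeviceID })
        $row = New-Object PSObject -Property @{
            Disk      = $part.DiskIndex
            Partition = $part.Index
            Type      = $part.Type
            StartGB   = [math]::Round($part.StartingOffset / 1GB, 2)
            SizeGB    = [math]::Round($part.Size / 1GB, 2)
            Bootable  = $part.Bootable
            Primary   = $part.PrimaryPartition
            Letters   = ($letters -join ',')
            Flag      = ''
        }
        if ($letters.Count -eq 0) { $row.Flag = 'no drive letter' }
        $rows += $row
    }
    return $rows
}

function Get-DiskSummary {
    # Per-disk size against the sum of its partitions. The difference is
    # unallocated space: common on OEM images, but on an infected machine it is
    # worth explaining, because bootkits that keep data outside any partition
    # put it at the end of the disk. WMI derives Size from CHS geometry, so a
    # value within a few MB of zero is rounding, not hidden space.
    $parts = Get-WmiObject Win32_DiskPartition
    foreach ($disk in (Get-WmiObject Win32_DiskDrive | Sort-Object Index)) {
        $used = 0
        foreach ($p in $parts) { if ($p.DiskIndex -eq $disk.Index) { $used += $p.Size } }
        New-Object PSObject -Property @{
            Disk          = $disk.Index
            Model         = $disk.Model
            SizeGB        = [math]::Round($disk.Size / 1GB, 2)
            PartitionedGB = [math]::Round($used / 1GB, 2)
            UnallocatedGB = [math]::Round(($disk.Size - $used) / 1GB, 2)
        }
    }
}

Get-DiskSummary     | Format-Table Disk, Model, SizeGB, PartitionedGB, UnallocatedGB -AutoSize
Get-PartitionLayout | Format-Table Disk, Partition, Type, StartGB, SizeGB, Bootable, Primary, Letters, Flag -AutoSize
```

Read the two tables together: a partition flagged "no drive letter" with a vendor-sized Type of a few GB near the start of the disk is the usual recovery partition, while a small one at the far end, or a large UnallocatedGB figure, is what the helper's "bad partition" question is about and belongs in the reply alongside the screenshot.
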

#8 infiltrated :(

infiltrated :(
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:09:10 AM

Posted 05 December 2011 - 03:10 PM

Hi nasdaq,

Thanks for your help!!! The screenshot is attached.

Attached File  DiskManagement Screenshot.png   94.77KB   7 downloads

Edited by infiltrated :(, 05 December 2011 - 03:10 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,507 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:10 AM

Posted 09 December 2011 - 10:18 AM

I apologize for this long delay.

If you are still with me proceed with this.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

#10 infiltrated :(

infiltrated :(
  • Topic Starter

  • Members
  • 21 posts

Posted 09 December 2011 - 11:55 AM

Thank you! Here is the ComboFix log:

ComboFix 11-12-09.02 - Home 12/09/2011 11:37:26.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3034.1777 [GMT -5:00]
Running from: c:\users\Home\Desktop\ComboFix.exe
AV: Webroot SecureAnywhere *Disabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Webroot SecureAnywhere *Disabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DFRA0D0.tmp
c:\program files\DealBulldog Toolbar
c:\programdata\Roaming
c:\users\Home\AppData\Roaming\Microsoft\Windows\Recent\.complete.pif
c:\users\Home\Documents\~WRL0005.tmp
c:\users\Home\Documents\~WRL2453.tmp
c:\users\Home\g2mdlhlpx.exe
c:\windows\$NtUninstallKB29126$
c:\windows\$NtUninstallKB29126$\1373904930\@
c:\windows\$NtUninstallKB29126$\1373904930\bckfg.tmp
c:\windows\$NtUninstallKB29126$\1373904930\cfg.ini
c:\windows\$NtUninstallKB29126$\1373904930\Desktop.ini
c:\windows\$NtUninstallKB29126$\1373904930\keywords
c:\windows\$NtUninstallKB29126$\1373904930\kwrd.dll
c:\windows\$NtUninstallKB29126$\1373904930\L\qnbwvoto
c:\windows\$NtUninstallKB29126$\1373904930\lsflt7.ver
c:\windows\$NtUninstallKB29126$\1373904930\U\00000001.@
c:\windows\$NtUninstallKB29126$\1373904930\U\00000002.@
c:\windows\$NtUninstallKB29126$\1373904930\U\00000004.@
c:\windows\$NtUninstallKB29126$\1373904930\U\80000000.@
c:\windows\$NtUninstallKB29126$\1373904930\U\80000004.@
c:\windows\$NtUninstallKB29126$\1373904930\U\80000032.@
c:\windows\$NtUninstallKB29126$\1383809685
.
.
((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
.
.
2011-12-09 16:48 . 2011-12-09 16:48 -------- d-----w- c:\users\Home\AppData\Local\temp
2011-12-09 16:35 . 2011-12-09 16:35 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{20ADEED9-1B41-4209-A338-0C00D59D6BA7}\offreg.dll
2011-12-09 13:50 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{20ADEED9-1B41-4209-A338-0C00D59D6BA7}\mpengine.dll
2011-12-02 19:53 . 2011-12-02 19:53 -------- d-----w- c:\program files\Microsoft Silverlight
2011-12-02 19:38 . 2011-12-02 19:38 -------- d-----w- c:\program files\Common Files\Adobe
2011-12-02 19:37 . 2011-12-02 19:37 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-12-02 18:19 . 2011-12-02 19:50 -------- d-----w- c:\users\Home\AppData\Local\Solid State Networks
2011-11-29 15:09 . 2011-11-29 15:09 388096 ----a-r- c:\users\Home\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-29 01:30 . 2011-11-29 01:30 -------- d-----w- c:\users\Home\DoctorWeb
2011-11-28 20:34 . 2011-12-06 20:34 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-11-28 20:29 . 2011-11-28 20:29 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-11-28 20:11 . 2011-12-06 15:44 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-28 20:10 . 2011-11-28 20:29 -------- d-----w- c:\programdata\Hitman Pro
2011-11-28 00:47 . 2011-11-28 00:47 -------- d-----w- c:\users\Home\AppData\Roaming\ERS Game Studios
2011-11-27 22:23 . 2011-12-01 18:31 -------- d-----w- C:\TEMP
2011-11-27 21:31 . 2011-11-27 21:33 -------- d-----w- c:\program files\Dark Tales - Edgar Allan Poe's The Black Cat
2011-11-27 20:59 . 2011-11-27 20:59 -------- d-----w- c:\programdata\Big Fish Games
2011-11-27 20:58 . 2011-11-27 20:59 -------- d-----w- c:\program files\bfgclient
2011-11-27 20:57 . 2011-11-28 00:47 -------- d-----w- C:\BigFishGamesCache
2011-11-23 04:44 . 2011-11-23 04:44 -------- d-----r- c:\program files\Skype
2011-11-22 23:31 . 2011-11-22 23:31 472808 ----a-w- c:\windows\system32\REN335F.tmp
2011-11-22 23:04 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-11-22 22:40 . 2011-11-22 22:40 -------- d-----w- c:\users\Home\AppData\Roaming\SmartPCTools
2011-11-22 19:45 . 2011-11-22 19:45 -------- d-----w- c:\users\Home\AppData\Roaming\Runscanner.net
2011-11-22 19:33 . 2011-11-22 19:33 -------- d-----w- c:\program files\Trend Micro
2011-11-22 16:03 . 2011-12-09 16:17 141272 ----a-w- c:\windows\system32\WRusr.dll
2011-11-22 16:03 . 2011-12-09 16:17 107336 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2011-11-22 16:03 . 2011-12-09 15:12 -------- d-----w- c:\program files\Webroot
2011-11-22 16:03 . 2011-12-08 16:13 -------- d-----w- c:\programdata\WRData
2011-11-22 14:47 . 2011-11-22 14:47 -------- d-----w- c:\users\Home\AppData\Local\ElevatedDiagnostics
2011-11-18 20:59 . 2011-11-18 20:59 -------- d-----w- c:\users\Home\AppData\Roaming\SUPERAntiSpyware.com
2011-11-18 20:57 . 2011-11-18 20:57 -------- d-----w- c:\programdata\!SASCORE
2011-11-18 20:57 . 2011-11-18 21:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-18 20:57 . 2011-11-18 20:57 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-11-18 20:56 . 2011-11-18 20:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-18 20:56 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-18 18:38 . 2011-11-18 18:39 -------- d-----w- c:\users\pizza
2011-11-18 18:31 . 2011-11-18 18:31 -------- d-----w- c:\programdata\webroot(219)
2011-11-17 19:01 . 2011-11-17 19:01 -------- d-----w- c:\users\Home\AppData\Local\SlimWare Utilities Inc
2011-11-17 19:00 . 2011-11-18 18:29 -------- d-----w- c:\program files\SlimCleaner
2011-11-17 12:36 . 2011-11-17 20:12 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-17 04:58 . 2011-11-17 04:58 -------- d-----w- c:\users\Home\AppData\Roaming\Malwarebytes
2011-11-17 04:58 . 2011-11-17 04:58 -------- d-----w- c:\programdata\Malwarebytes
2011-11-16 20:38 . 2011-11-16 20:38 -------- d-----w- c:\users\Home\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-11-16 19:16 . 2011-11-18 19:48 -------- d-----w- c:\programdata\STOPzilla!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 23:42 . 2011-05-18 10:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 22:29 . 2002-02-10 06:00 72748 ----a-w- c:\windows\unins000.exe
2011-10-03 10:06 . 2010-08-23 03:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-20 21:02 . 2011-11-09 14:53 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-20 13:44 . 2011-11-09 14:53 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-11-21 04:04 . 2011-11-23 04:01 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 154136]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-04-03 233472]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-03-07 468320]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-12-18 448376]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-03-23 729088]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-03-25 163840]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-13 299008]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"TUSBSleepChargeSrv"="c:\program files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-03-28 252288]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-04-24 1011712]
"TPCHWMsg"="c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe" [2009-04-09 570736]
"mmkpro"="c:\program files\MMK2\memokeys.exe" [2003-08-24 472576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2011-12-09 637208]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
OnlyWire.LNK - c:\program files\OnlyWire\OnlyWireWindows.exe [2011-9-20 44456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^Home^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2009-04-10 21:54 200704 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-26 23:04 135664 ----atw- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-03-13 21:02 150040 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-07-19 22:29 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-08-31 22:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-08-31 22:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMAgent]
2009-04-10 21:54 143360 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-11-18 20:59 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WRSVC]
2011-12-09 15:12 637208 ----a-w- c:\program files\Webroot\WRSA.exe
.
R0 52586643;52586643;c:\windows\system32\drivers\26595850.sys [x]
R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [x]
R0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [x]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2011-11-02 51632]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-03-26 30272]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2007-09-04 13336]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys [2011-12-09 107336]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [2011-05-19 17904]
S1 PMCF;PMCF;c:\windows\system32\drivers\PMCF.sys [2009-04-23 14856]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-11-18 116608]
S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2011-11-16 2996784]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 camsvc;TOSHIBA Web Camera Service;c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [2009-04-17 20544]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe [2007-03-16 537520]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2009-03-19 345336]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-02-12 45056]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-01-14 38400]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-02-19 57344]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-04-24 176128]
S2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-03-17 73728]
S2 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-04-09 656752]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-03-21 12920]
S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [2011-12-09 637208]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-22 112128]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-03-18 22272]
S3 qcfilterTSH;Toshiba USB Composite Device Filter Driver;c:\windows\system32\DRIVERS\qcfilterTSH.sys [2009-03-19 5248]
S3 qcusbnetTSH;Toshiba USB-NDIS miniport;c:\windows\system32\DRIVERS\qcusbnetTSH.sys [2009-03-19 115200]
S3 qcusbserTSH;Toshiba USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbserTSH.sys [2009-03-19 104448]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4117445786-1006973776-1307653751-1000Core.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-26 23:04]
.
2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4117445786-1006973776-1307653751-1000UA.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-26 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{6FF834A3-1E15-483F-8A01-4956DFC10906}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
TCP: DhcpNameServer = 207.69.188.186 207.69.188.187 192.168.1.1
FF - ProfilePath - c:\users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\47wsu0uk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.charlotteobserver.com/
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-52586643.sys
MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-09 11:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{043C5167-00BB-4324-AF7E-62013FAEDACF}"=hex:51,66,7a,6c,4c,1d,38,12,09,52,2f,
00,89,4e,4a,06,d0,68,21,41,3a,f0,9e,db
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:16,67,33,60,20,f9,cb,01
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-09 11:51:47
ComboFix-quarantined-files.txt 2011-12-09 16:51
.
Pre-Run: 76,580,253,696 bytes free
Post-Run: 76,527,394,816 bytes free
.
- - End Of File - - 3D0F8F49BEC9048929DA39944D93D465
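
The log above shows two artifact patterns worth recognising when reading a ComboFix report: entries under a `$NtUninstallKB…$` folder that holds `@` files and `U\` / `L\` subfolders (a genuine hotfix uninstall folder does not look like that), and a boot-start (R0) driver entry with a purely numeric service name whose image file is missing. The following triage script is an added example, not part of this thread and not code from ComboFix; it assumes the section-header and service-line layout seen in the log above, and the sample log embedded in it is constructed from a handful of those lines so it runs offline.

```python
import re
from collections import defaultdict

# Section headers look like "(((( Name ))))" or "------- Name -------" in the log above.
SECTION_HDR = re.compile(r"^(?:\(+|-+)\s*(.+?)\s*(?:\)+|-+)$")
# Service/driver lines: "<start> <name>;<display>;<path> [<date size>]" or "[x]" when the file is missing.
SERVICE_LINE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
# Hotfix uninstall folders are named $NtUninstallKB<number>$ under c:\windows.
UNINSTALL_DIR = re.compile(r"\\(\$NtUninstall[^\\]*\$)\\", re.IGNORECASE)

# Constructed sample modelled on a few lines of the ComboFix log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\DealBulldog Toolbar
c:\windows\$NtUninstallKB29126$\1373904930\@
c:\windows\$NtUninstallKB29126$\1373904930\L\qnbwvoto
c:\windows\$NtUninstallKB29126$\1373904930\U\00000001.@
c:\windows\$NtUninstallKB29126$\1373904930\U\80000032.@
c:\users\Home\Documents\~WRL0005.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R0 52586643;52586643;c:\windows\system32\drivers\26595850.sys [x]
R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys [2011-12-09 107336]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{6FF834A3-1E15-483F-8A01-4956DFC10906}
"""


def parse_sections(text):
    """Split a ComboFix-style log into {section name: [non-empty lines]}."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        m = SECTION_HDR.match(line)
        if m:
            current = m.group(1).strip(" -()")
            continue
        sections[current].append(line)
    return dict(sections)


def find_fake_uninstall_dirs(paths):
    """Group $NtUninstall*$ entries whose contents ('@' files, U\\ or L\\ subfolders)
    do not match a real hotfix uninstall set. Returns {folder name: [paths]}."""
    hits = defaultdict(list)
    for p in paths:
        m = UNINSTALL_DIR.search(p)
        if not m:
            continue
        parts = p[m.end():].split("\\")      # components below the $...$ folder
        odd_subdir = any(part.upper() in ("U", "L") for part in parts[:-1])
        if odd_subdir or parts[-1].endswith("@"):
            hits[m.group(1)].append(p)
    return dict(hits)


def find_suspicious_drivers(lines):
    """Flag boot-start (R0/S0) drivers with a missing image or a purely numeric name."""
    findings = []
    for line in lines:
        m = SERVICE_LINE.match(line)
        if not m:
            continue
        start, name, _display, path, info = m.groups()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if info == "x":
            reasons.append("image file missing")
        if name.isdigit() or stem.isdigit():
            reasons.append("purely numeric service or file name")
        if start in ("R0", "S0") and reasons:
            severity = "high" if any("numeric" in r for r in reasons) else "review"
            findings.append({"service": name, "path": path, "start": start,
                             "reasons": reasons, "severity": severity})
    return findings


def find_start_pages(lines):
    """Collect the per-user (u) and per-machine (m) IE start pages for analyst review."""
    pages = {}
    for line in lines:
        m = re.match(r"^([um])Start Page\s*=\s*(.+)$", line)
        if m:
            pages["user" if m.group(1) == "u" else "machine"] = m.group(2)
    return pages


def triage(log_text):
    sections = parse_sections(log_text)
    return {
        "fake_uninstall_dirs": find_fake_uninstall_dirs(sections.get("Other Deletions", [])),
        "suspicious_drivers": find_suspicious_drivers(sections.get("Reg Loading Points", [])),
        "start_pages": find_start_pages(sections.get("Supplementary Scan", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

The numeric-name check is deliberately separate from the missing-file check: a stale `[x]` entry left by an uninstalled security product (like the `is3srv` line here) only warrants review, while a numeric boot-start driver whose file is gone is the pattern that merits a closer look at the rest of the log.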

#11 infiltrated :(

  • Topic Starter

  • Members
  • 21 posts

Posted 09 December 2011 - 12:00 PM

ComboFix reported that the ZeroAccess rootkit has affected the TCP/IP stack. - I will run it again...
Here is the 'second' log:

ComboFix 11-12-09.02 - Home 12/09/2011 12:15:47.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3034.1825 [GMT -5:00]
Running from: c:\users\Home\Desktop\ComboFix.exe
AV: Webroot SecureAnywhere *Disabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Webroot SecureAnywhere *Disabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
.
.
2011-12-09 17:24 . 2011-12-09 17:24 -------- d-----w- c:\users\Home\AppData\Local\temp
2011-12-09 17:24 . 2011-12-09 17:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-09 13:50 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{20ADEED9-1B41-4209-A338-0C00D59D6BA7}\mpengine.dll
2011-12-02 19:53 . 2011-12-02 19:53 -------- d-----w- c:\program files\Microsoft Silverlight
2011-12-02 19:38 . 2011-12-02 19:38 -------- d-----w- c:\program files\Common Files\Adobe
2011-12-02 19:37 . 2011-12-02 19:37 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-12-02 18:19 . 2011-12-02 19:50 -------- d-----w- c:\users\Home\AppData\Local\Solid State Networks
2011-11-29 15:09 . 2011-11-29 15:09 388096 ----a-r- c:\users\Home\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-29 01:30 . 2011-11-29 01:30 -------- d-----w- c:\users\Home\DoctorWeb
2011-11-28 20:34 . 2011-12-06 20:34 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-11-28 20:29 . 2011-11-28 20:29 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-11-28 20:11 . 2011-12-06 15:44 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-11-28 20:10 . 2011-11-28 20:29 -------- d-----w- c:\programdata\Hitman Pro
2011-11-28 00:47 . 2011-11-28 00:47 -------- d-----w- c:\users\Home\AppData\Roaming\ERS Game Studios
2011-11-27 22:23 . 2011-12-01 18:31 -------- d-----w- C:\TEMP
2011-11-27 21:31 . 2011-11-27 21:33 -------- d-----w- c:\program files\Dark Tales - Edgar Allan Poe's The Black Cat
2011-11-27 20:59 . 2011-11-27 20:59 -------- d-----w- c:\programdata\Big Fish Games
2011-11-27 20:58 . 2011-11-27 20:59 -------- d-----w- c:\program files\bfgclient
2011-11-27 20:57 . 2011-11-28 00:47 -------- d-----w- C:\BigFishGamesCache
2011-11-23 04:44 . 2011-11-23 04:44 -------- d-----r- c:\program files\Skype
2011-11-22 23:31 . 2011-11-22 23:31 472808 ----a-w- c:\windows\system32\REN335F.tmp
2011-11-22 23:04 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-11-22 22:40 . 2011-11-22 22:40 -------- d-----w- c:\users\Home\AppData\Roaming\SmartPCTools
2011-11-22 19:45 . 2011-11-22 19:45 -------- d-----w- c:\users\Home\AppData\Roaming\Runscanner.net
2011-11-22 19:33 . 2011-11-22 19:33 -------- d-----w- c:\program files\Trend Micro
2011-11-22 16:03 . 2011-12-09 16:17 141272 ----a-w- c:\windows\system32\WRusr.dll
2011-11-22 16:03 . 2011-12-09 16:17 107336 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2011-11-22 16:03 . 2011-12-09 15:12 -------- d-----w- c:\program files\Webroot
2011-11-22 16:03 . 2011-12-08 16:13 -------- d-----w- c:\programdata\WRData
2011-11-22 14:47 . 2011-11-22 14:47 -------- d-----w- c:\users\Home\AppData\Local\ElevatedDiagnostics
2011-11-18 20:59 . 2011-11-18 20:59 -------- d-----w- c:\users\Home\AppData\Roaming\SUPERAntiSpyware.com
2011-11-18 20:57 . 2011-11-18 20:57 -------- d-----w- c:\programdata\!SASCORE
2011-11-18 20:57 . 2011-11-18 21:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-18 20:57 . 2011-11-18 20:57 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-11-18 20:56 . 2011-11-18 20:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-18 20:56 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-18 18:38 . 2011-11-18 18:39 -------- d-----w- c:\users\pizza
2011-11-18 18:31 . 2011-11-18 18:31 -------- d-----w- c:\programdata\webroot(219)
2011-11-17 19:01 . 2011-11-17 19:01 -------- d-----w- c:\users\Home\AppData\Local\SlimWare Utilities Inc
2011-11-17 19:00 . 2011-11-18 18:29 -------- d-----w- c:\program files\SlimCleaner
2011-11-17 12:36 . 2011-11-17 20:12 -------- d-----w- c:\program files\Free Window Registry Repair
2011-11-17 04:58 . 2011-11-17 04:58 -------- d-----w- c:\users\Home\AppData\Roaming\Malwarebytes
2011-11-17 04:58 . 2011-11-17 04:58 -------- d-----w- c:\programdata\Malwarebytes
2011-11-16 20:38 . 2011-11-16 20:38 -------- d-----w- c:\users\Home\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-11-16 19:16 . 2011-11-18 19:48 -------- d-----w- c:\programdata\STOPzilla!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 23:42 . 2011-05-18 10:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 22:29 . 2002-02-10 06:00 72748 ----a-w- c:\windows\unins000.exe
2011-10-03 10:06 . 2010-08-23 03:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-20 21:02 . 2011-11-09 14:53 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-09-20 13:44 . 2011-11-09 14:53 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-11-21 04:04 . 2011-11-23 04:01 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-07-03 135680]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-13 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-13 154136]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-04-03 233472]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-03-07 468320]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2009-03-09 55160]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-12-18 448376]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-03-23 729088]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-03-25 163840]
"NDSTray.exe"="c:\program files\TOSHIBA\ConfigFree\NDSTray.exe" [2009-05-13 299008]
"cfFncEnabler.exe"="c:\program files\TOSHIBA\ConfigFree\cfFncEnabler.exe" [2009-03-24 16384]
"TUSBSleepChargeSrv"="c:\program files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe" [2009-03-28 252288]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe" [2009-04-24 1011712]
"TPCHWMsg"="c:\program files\TOSHIBA\TPHM\TPCHWMsg.exe" [2009-04-09 570736]
"mmkpro"="c:\program files\MMK2\memokeys.exe" [2003-08-24 472576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2011-12-09 637208]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
OnlyWire.LNK - c:\program files\OnlyWire\OnlyWireWindows.exe [2011-9-20 44456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^Home^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2009-04-10 21:54 200704 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-26 23:04 135664 ----atw- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-03-13 21:02 150040 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-07-19 22:29 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-08-31 22:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2011-08-31 22:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMAgent]
2009-04-10 21:54 143360 ------w- c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-11-18 20:59 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WRSVC]
2011-12-09 15:12 637208 ----a-w- c:\program files\Webroot\WRSA.exe
.
R0 52586643;52586643;c:\windows\system32\drivers\26595850.sys [x]
R0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [x]
R0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys [x]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [2011-12-09 637208]
R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2011-11-02 51632]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-03-26 30272]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2007-09-04 13336]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys [2011-12-09 107336]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [2011-05-19 17904]
S1 PMCF;PMCF;c:\windows\system32\drivers\PMCF.sys [2009-04-23 14856]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-11-18 116608]
S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2011-11-16 2996784]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 camsvc;TOSHIBA Web Camera Service;c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe [2009-04-17 20544]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe [2007-03-16 537520]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 QDLService;Qualcomm Gobi Download Service;c:\qualcomm\QDLService\QDLService.exe [2009-03-19 345336]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-02-12 45056]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-01-14 38400]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-02-19 57344]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-04-24 176128]
S2 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-03-17 73728]
S2 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-04-09 656752]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-03-21 12920]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-22 112128]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-03-18 22272]
S3 qcfilterTSH;Toshiba USB Composite Device Filter Driver;c:\windows\system32\DRIVERS\qcfilterTSH.sys [2009-03-19 5248]
S3 qcusbnetTSH;Toshiba USB-NDIS miniport;c:\windows\system32\DRIVERS\qcusbnetTSH.sys [2009-03-19 115200]
S3 qcusbserTSH;Toshiba USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbserTSH.sys [2009-03-19 104448]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4117445786-1006973776-1307653751-1000Core.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-26 23:04]
.
2011-12-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4117445786-1006973776-1307653751-1000UA.job
- c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-26 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{6FF834A3-1E15-483F-8A01-4956DFC10906}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
TCP: DhcpNameServer = 207.69.188.186 207.69.188.187 192.168.1.1
FF - ProfilePath - c:\users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\47wsu0uk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.charlotteobserver.com/
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - user.js: yahoo.homepage.dontask - true
.
.
------- File Associations -------
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-09 12:24
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{043C5167-00BB-4324-AF7E-62013FAEDACF}"=hex:51,66,7a,6c,4c,1d,38,12,09,52,2f,
00,89,4e,4a,06,d0,68,21,41,3a,f0,9e,db
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:16,67,33,60,20,f9,cb,01
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-09 12:26:39
ComboFix-quarantined-files.txt 2011-12-09 17:26
ComboFix2.txt 2011-12-09 16:51
.
Pre-Run: 76,455,026,688 bytes free
Post-Run: 76,426,084,352 bytes free
.
- - End Of File - - E23A28A0FE747EDB28C0F9B740FD6ACD

Edited by infiltrated :(, 09 December 2011 - 12:30 PM.


#12 infiltrated :( (Topic Starter, Members)

Posted 09 December 2011 - 02:28 PM

GMER scan keeps crashing. I took a screenshot right before it happens - when it is scanning \device\harddiskVolumeShadowCopy1.

I don't like the name of that... screenshot of the GMER log attached.


#13 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 09 December 2011 - 03:58 PM

Please let me know if the internet connection is back.

We may have to do a Windows repair.

Do you have the Windows Vista CD, or the Setup CD you received with your computer or made when you first got your new computer?

#14 infiltrated :( (Topic Starter, Members)

Posted 09 December 2011 - 04:39 PM

Yes, I have internet now. (Several days ago, the internet wouldn't work - I tried resetting and messing with Winsock, DNS, IPv4 stuff - nothing worked; then I did a system restore in safe mode, and the internet has worked ever since...)

I have two Microsoft disks here that I paid $279.99 for: Microsoft Office Small Business 2007. There is a product key code. The cover says 'UPGRADE - for existing users of one of the Microsoft products listed on the side panel [Microsoft Works]'. Are those the correct CDs?

Edited by infiltrated :(, 09 December 2011 - 05:48 PM.


#15 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 10 December 2011 - 10:11 AM

Now that you have an Internet connection after using a Restore point, what issues are you having with this computer?
