
Vista Security 2012 popping up and blocking everything


  • This topic is locked
85 replies to this topic

#1 ajsmom


  • Members
  • 97 posts

Posted 23 December 2011 - 04:16 PM

While checking email, the Vista Security 2012 attacked my computer. I at first shut everything down and restarted. This did nothing good, so tried to do a restore from last week, hoping to remove the problem that way. No dice...the restore would not complete. Came to BC and found and followed the directions for removal of Vista Security 2012. After the first time, nothing seemed changed, so followed all the steps again. Now my computer boots, goes into windows, but my screen is black and only has the 'my computer' icon showing. Get MANY messages about virus attacks, delayed write failures, files indexation failures, hard drive clusters damaged, etc. I am REALLY hoping these are all fake alerts...I am sending this post from a different computer, so no problem there. Thanks in advance for any help you can offer!

Here are the logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 12:25:27 on 2011-12-23
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.109 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Mamutu\a2service.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\Explorer.EXE
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Windows\system32\lxbacoms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\RioMSC.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\rstrui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Mamutu\mamutu.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sticky Password\stpass.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\ProgramData\sBqDkHtcpJbcHA.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\ProgramData\knbYYLeraf0Eww.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\attrib.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
uSearch Bar = Preserve
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\upromise\dca-bho.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Upromise TurboSaver: {edc0f17f-f4b7-47e4-b73e-887faeb376fa} - c:\program files\upromise\upromisetoolbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Upromise TurboSaver: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [PerfectClock2007] "c:\program files\perfectclock\perfectClock2007.exe"
uRun: [StickyPassword] c:\program files\sticky password\stpass.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [sBqDkHtcpJbcHA.exe] c:\programdata\sBqDkHtcpJbcHA.exe
uRun: [{734C84D7-6954-2B24-4F30-82BE5F409E40}] c:\users\owner\appdata\roaming\ytazxil\lozena.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Mamutu Guard] "c:\program files\mamutu\mamutu.exe" /silent
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{8BA03FEA-20F6-40FA-A6CA-D841A018D808} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C4DFE287-BDD1-4878-8213-056EA247454C} : DhcpNameServer = 68.105.28.16 208.67.222.222
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\v9woie38.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071706000001.dll
.
============= SERVICES / DRIVERS ===============
.
R1 a2injectiondriver;a2injectiondriver;c:\program files\mamutu\a2dix86.sys [2011-7-14 34768]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\mamutu\a2util32.sys [2011-7-14 11776]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-6 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-6 66616]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R3 a2acc;a2acc;c:\program files\mamutu\a2accx86.sys [2011-7-14 51632]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-1-12 13224]
S3 DigiartyVirtualCDBus;Digiarty Virtual Driver;c:\windows\system32\drivers\DigiartyVirtualCDBus.sys [2011-10-28 163616]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-11-10 19456]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-1-12 15656]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-12-23 16:46:02 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d947ec15-58d0-4f8b-aa7e-f4aee79f9e41}\offreg.dll
2011-12-23 13:49:53 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d947ec15-58d0-4f8b-aa7e-f4aee79f9e41}\mpengine.dll
2011-12-23 05:41:08 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-23 04:23:25 371712 ---ha-w- c:\programdata\knbYYLeraf0Eww.exe
2011-12-23 03:43:44 371712 ---ha-w- c:\programdata\U6xEgVk95NMB9K.exe
2011-12-23 02:59:05 371712 ---ha-w- c:\programdata\DceeFxadZo33M6.exe
2011-12-22 23:26:08 462848 ---ha-w- c:\programdata\sBqDkHtcpJbcHA.exe
2011-12-22 23:22:26 -------- d--h--w- c:\users\owner\appdata\roaming\Ytazxil
2011-12-22 23:22:26 -------- d--h--w- c:\users\owner\appdata\roaming\Tedyus
2011-12-22 15:40:05 -------- d-----w- c:\windows\F9D59E62845F49A28B75DDB00661673C.TMP
2011-12-20 03:07:12 -------- d--h--w- c:\users\owner\appdata\local\Tipard Studio
2011-12-20 03:06:36 -------- d--h--w- c:\programdata\Tipard Studio
2011-12-20 03:06:36 -------- d-----w- c:\program files\Tipard Studio
2011-12-11 07:16:21 -------- d--h--w- c:\users\owner\appdata\roaming\ElementalsTheMagicKey
2011-12-11 07:15:15 -------- d-----w- c:\program files\Playrix Entertainment
2011-12-10 05:44:35 -------- d--h--w- c:\users\owner\appdata\roaming\FaceOffMax
2011-12-10 05:44:35 -------- d--h--w- c:\programdata\FaceOffMax
2011-12-10 05:43:58 -------- d-----w- c:\program files\FaceOffMax
2011-12-09 05:34:30 -------- d-----w- c:\program files\iPod
2011-12-09 05:34:09 -------- d-----w- c:\program files\iTunes
2011-12-06 04:47:20 -------- d--h--w- c:\users\owner\appdata\roaming\NeoDownloader
2011-12-06 04:47:20 -------- d-----w- c:\program files\NeoDownloader
2011-12-02 03:36:42 -------- d-----w- c:\program files\Photoupz
2011-11-28 12:46:15 -------- d--h--w- c:\users\owner\appdata\local\Mozilla
.
==================== Find3M ====================
.
2011-12-16 21:18:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-29 02:33:40 163616 ----a-w- c:\windows\system32\drivers\DigiartyVirtualCDBus.sys
2011-10-24 18:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 12:30:10.49 ===============

Edited by ajsmom, 23 December 2011 - 04:19 PM.
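The DDS log above already carries the indicators a helper would act on: a randomly named executable dropped directly in C:\ProgramData that is hidden, running, and registered under uRun, plus a hidden folder under AppData\Roaming hosting a second autorun. As an added triage example (not part of this thread, and not a DDS feature), the script below parses the DDS section layout and correlates the Running Processes, Pseudo HJT Report and Created Last 30 sections so that a path seen in all three ranks first. The excerpt is constructed from the layout of the posted log, and the "suspicious location" heuristic is this example's own assumption, not a DDS rule.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt in the DDS layout posted in this thread (not the full log);
# the file names are the ones visible in the poster's own log.
SAMPLE_DDS = """\
============== Running Processes ===============
.
C:\\Windows\\system32\\svchost.exe -k netsvcs
C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
C:\\ProgramData\\sBqDkHtcpJbcHA.exe
C:\\ProgramData\\knbYYLeraf0Eww.exe
============== Pseudo HJT Report ===============
uRun: [StickyPassword] c:\\program files\\sticky password\\stpass.exe
uRun: [sBqDkHtcpJbcHA.exe] c:\\programdata\\sBqDkHtcpJbcHA.exe
uRun: [{734C84D7-6954-2B24-4F30-82BE5F409E40}] c:\\users\\owner\\appdata\\roaming\\ytazxil\\lozena.exe
mRun: [avgnt] "c:\\program files\\avira\\antivir desktop\\avgnt.exe" /min
=============== Created Last 30 ================
.
2011-12-23 04:23:25 371712 ---ha-w- c:\\programdata\\knbYYLeraf0Eww.exe
2011-12-22 23:26:08 462848 ---ha-w- c:\\programdata\\sBqDkHtcpJbcHA.exe
2011-12-22 23:22:26 -------- d--h--w- c:\\users\\owner\\appdata\\roaming\\Ytazxil
2011-12-23 05:41:08 41272 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")            # '===== Title ====='
RUN_RE = re.compile(r"^([um]Run(?:Once)?): \[(.*?)\] (.+)$", re.I)
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.I)              # path up to .exe; quotes/args dropped
CREATED_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.+)$")  # timestamp size attrs path


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group lines under their DDS banner; blank and '.' spacer lines are dropped."""
    sections: Dict[str, List[str]] = defaultdict(list)
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections


def exe_path(field: str) -> str:
    """Lower-cased executable path from a process line or a Run value."""
    m = EXE_RE.match(field.strip())
    return (m.group(1) if m else field.strip()).lower()


def is_suspicious_path(path: str) -> bool:
    """Assumed heuristic, not a DDS rule: a bare .exe directly in C:\\ProgramData or
    anywhere under AppData\\Roaming, the drop locations seen in this thread's log."""
    p = path.lower()
    if not p.endswith(".exe"):
        return False
    directory = p.rpartition("\\")[0]
    return directory == "c:\\programdata" or "\\appdata\\roaming\\" in (directory + "\\")


def triage(text: str) -> Dict[str, List[str]]:
    """Map each suspicious path to the evidence the log holds for it."""
    sections = split_sections(text)
    evidence: Dict[str, set] = defaultdict(set)
    for line in sections.get("Running Processes", []):      # it is live
        path = exe_path(line)
        if is_suspicious_path(path):
            evidence[path].add("process")
    for line in sections.get("Pseudo HJT Report", []):      # it persists via a Run key
        m = RUN_RE.match(line)
        if m:
            path = exe_path(m.group(3))
            if is_suspicious_path(path):
                evidence[path].add(m.group(1).lower())
    for line in sections.get("Created Last 30", []):        # it was dropped recently
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4).lower()
        hidden, is_dir = "h" in attrs, attrs.startswith("d")
        if is_suspicious_path(path):
            evidence[path].add("created")
            if hidden:
                evidence[path].add("hidden")
        elif is_dir and hidden and "\\appdata\\roaming\\" in path:
            evidence[path].add("hidden-dir")
    return {p: sorted(tags) for p, tags in evidence.items()}


def rank(findings: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Strongest first: a path that is running, autostarted and freshly hidden outranks one seen once."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))
```

Running `rank(triage(SAMPLE_DDS))` puts sBqDkHtcpJbcHA.exe first with all four pieces of evidence; a legitimate path such as avguard.exe never enters the findings.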


#2 ajsmom

  • Topic Starter

  • Members
  • 97 posts

Posted 29 December 2011 - 11:52 AM

It's been a while, and I have tried to work on this problem, so wanted to update with what I have done. First I searched through the other threads to find a similar issue with someone else. I did find a very similar case, and it appears that Gringo was able to help that person correct the problem. I followed many of the directions suggested to the other poster, and have finally been able to stop the constant barrage of fake virus notifications. I downloaded and ran the Avira Rescue CD. It found 32 infections and cleaned those. I also have run the typical Avira scan and Malwarebytes several times and now have no issues showing when I run them. I cleaned out my temp files with TFC. The virus part appears to be gone, but I am still having a few issues. The main issue is that my desktop is a black, empty screen. I can click on the start and my programs show, as does the control panel, etc., as it should, but the main desktop is blank. Anyone care to help me with this??? Thanks in advance!

Lisa

#3 HelpBot


    Bleepin' Binary Bot


  • Bots
  • 12,764 posts

Posted 29 December 2011 - 07:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434216 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 ajsmom

  • Topic Starter

  • Members
  • 97 posts

Posted 02 January 2012 - 07:09 AM

Thank you, thank you for finally getting to me. I am about to go crazy with this! As stated before, this all started with the Vista Security 2012 bug. I tried the removal guide here on BC, but it did not help. I noticed that many seemed to be suffering from the same problem, so followed the advice on another thread, and I have stopped the continual pop-up of the warnings and scans. I have run Avira and Malwarebytes several times and allowed them to fix any problems they found.

Now my problem is that my desktop icons are gone, and when I click on start, my programs will show, but nothing except 'My Computer' shows in the listing on the right side. I don't have 'Control Panel', etc. I know they are still there, because I can click 'My Computer' and then 'Desktop' and 'Control Panel' will be there, but it doesn't show where it should. My desktop is black and only shows 'My Computer'. When I tried to re-run the scans for this post, I knew that I had downloaded the programs when I first posted, but could not find them anywhere. So, I clicked on the links to download them again, and it said I already had that, did I want to overwrite? I clicked yes and it would not allow it. So, I changed the name by adding the date, and it saved to my desktop. My question is will I still be able to see it after I reboot. Another problem is that one of my 'Users' has disappeared. It has always had the 'Users' folder containing 'Public' and 'Owner'. Owner is gone. I think my personal files are still there, I sure hope they are, but I can't see them at all and cannot access them. Properties for my C drive still show the same amount of space used and free as before, and I noticed during the GMER scan that the names of my files were showing; that is my reason to think nothing is really gone. I am completely stumped and don't know what I should do. I am running Vista Home Version. I sincerely appreciate any assistance you can give me, and will do my best to follow your instructions carefully and completely.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 1:00:05 on 2012-01-02
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.297 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Mamutu\a2service.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Windows\system32\lxbacoms.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\RioMSC.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Mamutu\mamutu.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sticky Password\stpass.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\WTouch\WTouchUser.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
uSearch Bar = Preserve
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\upromise\dca-bho.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Upromise TurboSaver: {edc0f17f-f4b7-47e4-b73e-887faeb376fa} - c:\program files\upromise\upromisetoolbar.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Upromise TurboSaver: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [PerfectClock2007] "c:\program files\perfectclock\perfectClock2007.exe"
uRun: [StickyPassword] c:\program files\sticky password\stpass.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Mamutu Guard] "c:\program files\mamutu\mamutu.exe" /silent
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{8BA03FEA-20F6-40FA-A6CA-D841A018D808} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C4DFE287-BDD1-4878-8213-056EA247454C} : DhcpNameServer = 68.105.28.16 208.67.222.222
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\v9woie38.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071706000001.dll
.
============= SERVICES / DRIVERS ===============
.
R1 a2injectiondriver;a2injectiondriver;c:\program files\mamutu\a2dix86.sys [2011-7-14 34768]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\mamutu\a2util32.sys [2011-7-14 11776]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-6 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-6 66616]
R3 a2acc;a2acc;c:\program files\mamutu\a2accx86.sys [2011-7-14 51632]
S3 DigiartyVirtualCDBus;Digiarty Virtual Driver;c:\windows\system32\drivers\DigiartyVirtualCDBus.sys [2011-10-28 163616]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-11-10 19456]
.
=============== Created Last 30 ================
.
2012-01-02 02:10:21 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{155a303d-36f6-4452-baab-0a86fc019f1f}\offreg.dll
2012-01-02 02:10:07 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{155a303d-36f6-4452-baab-0a86fc019f1f}\mpengine.dll
2011-12-28 00:35:55 -------- d-----w- C:\emb files from thumb
2011-12-22 23:22:26 -------- d--h--w- c:\users\owner\appdata\roaming\Ytazxil
2011-12-22 23:22:26 -------- d--h--w- c:\users\owner\appdata\roaming\Tedyus
2011-12-20 03:07:12 -------- d--h--w- c:\users\owner\appdata\local\Tipard Studio
2011-12-20 03:06:36 -------- d--h--w- c:\programdata\Tipard Studio
2011-12-20 03:06:36 -------- d-----w- c:\program files\Tipard Studio
2011-12-11 07:16:21 -------- d--h--w- c:\users\owner\appdata\roaming\ElementalsTheMagicKey
2011-12-11 07:15:15 -------- d-----w- c:\program files\Playrix Entertainment
2011-12-10 05:44:35 -------- d--h--w- c:\users\owner\appdata\roaming\FaceOffMax
2011-12-10 05:44:35 -------- d--h--w- c:\programdata\FaceOffMax
2011-12-10 05:43:58 -------- d-----w- c:\program files\FaceOffMax
2011-12-09 05:34:30 -------- d-----w- c:\program files\iPod
2011-12-09 05:34:09 -------- d-----w- c:\program files\iTunes
2011-12-06 04:47:20 -------- d--h--w- c:\users\owner\appdata\roaming\NeoDownloader
2011-12-06 04:47:20 -------- d-----w- c:\program files\NeoDownloader
.
==================== Find3M ====================
.
2011-12-16 21:18:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-29 02:33:40 163616 ----a-w- c:\windows\system32\drivers\DigiartyVirtualCDBus.sys
2011-10-24 18:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 1:02:37.49 ===============



#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 02 January 2012 - 08:07 AM

Hello,
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!



Step 1


First, I see you have the Upromise toolbar. Be forewarned that this is a tracking toolbar and I highly suggest you remove it.



Step 2



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#6 ajsmom

ajsmom
  • Topic Starter

  • Members
  • 97 posts

Posted 02 January 2012 - 07:09 PM

Hello etavares, and thank you for your time and attention. I have downloaded and run Combofix, and thankfully, after it finished most of my desktop icons have reappeared. There are several that seem to have 2 copies now, and my Firefox icon did not reappear, but most everything seems normal. Several icons reappeared that I had deleted a while back??? My desktop is still black, I normally have a custom background. That's not a big deal, but just letting you know it's still different. When I click 'start', the list on the right side is back, but I don't think it shows everything it used to. Not positive about that, but there are some skipped spaces that I don't remember from before. Looks like my internet favorites list is back, although they appear to be rearranged in a different order.

You mentioned removing the Upromise toolbar, is there a thread showing how to do that? I am not sure how I got it in the first place, and have tried before to remove it, but it seems to reappear.

Here is the log from Combofix, and I will await your next directions. Thanks!


ComboFix 12-01-02.01 - Owner 01/02/2012 16:30:23.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.224 [GMT -5:00]
Running from: c:\users\Owner\Desktop\etavaresCF.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~knbYYLeraf0Eww
c:\programdata\~knbYYLeraf0Ewwr
c:\programdata\knbYYLeraf0Eww
c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\System Fix.lnk
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2012-01-02 21:51 . 2012-01-02 21:54 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-01-02 21:51 . 2012-01-02 21:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 06:12 . 2012-01-02 06:12 -------- d-----w- C:\gmer
2012-01-02 02:10 . 2012-01-02 02:10 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{155A303D-36F6-4452-BAAB-0A86FC019F1F}\offreg.dll
2012-01-02 02:10 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{155A303D-36F6-4452-BAAB-0A86FC019F1F}\mpengine.dll
2012-01-01 03:02 . 2012-01-01 03:02 -------- d-----w- c:\users\Owner\AppData\Roaming\HPAppData
2011-12-28 00:35 . 2011-12-28 00:38 -------- d-----w- C:\emb files from thumb
2011-12-22 23:22 . 2011-12-23 13:59 -------- d--h--w- c:\users\Owner\AppData\Roaming\Ytazxil
2011-12-22 23:22 . 2011-12-22 23:35 -------- d--h--w- c:\users\Owner\AppData\Roaming\Tedyus
2011-12-20 03:07 . 2011-12-20 03:07 -------- d--h--w- c:\users\Owner\AppData\Local\Tipard Studio
2011-12-20 03:06 . 2011-12-20 03:06 -------- d--h--w- c:\programdata\Tipard Studio
2011-12-20 03:06 . 2011-12-20 03:06 -------- d-----w- c:\program files\Tipard Studio
2011-12-11 07:16 . 2011-12-11 07:16 -------- d--h--w- c:\users\Owner\AppData\Roaming\ElementalsTheMagicKey
2011-12-11 07:15 . 2011-12-11 07:15 -------- d-----w- c:\program files\Playrix Entertainment
2011-12-10 05:44 . 2011-12-23 16:29 -------- d--h--w- c:\users\Owner\AppData\Roaming\FaceOffMax
2011-12-10 05:44 . 2011-12-10 05:57 -------- d--h--w- c:\programdata\FaceOffMax
2011-12-10 05:43 . 2011-12-11 14:31 -------- d-----w- c:\program files\FaceOffMax
2011-12-09 05:34 . 2011-12-09 05:34 -------- d-----w- c:\program files\iPod
2011-12-09 05:34 . 2011-12-09 05:35 -------- d-----w- c:\program files\iTunes
2011-12-06 04:47 . 2011-12-06 04:47 -------- d--h--w- c:\users\Owner\AppData\Roaming\NeoDownloader
2011-12-06 04:47 . 2011-12-06 04:47 -------- d-----w- c:\program files\NeoDownloader
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-02 06:10 . 2012-01-02 06:10 294216 ----a-w- C:\gmer.zip
2011-12-16 21:18 . 2011-11-16 05:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2009-08-31 01:30 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-29 02:33 . 2011-10-29 02:33 163616 ----a-w- c:\windows\system32\drivers\DigiartyVirtualCDBus.sys
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-11-21 04:04 . 2011-11-28 12:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PerfectClock2007"="c:\program files\PerfectClock\perfectClock2007.exe" [2010-08-10 905728]
"StickyPassword"="c:\program files\Sticky Password\stpass.exe" [2010-08-25 3052376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"NDSTray.exe"="NDSTray.exe" [BU]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 421888]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Mamutu Guard"="c:\program files\MAMUTU\mamutu.exe" [2011-11-04 4307320]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 DigiartyVirtualCDBus;Digiarty Virtual Driver;c:\windows\system32\drivers\DigiartyVirtualCDBus.sys [2011-10-29 163616]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2009-11-10 19456]
R3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-01-30 15656]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 a2injectiondriver;a2injectiondriver;c:\program files\Mamutu\a2dix86.sys [2011-11-03 34768]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Mamutu\a2util32.sys [2010-05-05 11776]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 32256]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]
S2 lxba_device;lxba_device;c:\windows\system32\lxbacoms.exe [2007-04-25 537520]
S2 Mamutu;Mamutu Service;c:\program files\Mamutu\a2service.exe [2011-07-08 2978720]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-07-15 4408616]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-07-15 112936]
S3 a2acc;a2acc;c:\program files\MAMUTU\a2accx86.sys [2011-11-03 51632]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2009-02-26 47360]
S3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\DRIVERS\WacomVTHid.sys [2009-05-20 13224]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uwloapow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\v9woie38.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-02 16:54
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*j*¿*Z%\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #*N*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #*N*\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*d%““%]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*d%““%\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-01-02 17:26:44
ComboFix-quarantined-files.txt 2012-01-02 22:26
.
Pre-Run: 13,575,204,864 bytes free
Post-Run: 13,249,105,920 bytes free
.
- - End Of File - - 2C4DE6DD2946BEE751AA31DB2F10C6CC

#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 03 January 2012 - 06:46 AM

Hello, ajsmom.

Not much we can do about the remaining icons, but we'll try unhide. Can you set your desktop back to the picture?

In regards to the Upromise toolbar, we can manually remove it, but first, try to remove it by going to Add/Remove Programs in the Control Panel, then uninstalling UPromise.





Step 1



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

Folder::
c:\users\Owner\AppData\Roaming\Ytazxil
c:\users\Owner\AppData\Roaming\Tedyus
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



Step 2


Please download unhide.exe and save it to your desktop. Double-click unhide.exe to run it.

You should see your files, start menu items and Internet Explorer favorites return. If you do not, please let me know in your reply. It is important to check, as other steps as we clean your computer may mean we delete your start menu items and favorites unreturnable. (Your files would still be fine, though).


etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
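The triage etavares did by hand on the ComboFix log above (hidden AppData\Roaming folders dated to the infection, the Security Center DisableMonitoring value, then a CFScript with Folder:: and Registry:: directives) can be scripted. The following is an added example, not a BleepingComputer or ComboFix tool: the sample lines are constructed in the shape of the log entries in this thread, and the one-day date window, the `Finding` class and the function names are this example's own assumptions; it also accepts the DDS "Created Last 30" line layout.

```python
"""Triage helper for ComboFix / DDS style logs (added example, not a BleepingComputer tool)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the shape of the thread's ComboFix log: a few
# "Files Created" entries followed by one "Reg Loading Points" key.
SAMPLE_LOG = r"""
2012-01-02 06:12 . 2012-01-02 06:12 -------- d-----w- C:\gmer
2011-12-22 23:22 . 2011-12-23 13:59 -------- d--h--w- c:\users\Owner\AppData\Roaming\Ytazxil
2011-12-22 23:22 . 2011-12-22 23:35 -------- d--h--w- c:\users\Owner\AppData\Roaming\Tedyus
2011-12-20 03:07 . 2011-12-20 03:07 -------- d--h--w- c:\users\Owner\AppData\Local\Tipard Studio
2011-12-10 05:44 . 2011-12-23 16:29 -------- d--h--w- c:\users\Owner\AppData\Roaming\FaceOffMax
2011-12-09 05:34 . 2011-12-09 05:34 -------- d-----w- c:\program files\iTunes
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
"""

# File entry: "<created> [. <modified>] <size|--------> <attrs> <path>".
# DDS omits the ". <modified>" part and adds seconds to the timestamp.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?::\d{2})?"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (?P<size>-+|\d+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


@dataclass
class Finding:
    kind: str            # "folder" or "registry"
    target: str          # directory path or registry key
    reason: str
    value: str = ""      # registry value name, for "registry" findings


def triage(log_text: str, incident_date: str, window_days: int = 1) -> list:
    """Flag hidden per-user folders created around the incident date and
    registry values that switch off Security Center monitoring."""
    incident = datetime.strptime(incident_date, "%Y-%m-%d").date()
    window = timedelta(days=window_days)
    findings, current_key = [], None
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            created = datetime.strptime(m["created"], "%Y-%m-%d %H:%M").date()
            hidden_dir = attrs[0] == "d" and "h" in attrs   # "d--h--w-" in the logs
            in_roaming = "\\appdata\\roaming\\" in path.lower()
            if hidden_dir and in_roaming and abs(created - incident) <= window:
                findings.append(Finding("folder", path,
                    f"hidden AppData\\Roaming folder created {created}, "
                    f"within {window_days} day(s) of the incident"))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]        # remember the key for the value lines below it
            continue
        m = VAL_RE.match(line)
        if m and current_key and "security center\\monitoring" in current_key.lower():
            if m["name"].lower() == "disablemonitoring" and m["data"].lower() == "dword:00000001":
                findings.append(Finding("registry", current_key,
                    "Security Center monitoring disabled for this product; "
                    "confirm the product is still installed", m["name"]))
    return findings


def build_cfscript(findings: list) -> str:
    """Render findings in the CFScript directive format used in this thread
    (Folder:: removes a directory, "name"=- under Registry:: deletes a value).
    The draft is meant to be reviewed by the analyst before use."""
    folders = [f.target for f in findings if f.kind == "folder"]
    regs = [f for f in findings if f.kind == "registry"]
    lines = []
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
    if regs:
        lines.append("Registry::")
        for f in regs:
            lines += [f"[{f.target}]", f'"{f.value}"=-']
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, "2011-12-23")   # date of the original post
    for f in found:
        print(f"{f.kind:8} {f.target}  <- {f.reason}")
    print(build_cfscript(found))
```

FaceOffMax is also a hidden Roaming folder but falls outside the date window, which is why the analyst's incident date, not the hidden attribute alone, drives the folder findings.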
 


#8 ajsmom

ajsmom
  • Topic Starter

  • Members
  • 97 posts

Posted 03 January 2012 - 10:28 PM

First thing that I did was remove the Upromise toolbar. I did it through add/remove programs like you suggested, and it appears to have worked. Hopefully it won't pop back up again!

The next thing that I did was to try to copy the codebox text you provided into Notepad. When I clicked on start and then accessories then notepad, I got an error message saying "The item 'notepad.exe' that this shortcut refers to has been changed or moved, so this shortcut will no longer work properly." Then it asked me if I wanted to delete the shortcut. I worked around this by locating notepad in my C drive and doing it that way. Ran the combofix again, doing it just as you requested. Here is the log:

ComboFix 12-01-03.07 - Owner 01/03/2012 20:45:47.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.310 [GMT -5:00]
Running from: c:\users\Owner\Desktop\etavaresCF.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Roaming\Tedyus
c:\users\Owner\AppData\Roaming\Ytazxil
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-04 02:06 . 2012-01-04 02:07 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-01-04 02:06 . 2012-01-04 02:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-04 00:05 . 2012-01-04 00:05 -------- d-----w- c:\users\Owner\AppData\Roaming\HPAppData
2012-01-03 00:31 . 2012-01-03 00:31 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{155A303D-36F6-4452-BAAB-0A86FC019F1F}\offreg.dll
2012-01-02 21:23 . 2012-01-02 22:27 -------- d-----w- C:\etavaresCF
2012-01-02 06:12 . 2012-01-02 06:12 -------- d-----w- C:\gmer
2012-01-02 02:10 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{155A303D-36F6-4452-BAAB-0A86FC019F1F}\mpengine.dll
2011-12-28 00:35 . 2011-12-28 00:38 -------- d-----w- C:\emb files from thumb
2011-12-20 03:07 . 2011-12-20 03:07 -------- d-----w- c:\users\Owner\AppData\Local\Tipard Studio
2011-12-20 03:06 . 2011-12-20 03:06 -------- d-----w- c:\programdata\Tipard Studio
2011-12-20 03:06 . 2011-12-20 03:06 -------- d-----w- c:\program files\Tipard Studio
2011-12-11 07:16 . 2011-12-11 07:16 -------- d-----w- c:\users\Owner\AppData\Roaming\ElementalsTheMagicKey
2011-12-11 07:15 . 2011-12-11 07:15 -------- d-----w- c:\program files\Playrix Entertainment
2011-12-10 05:44 . 2011-12-23 16:29 -------- d-----w- c:\users\Owner\AppData\Roaming\FaceOffMax
2011-12-10 05:44 . 2011-12-10 05:57 -------- d-----w- c:\programdata\FaceOffMax
2011-12-10 05:43 . 2011-12-11 14:31 -------- d-----w- c:\program files\FaceOffMax
2011-12-09 05:34 . 2011-12-09 05:34 -------- d-----w- c:\program files\iPod
2011-12-09 05:34 . 2011-12-09 05:35 -------- d-----w- c:\program files\iTunes
2011-12-06 04:47 . 2011-12-06 04:47 -------- d-----w- c:\users\Owner\AppData\Roaming\NeoDownloader
2011-12-06 04:47 . 2011-12-06 04:47 -------- d-----w- c:\program files\NeoDownloader
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-02 06:10 . 2012-01-02 06:10 294216 ----a-w- C:\gmer.zip
2011-12-16 21:18 . 2011-11-16 05:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2009-08-31 01:30 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-29 02:33 . 2011-10-29 02:33 163616 ----a-w- c:\windows\system32\drivers\DigiartyVirtualCDBus.sys
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-11-21 04:04 . 2011-11-28 12:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PerfectClock2007"="c:\program files\PerfectClock\perfectClock2007.exe" [2010-08-10 905728]
"StickyPassword"="c:\program files\Sticky Password\stpass.exe" [2010-08-25 3052376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"NDSTray.exe"="NDSTray.exe" [BU]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 421888]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Mamutu Guard"="c:\program files\MAMUTU\mamutu.exe" [2011-11-04 4307320]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
S1 a2injectiondriver;a2injectiondriver;c:\program files\Mamutu\a2dix86.sys [2011-11-03 34768]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Mamutu\a2util32.sys [2010-05-05 11776]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
S3 a2acc;a2acc;c:\program files\MAMUTU\a2accx86.sys [2011-11-03 51632]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\v9woie38.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 21:07
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*j*¿*Z%\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #*N*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #*N*\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*d%““%]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*d%““%\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3864)
c:\program files\Sticky Password\spCapBtn.dll
.
Completion time: 2012-01-03 21:15:28
ComboFix-quarantined-files.txt 2012-01-04 02:15
ComboFix2.txt 2012-01-02 22:26
.
Pre-Run: 12,885,606,400 bytes free
Post-Run: 12,881,948,672 bytes free
.
- - End Of File - - 4B228CE190A6307D8E1A9ABF5FC3A81C


I have downloaded, but not run the unhide program, so will do that now and report back when complete.

Thanks!!!
Lisa

#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team

Posted 04 January 2012 - 06:18 AM

Any luck with unhide? In regards to the Notepad.exe, right-click the start menu and choose Open. Navigate to Accessories and delete the shortcut to Notepad. Open My Computer and navigate to where notepad is. Right-click notepad.exe and drag it into the start menu window you had open where you just deleted Notepad, then let go of the mouse button. A menu will pop up. Select create shortcut and a new notepad.exe shortcut will appear.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#10 ajsmom

ajsmom
  • Topic Starter


Posted 04 January 2012 - 11:28 PM

Hello! I am so sorry that I was not able to get back to you sooner on the unhide stuff. We had terrible wind storms last night and this morning, and our power kept going off. Each time I would start the program running, the power would flick off and then I would have to start it over. FINALLY, it finished and I think everything is ok. It did not put back several of my desktop icons (I have noticed these are specialized programs that I use, such as an embroidery program, photoshop, dvd making software). I can always add the icons back to the desktop, so that isn't really a problem. I included a screen shot of my start menu. I think that is about how it normally looks, but can't be positive. Let me know if you see anything wrong there. My IE favorites list is back, and seems complete. So, I think unhide worked for the most part.

I forgot to mention earlier, but I was able to change my desktop back to my custom one. No problems there.

So, am I still infected with stuff? What do we need to do next?

Thanks so much for your time so far.

Lisa

Thanks for the info on fixing the notepad shortcut. I did that and it works fine now!

Lisa

Attached file: ss1.jpg (82.93KB)


#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team

Posted 05 January 2012 - 06:30 AM

Hello, ajsmom.

No worries...hope your power stays on!

OK, that's good news in regards to the icons. We still have some more work to do.



Step 1



1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

RegNull::
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*j*¿*Z%\OpenWithList]
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #*N*]
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #*N*\OpenWithList]
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*d%““%]
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*d%““%\OpenWithList]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



Step 2

We need to create an OTL report:
  • Please download OTL from this link.
  • (If that link doesn't work, try this alternate link.)
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Select "Use Safelist" under "Extra Registry".
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.

etavares


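The RegNull step above targets Explorer\FileExts subkeys whose names are not a normal ".ext" but contain spaces and non-ASCII characters, which is also why catchme lists them as locked. The following read-only check is an added example (not from the thread, and not part of ComboFix or OTL) that lists such keys so the affected account can be inspected before and after the fix; it assumes the current user's hive (HKCU) rather than the specific SID shown in the log, and it deletes nothing.

```powershell
# Added example, not part of the thread or of ComboFix/OTL. Read-only report of
# Explorer\FileExts subkeys whose names are not a dot followed by printable
# ASCII, which is how the locked keys in the ComboFix log above look.
# Assumes the current user's hive (HKCU) instead of the SID shown in the log.
$FileExtsPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'

function Test-SuspiciousExtName {
    param([Parameter(Mandatory)][string]$Name)
    # A normal extension key is ".ext" where ext is printable ASCII (0x21-0x7E).
    # Anything with spaces, control characters or non-ASCII fails this test.
    return -not ($Name -match '^\.[\x21-\x7E]+$')
}

function Get-SuspiciousFileExtKey {
    param([string]$Path = $FileExtsPath)
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { Test-SuspiciousExtName -Name $_.PSChildName } |
        ForEach-Object {
            # Print the code points so characters that render as blanks or
            # garbage in a log are visible unambiguously.
            $codePoints = ($_.PSChildName.ToCharArray() |
                ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
            [pscustomobject]@{
                Key        = $_.Name
                CodePoints = $codePoints
                SubKeys    = $_.SubKeyCount
                Values     = $_.ValueCount
            }
        }
}

# No output means no odd-looking FileExts keys under HKCU.
Get-SuspiciousFileExtKey | Format-List
```

Run it from the affected user's account before and after the ComboFix step; a key that is still listed afterwards, or that cannot be enumerated, is worth reporting back in the thread.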
 


#12 ajsmom

ajsmom
  • Topic Starter


Posted 05 January 2012 - 10:27 PM

Ran combofix, and here is the report:

ComboFix 12-01-03.07 - Owner 01/05/2012 20:19:41.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.346 [GMT -5:00]
Running from: c:\users\Owner\Desktop\etavaresCF.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
J:\autorun.inf . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2012-01-06 01:49 . 2012-01-06 01:49 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2EA97FEB-5B88-4021-8ACB-ED10DE7F7376}\offreg.dll
2012-01-06 01:42 . 2012-01-06 01:55 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-01-06 01:42 . 2012-01-06 01:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-06 00:52 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2EA97FEB-5B88-4021-8ACB-ED10DE7F7376}\mpengine.dll
2012-01-04 04:42 . 2012-01-04 04:42 -------- d-----w- c:\users\Owner\AppData\Roaming\HPAppData
2012-01-02 21:23 . 2012-01-02 22:27 -------- d-----w- C:\etavaresCF
2012-01-02 06:12 . 2012-01-02 06:12 -------- d-----w- C:\gmer
2011-12-28 00:35 . 2011-12-28 00:38 -------- d-----w- C:\emb files from thumb
2011-12-20 03:07 . 2011-12-20 03:07 -------- d-----w- c:\users\Owner\AppData\Local\Tipard Studio
2011-12-20 03:06 . 2011-12-20 03:06 -------- d-----w- c:\programdata\Tipard Studio
2011-12-20 03:06 . 2011-12-20 03:06 -------- d-----w- c:\program files\Tipard Studio
2011-12-11 07:16 . 2011-12-11 07:16 -------- d-----w- c:\users\Owner\AppData\Roaming\ElementalsTheMagicKey
2011-12-11 07:15 . 2011-12-11 07:15 -------- d-----w- c:\program files\Playrix Entertainment
2011-12-10 05:44 . 2011-12-23 16:29 -------- d-----w- c:\users\Owner\AppData\Roaming\FaceOffMax
2011-12-10 05:44 . 2011-12-10 05:57 -------- d-----w- c:\programdata\FaceOffMax
2011-12-10 05:43 . 2011-12-11 14:31 -------- d-----w- c:\program files\FaceOffMax
2011-12-09 05:34 . 2011-12-09 05:34 -------- d-----w- c:\program files\iPod
2011-12-09 05:34 . 2011-12-09 05:35 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-02 06:10 . 2012-01-02 06:10 294216 ----a-w- C:\gmer.zip
2011-12-16 21:18 . 2011-11-16 05:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2009-08-31 01:30 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-29 02:33 . 2011-10-29 02:33 163616 ----a-w- c:\windows\system32\drivers\DigiartyVirtualCDBus.sys
2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-11-21 04:04 . 2011-11-28 12:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PerfectClock2007"="c:\program files\PerfectClock\perfectClock2007.exe" [2010-08-10 905728]
"StickyPassword"="c:\program files\Sticky Password\stpass.exe" [2010-08-25 3052376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"NDSTray.exe"="NDSTray.exe" [BU]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-18 421888]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Mamutu Guard"="c:\program files\MAMUTU\mamutu.exe" [2011-11-04 4307320]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 17:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
S1 a2injectiondriver;a2injectiondriver;c:\program files\Mamutu\a2dix86.sys [2011-11-03 34768]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Mamutu\a2util32.sys [2010-05-05 11776]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
S3 a2acc;a2acc;c:\program files\MAMUTU\a2accx86.sys [2011-11-03 51632]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\v9woie38.default\
FF - prefs.js: browser.startup.homepage - hxxp://xfinity.comcast.net/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-05 20:52
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*j*¿*Z%\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #*N*]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #*N*\OpenWithList]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*d%““%]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-3561088641-4168424388-257895695-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*d%““%\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4768)
c:\program files\Sticky Password\spCapBtn.dll
c:\windows\system32\QUtil.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Mamutu\a2service.exe
c:\program files\WTouch\WTouchService.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Process Lasso\processgovernor.exe
c:\program files\WTouch\WTouchUser.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\windows\system32\lxbacoms.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\system32\RioMSC.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\Pen_Tablet.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\Pen_Tablet.exe
c:\windows\RtHDVCpl.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2012-01-05 21:16:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-06 02:15
ComboFix2.txt 2012-01-04 02:15
ComboFix3.txt 2012-01-02 22:26
.
Pre-Run: 10,399,797,248 bytes free
Post-Run: 11,326,423,040 bytes free
.
- - End Of File - - EC0ED4A8ACFF0373D31E100B61298A0F

#13 ajsmom

ajsmom
  • Topic Starter


Posted 05 January 2012 - 10:38 PM

I have tried to run the OTL scan 4 times. It downloads fine, and scans for a few moments, then when 'scanning modules' shows at the bottom, it stops responding. I'm not sure what to do next.

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team

Posted 06 January 2012 - 06:30 AM

Do you get the popup telling you it stopped responding? If so, just choose the option to let it keep going and to do nothing (I can't remember the exact wording). Let it run for 5-10 minutes after that and it should finish. If not, let me know. Some programs keep working, but forget to tell Windows they are, so Windows assumes they're stuck when they're not.

If that doesn't work, let me know.


 


#15 ajsmom

ajsmom
  • Topic Starter


Posted 06 January 2012 - 10:57 AM

It shows what it is doing down in the bottom corner. It runs through a bunch of files, then that area shows that it is scanning modules. I let it sit and do that for several minutes, then on the 'title bar' (I am sorry, but I don't know what that line is called; it's the one that says the name of the program that is running) it pops up beside the name 'not responding'. It does not pop up in a new box, or in an error message, just beside the program name. I will start it again and let it sit there for a while, just to see what happens. I will let you know.

Lisa

Edited by ajsmom, 06 January 2012 - 10:59 AM.




