
Tenacious trojan; can't delete without causing boot error


This topic is locked
18 replies to this topic

#1 Solan (Members, 9 posts)

Posted 03 February 2012 - 03:50 PM

Apologies for posting this in the wrong section before.
I have an infection on my computer, identified by MSE as "Sirefef.B". There haven't been many visible effects to this malware, besides an occasional extra tab being opened in my browser and redirected to a page full of ads, but it's starting to bother me, and I believe its presence may also be why my Mabinogi client is malfunctioning (it claims that it detects a hacking tool, which I do not use), so I want to try and remove it.
However, my attempts to get rid of it so far have come up short. I've downloaded and used TDSSKiller, RKill, and Malwarebytes, none of which are able to detect the file. In addition, after MSE and Avast detected the supposed core file (C:/Windows/System32/consrv.dll) and I rebooted, my computer became unable to boot. I suspect registry corruption, though I don't have the expertise to say something like that for certain.
As per the guide instructions, I've run DDS on my computer and pasted the log below. Unfortunately, I am unable to attach files at this time for reasons unknown. My computer runs on Windows 7 64-bit, so I'm unable to use GMER and cannot post any logs of such; if there's an analog for 64-bit systems, I'll gladly run that one. Despite running through some guides for removal of this bug (most of them refer to it as the ZeroAccess rootkit), I've been unable to clear this from my system; any help you guys can offer to point me in the right direction would be absolutely wonderful.


(DDS log below.)

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Nick at 13:34:10 on 2012-02-03
Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.4044.1864 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\AIM\aim.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\SysWOW64\ping.exe
C:\windows\system32\conhost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.toshiba.com/?cid=C001B2Y
uDefault_Page_URL = hxxp://start.toshiba.com/?cid=C001B2Y
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Nick\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: DhcpNameServer = 155.101.201.10 155.101.115.10
TCP: Interfaces\{9BC53E3B-1C77-42AC-BF84-83FC68EE8626} : DhcpNameServer = 155.101.201.10 155.101.115.10
TCP: Interfaces\{9BC53E3B-1C77-42AC-BF84-83FC68EE8626}\D616E6167756C6C6 : DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun-x64: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\evo5924n.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2011-10-10 123320]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-10-10 126392]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-10-10 2656280]
R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\system32\DRIVERS\rtl8192Ce.sys --> C:\windows\system32\DRIVERS\rtl8192Ce.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-10-10 57216]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-6-9 138152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-10 136176]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-10 136176]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-02-03 19:22:31 -------- d-----w- C:\Users\Nick\AppData\Local\{AE8B5CBF-D070-47D1-9571-83B5495559A6}
2012-02-03 19:22:12 -------- d-----w- C:\Users\Nick\AppData\Local\{61A93616-172F-41AF-B19A-E2B8C9E69D78}
2012-02-03 18:40:29 -------- d-----w- C:\Program Files\HitmanPro
2012-02-03 18:40:27 -------- d-----w- C:\ProgramData\HitmanPro
2012-02-03 17:38:13 -------- d-----w- C:\Users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2012-02-03 17:37:47 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-02-03 17:37:47 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-02-03 15:50:28 -------- d-----w- C:\Users\Nick\AppData\Local\{7F6C2021-B947-460E-94DF-C934D7082AC3}
2012-02-03 15:49:23 -------- d-----w- C:\Users\Nick\AppData\Local\{2C1499E5-AFE3-4869-853F-04F43633AEB7}
2012-02-02 18:52:32 -------- d-----w- C:\Users\Nick\AppData\Local\{D9E21294-11C5-4DE3-9797-5DB1F68A09D2}
2012-02-02 18:52:12 -------- d-----w- C:\Users\Nick\AppData\Local\{65ACD171-110D-4ECF-B0D6-78378854766A}
2012-02-02 06:51:59 -------- d-----w- C:\Users\Nick\AppData\Local\{5926D02F-9829-48D8-BA60-D6485C2B40B8}
2012-02-02 06:51:47 -------- d-----w- C:\Users\Nick\AppData\Local\{2CFAE1DF-97B7-42A3-9E9C-1019C6475F6C}
2012-02-01 22:15:59 -------- d-----w- C:\Users\Nick\AppData\Local\{A44C9987-1C49-4409-8ADD-95D5C16D887E}
2012-02-01 17:54:29 -------- d-----w- C:\Users\Nick\AppData\Local\{9943F04C-5AF6-4060-8794-594027519B75}
2012-02-01 17:54:19 -------- d-----w- C:\Users\Nick\AppData\Local\{D3B06CB9-875E-4961-80E8-64713F11C9F9}
2012-02-01 05:53:53 -------- d-----w- C:\Users\Nick\AppData\Local\{44FDCC52-A07E-4D7F-B39E-E9B6C017925E}
2012-02-01 05:53:43 -------- d-----w- C:\Users\Nick\AppData\Local\{82173FAD-EF9D-4451-8502-85DE5FA1376D}
2012-01-31 17:32:28 -------- d-----w- C:\Users\Nick\AppData\Local\{DF38EABE-0571-433D-BCC0-E8FCAB034D3F}
2012-01-31 17:32:19 -------- d-----w- C:\Users\Nick\AppData\Local\{4F581C34-E38C-47F7-B905-EFE2D617168C}
2012-01-31 05:31:52 -------- d-----w- C:\Users\Nick\AppData\Local\{2627FE40-CA09-4C89-AA30-D835A832F9B4}
2012-01-31 05:31:42 -------- d-----w- C:\Users\Nick\AppData\Local\{EB9191B5-F417-4448-AD07-B9FDC9A07B51}
2012-01-30 18:02:08 -------- d-----w- C:\Program Files (x86)\WinSCP
2012-01-30 17:31:17 -------- d-----w- C:\Users\Nick\AppData\Local\{43B0C3F3-C7CC-4054-B417-16937A2C0DDB}
2012-01-30 17:31:06 -------- d-----w- C:\Users\Nick\AppData\Local\{AC3BE364-25DE-44CC-BDA4-91D6137C6937}
2012-01-30 06:52:22 -------- d-----w- C:\Users\Nick\AppData\Local\{0CFFA939-305C-4D24-AD0F-A1DCFACCADB2}
2012-01-30 06:52:12 -------- d-----w- C:\Users\Nick\AppData\Local\{EAF2A46C-7B84-480D-8037-DC807288094B}
2012-01-29 18:52:00 -------- d-----w- C:\Users\Nick\AppData\Local\{DA57BC8B-02F3-409E-9679-5746F77E8542}
2012-01-29 18:51:51 -------- d-----w- C:\Users\Nick\AppData\Local\{88B5F563-540E-4E0B-969E-57AB61AEFDD0}
2012-01-29 04:35:18 -------- d-----w- C:\Users\Nick\AppData\Local\{CFC151B3-CEF8-4B8D-9DD0-40116A6279F3}
2012-01-29 04:35:08 -------- d-----w- C:\Users\Nick\AppData\Local\{B04CA8C4-5027-43F0-B50F-A8C4399C4635}
2012-01-28 16:34:44 -------- d-----w- C:\Users\Nick\AppData\Local\{5F0C8AFE-0FC2-4499-B5A1-7B3DAAD5A7F7}
2012-01-28 16:34:33 -------- d-----w- C:\Users\Nick\AppData\Local\{BEDF4783-15E3-4D68-AD91-E234B2AEAE85}
2012-01-28 04:34:08 -------- d-----w- C:\Users\Nick\AppData\Local\{6B957635-5A7F-43E6-BC9C-45CF3D14118E}
2012-01-28 04:33:58 -------- d-----w- C:\Users\Nick\AppData\Local\{FDD6CD76-8332-42E9-96C8-ECD7E12A2A9C}
2012-01-27 16:33:30 -------- d-----w- C:\Users\Nick\AppData\Local\{B312E6A0-8EBC-4BBB-B384-1C90DBE3A13A}
2012-01-27 16:32:24 -------- d-----w- C:\Users\Nick\AppData\Local\{86A9A91D-68DE-4DCC-A365-DB747AC3D0BF}
2012-01-26 16:11:15 -------- d-----w- C:\Users\Nick\AppData\Local\{6CA7503D-AA56-45ED-A460-FCC68A7041A9}
2012-01-26 16:11:05 -------- d-----w- C:\Users\Nick\AppData\Local\{9EA3BB4B-A23E-42A1-8AC2-7B9B73D6CCBE}
2012-01-26 04:10:01 -------- d-----w- C:\Users\Nick\AppData\Local\{217479CB-FDCF-47DE-AC8E-E19830032273}
2012-01-26 04:09:51 -------- d-----w- C:\Users\Nick\AppData\Local\{1585111D-557E-4614-9820-A7A307588C4F}
2012-01-25 16:09:22 -------- d-----w- C:\Users\Nick\AppData\Local\{290712F4-126D-41AE-847D-F68D7EABE98F}
2012-01-25 16:09:12 -------- d-----w- C:\Users\Nick\AppData\Local\{22F3FD41-7360-42F2-97C8-66EB834BE201}
2012-01-24 00:42:19 -------- d-----w- C:\Users\Nick\AppData\Local\{9BC25408-CA5F-48C0-9C75-ED7C546B3D04}
2012-01-24 00:42:09 -------- d-----w- C:\Users\Nick\AppData\Local\{F7FE4D92-B476-4CAA-9FE0-A200032F4200}
2012-01-23 05:10:46 -------- d-----w- C:\Users\Nick\AppData\Local\{F60CC7BA-F463-493E-A498-8D0D8FDBA891}
2012-01-23 05:10:36 -------- d-----w- C:\Users\Nick\AppData\Local\{9AFB0867-B0E4-4AEF-BDCB-80F2F46425DF}
2012-01-22 17:10:23 -------- d-----w- C:\Users\Nick\AppData\Local\{4FB8B753-F832-4AE1-9D0A-7FB209EC3F8F}
2012-01-22 17:10:13 -------- d-----w- C:\Users\Nick\AppData\Local\{10769849-5419-4A1A-B396-4219C50A3474}
2012-01-22 05:09:53 -------- d-----w- C:\Users\Nick\AppData\Local\{39405BD1-7279-4128-97F9-E3897C346647}
2012-01-22 05:09:42 -------- d-----w- C:\Users\Nick\AppData\Local\{6AD12C57-91EE-4F53-8047-5D3A06320EC2}
2012-01-21 17:09:29 -------- d-----w- C:\Users\Nick\AppData\Local\{2E14DBD7-6A72-4175-A462-4EFAB6E582D4}
2012-01-21 17:09:19 -------- d-----w- C:\Users\Nick\AppData\Local\{CEA84674-7600-4B63-A5E7-070AAC1785D1}
2012-01-21 05:09:06 -------- d-----w- C:\Users\Nick\AppData\Local\{EC73E9AF-F56A-4387-A24D-C9405B4863A6}
2012-01-21 05:08:55 -------- d-----w- C:\Users\Nick\AppData\Local\{467EFAE9-FD5D-4F18-B9F3-680AF0049E2F}
2012-01-20 17:08:27 -------- d-----w- C:\Users\Nick\AppData\Local\{BA3BD5BC-8094-4955-8C5F-05EC6DE9E334}
2012-01-20 17:08:17 -------- d-----w- C:\Users\Nick\AppData\Local\{4BF33796-A267-49AC-9932-EEB27B2ECD32}
2012-01-19 11:12:59 -------- d-----w- C:\Users\Nick\AppData\Local\{1084D196-E0F0-4315-A0FC-D1D6B935B1F4}
2012-01-19 11:12:49 -------- d-----w- C:\Users\Nick\AppData\Local\{EC71001C-8C6E-4F83-AE74-474E4D9F1A77}
2012-01-18 23:12:36 -------- d-----w- C:\Users\Nick\AppData\Local\{449A19B8-C387-4F4A-AB37-604AE1BE3313}
2012-01-18 23:12:27 -------- d-----w- C:\Users\Nick\AppData\Local\{B8D344A6-9B79-4B7C-BE08-049E77C15F0B}
2012-01-18 07:35:54 -------- d-----w- C:\Users\Nick\AppData\Local\{39FD420C-FCDC-4B19-8075-2EEC072CB667}
2012-01-18 07:35:43 -------- d-----w- C:\Users\Nick\AppData\Local\{FDD6A8F6-8303-4359-A1AB-C7E038AC1E2D}
2012-01-17 19:35:19 -------- d-----w- C:\Users\Nick\AppData\Local\{06B017B7-8F0F-4EB7-90A0-07A21EB6843D}
2012-01-17 19:35:09 -------- d-----w- C:\Users\Nick\AppData\Local\{B56429A7-1D64-4C44-8FF0-E5A7184AE693}
2012-01-17 07:34:44 -------- d-----w- C:\Users\Nick\AppData\Local\{F0FF212A-D8DE-4672-A862-739C1718D3C8}
2012-01-17 07:34:34 -------- d-----w- C:\Users\Nick\AppData\Local\{B6C15034-746F-4C95-9772-4453345BC2C3}
2012-01-16 19:34:17 -------- d-----w- C:\Users\Nick\AppData\Local\{01E8B33C-5EDF-4FE3-A309-F3BA8A60C122}
2012-01-16 19:34:07 -------- d-----w- C:\Users\Nick\AppData\Local\{74790D6F-4B16-46C1-A8DA-F2E592B08DF4}
2012-01-16 15:58:57 -------- d-----w- C:\Users\Nick\AppData\Local\{A8038251-49E4-41AE-9F0C-5FB3C9D24B99}
2012-01-16 15:58:46 -------- d-----w- C:\Users\Nick\AppData\Local\{A5144F35-A190-485D-A880-65FFCD97089E}
2012-01-16 06:44:37 -------- d-----w- C:\ProgramData\AVAST Software
2012-01-16 06:44:37 -------- d-----w- C:\Program Files\AVAST Software
2012-01-16 04:27:25 709968 ----a-w- C:\windows\isRS-000.tmp
2012-01-16 04:26:15 -------- d-----w- C:\Users\Nick\AppData\Roaming\Malwarebytes
2012-01-16 04:26:11 -------- d-----w- C:\ProgramData\Malwarebytes
2012-01-16 04:26:08 23152 ----a-w- C:\windows\System32\drivers\mbam.sys
2012-01-16 04:26:08 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-01-16 04:22:14 -------- d-----w- C:\Users\Nick\AppData\Local\CrashDumps
2012-01-16 03:58:17 -------- d-----w- C:\Users\Nick\AppData\Local\{529E7EFF-D512-40EA-909D-8F90C6E769FE}
2012-01-16 03:58:07 -------- d-----w- C:\Users\Nick\AppData\Local\{148B864B-FA65-4464-9013-46108C8A48D1}
2012-01-16 03:07:40 -------- d-----we C:\windows\system64
2012-01-15 15:57:52 -------- d-----w- C:\Users\Nick\AppData\Local\{D7F6B998-C0F5-43F5-BDCF-AC4CA132F8F0}
2012-01-15 15:57:41 -------- d-----w- C:\Users\Nick\AppData\Local\{EEE3D432-B980-4B9C-A4A6-D6E33B7C3C77}
2012-01-15 09:07:59 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4E84B030-AA09-4619-9E92-DA8F1452B1F9}\mpengine.dll
2012-01-14 23:25:50 -------- d-----w- C:\Users\Nick\AppData\Local\{8FF9BCAE-A002-45B0-8364-3B4861346CCF}
2012-01-14 23:25:40 -------- d-----w- C:\Users\Nick\AppData\Local\{6B30D7D8-EB9F-4ECB-8CCF-2F5F9B26CDC0}
2012-01-14 11:25:28 -------- d-----w- C:\Users\Nick\AppData\Local\{A134B762-6A84-4045-8588-0895A55BC930}
2012-01-14 11:25:18 -------- d-----w- C:\Users\Nick\AppData\Local\{BC691EA0-2973-4693-B3EB-6EA285C6D4EC}
2012-01-13 23:25:06 -------- d-----w- C:\Users\Nick\AppData\Local\{1415F6B5-64A5-4FC1-9B46-FCE942B00333}
2012-01-13 23:24:56 -------- d-----w- C:\Users\Nick\AppData\Local\{77459942-5F96-428E-AE69-A5B53258306D}
2012-01-13 05:59:52 -------- d-----w- C:\Users\Nick\AppData\Local\{3CA386C9-D644-46BC-94AA-DAFB6DACA3FC}
2012-01-13 05:59:41 -------- d-----w- C:\Users\Nick\AppData\Local\{73E6BDC5-B143-4E18-B50B-530CE0ED031D}
2012-01-12 17:59:26 -------- d-----w- C:\Users\Nick\AppData\Local\{0236A967-31D5-40CF-B14D-F31C4097F979}
2012-01-12 17:59:25 -------- d-----w- C:\Users\Nick\AppData\Local\{FB92CE3E-A059-4B6C-9FB5-004727E1FA83}
2012-01-11 23:10:41 78680 ----a-w- C:\windows\System32\XAPOFX1_4.dll
2012-01-11 22:59:27 -------- d-----w- C:\Program Files (x86)\Bethesda Softworks
2012-01-11 22:58:46 753664 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2012-01-11 22:58:46 69714 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2012-01-11 22:58:46 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2012-01-11 22:58:46 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2012-01-11 22:58:46 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2012-01-11 22:58:46 184320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2012-01-11 22:58:40 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2012-01-11 22:58:39 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2012-01-11 22:58:35 -------- d-----w- C:\Users\Nick\AppData\Local\Oblivion
2012-01-11 07:39:27 -------- d-----w- C:\Users\Nick\AppData\Local\{A1204B28-0CDE-4428-8EF1-723AF8D9A6CB}
2012-01-11 07:39:17 -------- d-----w- C:\Users\Nick\AppData\Local\{AD1B9B90-0012-4481-B403-B9A65ADE8913}
2012-01-10 22:44:12 514560 ----a-w- C:\windows\SysWow64\qdvd.dll
2012-01-10 22:44:12 366592 ----a-w- C:\windows\System32\qdvd.dll
2012-01-10 22:44:12 1572864 ----a-w- C:\windows\System32\quartz.dll
2012-01-10 22:44:12 1328128 ----a-w- C:\windows\SysWow64\quartz.dll
2012-01-10 22:44:10 77312 ----a-w- C:\windows\System32\packager.dll
2012-01-10 22:44:10 67072 ----a-w- C:\windows\SysWow64\packager.dll
2012-01-10 22:44:10 1731920 ----a-w- C:\windows\System32\ntdll.dll
2012-01-10 22:44:10 1292080 ----a-w- C:\windows\SysWow64\ntdll.dll
2012-01-10 19:38:51 -------- d-----w- C:\Users\Nick\AppData\Local\{AC3103AA-DFDC-461D-9ED9-E7FAEB83E434}
2012-01-10 19:38:40 -------- d-----w- C:\Users\Nick\AppData\Local\{6DAE42EA-3F7E-4E0C-B70F-48D1617DBC50}
2012-01-10 07:43:28 -------- d-----w- C:\Users\Nick\AppData\Roaming\FlixsterCollections
2012-01-10 07:43:25 -------- d-----w- C:\Program Files (x86)\Flixster Collections
2012-01-10 07:38:15 -------- d-----w- C:\Users\Nick\AppData\Local\{33DEC0C8-FE3F-4F00-9551-11F3AE0575DB}
2012-01-10 07:38:05 -------- d-----w- C:\Users\Nick\AppData\Local\{248D4B26-3EF2-4DEA-BF65-A73918927CE9}
2012-01-09 19:37:39 -------- d-----w- C:\Users\Nick\AppData\Local\{2BDC18B8-9F2A-4B98-ABA6-A5EBF95D588C}
2012-01-09 19:37:28 -------- d-----w- C:\Users\Nick\AppData\Local\{3A1A218C-FBDC-43AF-BBD8-26749E61A8E8}
2012-01-09 07:09:07 -------- d-----w- C:\Users\Nick\AppData\Local\{62683F36-44FB-4F23-BB59-069EFFCB2A6F}
2012-01-09 07:08:57 -------- d-----w- C:\Users\Nick\AppData\Local\{A574AD48-7AB3-4272-B045-048C96AEC01C}
2012-01-09 04:14:30 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-01-08 19:08:45 -------- d-----w- C:\Users\Nick\AppData\Local\{B04C4092-0A4D-4A27-8C0E-A1233A38D7D9}
2012-01-08 19:08:35 -------- d-----w- C:\Users\Nick\AppData\Local\{F524FFD6-69EA-4570-9457-BF3C7B3340B3}
2012-01-08 07:59:09 -------- d-----w- C:\Program Files\Gravity
2012-01-08 07:08:21 -------- d-----w- C:\Users\Nick\AppData\Local\{0CBB74D1-DDC3-408E-A41C-54F130C04520}
2012-01-08 07:08:10 -------- d-----w- C:\Users\Nick\AppData\Local\{4D2B0DFD-BDEF-43F4-936F-EE0334F89608}
2012-01-07 19:07:51 -------- d-----w- C:\Users\Nick\AppData\Local\{E2344411-0D3A-48C3-B235-D9BDE04B9E5B}
2012-01-07 19:07:41 -------- d-----w- C:\Users\Nick\AppData\Local\{4DBDE8CD-11D9-4CD3-AB78-93D4A77780F2}
2012-01-07 07:07:28 -------- d-----w- C:\Users\Nick\AppData\Local\{9B90EC04-8485-4DEA-B407-EA3577282216}
2012-01-07 07:07:18 -------- d-----w- C:\Users\Nick\AppData\Local\{AF460EED-C231-4A37-9DCA-AC3490BD6071}
2012-01-07 06:09:39 -------- d-----w- C:\Program Files (x86)\Cisco Systems
2012-01-07 05:58:21 -------- d-----w- C:\ProgramData\Cisco Systems
2012-01-07 01:06:37 -------- d-----w- C:\Users\Nick\AppData\Local\{455533D1-1DEF-4B29-88CA-9011FECC9549}
2012-01-06 09:12:08 -------- d-----w- C:\Users\Nick\AppData\Local\{AFD074D4-090A-4B73-8243-D406E050FB0E}
2012-01-06 09:11:57 -------- d-----w- C:\Users\Nick\AppData\Local\{828E1BAA-99AC-4E07-AECB-9B898FB65732}
2012-01-05 21:11:39 -------- d-----w- C:\Users\Nick\AppData\Local\{E6FE3154-85D2-4736-AF29-9B3444EB1761}
2012-01-05 21:11:29 -------- d-----w- C:\Users\Nick\AppData\Local\{2021CFE6-EAEE-4ED0-AE75-46EF512E98CE}
2012-01-05 02:44:04 -------- d-----w- C:\Users\Nick\AppData\Local\{702995CB-3814-4438-8274-D5931596EB08}
2012-01-05 02:43:53 -------- d-----w- C:\Users\Nick\AppData\Local\{AE93CCB7-0AC5-4A81-B11F-3BB5317C7D20}
.
==================== Find3M ====================
.
2012-01-31 12:44:20 279656 ------w- C:\windows\System32\MpSigStub.exe
2012-01-09 14:35:40 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-24 04:52:09 3145216 ----a-w- C:\windows\System32\win32k.sys
2011-11-17 06:49:14 95600 ----a-w- C:\windows\System32\drivers\ksecdd.sys
2011-11-17 06:49:14 152432 ----a-w- C:\windows\System32\drivers\ksecpkg.sys
2011-11-17 06:44:43 459232 ----a-w- C:\windows\System32\drivers\cng.sys
2011-11-17 06:35:28 395776 ----a-w- C:\windows\System32\webio.dll
2011-11-17 06:35:26 29184 ----a-w- C:\windows\System32\sspisrv.dll
2011-11-17 06:35:26 136192 ----a-w- C:\windows\System32\sspicli.dll
2011-11-17 06:35:25 340992 ----a-w- C:\windows\System32\schannel.dll
2011-11-17 06:35:25 28160 ----a-w- C:\windows\System32\secur32.dll
2011-11-17 06:35:19 1447936 ----a-w- C:\windows\System32\lsasrv.dll
2011-11-17 06:33:55 31232 ----a-w- C:\windows\System32\lsass.exe
2011-11-17 05:35:02 314880 ----a-w- C:\windows\SysWow64\webio.dll
2011-11-17 05:34:52 224768 ----a-w- C:\windows\SysWow64\schannel.dll
2011-11-17 05:34:52 22016 ----a-w- C:\windows\SysWow64\secur32.dll
2011-11-17 05:28:48 96768 ----a-w- C:\windows\SysWow64\sspicli.dll
.
============= FINISH: 13:34:52.22 ===============
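Editor's note on the log above (this is an added example, not part of the thread or of any tool the helpers use). The line that explains the boot failure the poster describes is the "SubSystems: Windows = ..." entry in the Pseudo HJT Report: it is DDS's abbreviated dump of the Session Manager SubSystems "Windows" registry value, the list of server DLLs csrss.exe loads at boot. A stock Windows 7 x64 install names winsrv for the ConServerDllInitialization,2 slot; this log names consrv instead, which is why antivirus flagged C:\Windows\System32\consrv.dll and why removing that DLL without first restoring the registry value left csrss unable to start. The script below parses either the DDS short form or the raw registry string, flags every ServerDll slot that differs from the stock entry, and produces the value to write back before the DLL is removed. The stock entries are an assumption taken from a clean Windows 7 reference install, and the two sample lines are constructed (one copied from the log above, one hand-written clean counterpart); nothing here reads a live registry.

```python
import re

# Constructed sample input: the SubSystems line from the DDS log above, and a
# hand-written clean counterpart for comparison. Neither is a live registry read.
DDS_INFECTED = ("SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 "
                "consrv:ConServerDllInitialization,2 sxssrv,4")
DDS_CLEAN = ("SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 "
             "winsrv:ConServerDllInitialization,2 sxssrv,4")

# Stock ServerDll entries for Windows 7 x64, keyed by the slot index csrss hands
# to each initialization routine. Assumption: reference taken from a clean Win7
# install; re-check against a known-good machine of the same build before use.
STOCK_WIN7 = {
    1: ("basesrv", None),
    3: ("winsrv", "UserServerDllInitialization"),
    2: ("winsrv", "ConServerDllInitialization"),
    4: ("sxssrv", None),
}

# One ServerDll token: optional 'ServerDll=' prefix (raw registry form), module,
# optional ':InitRoutine', then ',index'. Tokens without that shape are skipped.
ENTRY_RE = re.compile(
    r"^(?:ServerDll=)?(?P<module>[^:,]+)(?::(?P<func>[^,]+))?,(?P<index>\d+)$")
SUBSYSTEMS_RE = re.compile(r"^SubSystems:\s*Windows\s*=\s*(?P<value>.+?)\s*$", re.M)


def parse_serverdlls(value):
    """Return [(module, init_routine, slot)] for each ServerDll token.

    Accepts the DDS short form ('basesrv,1 winsrv:...,3 ...') and the raw
    registry string ('%SystemRoot%\\system32\\csrss.exe ... ServerDll=basesrv,1
    ...'); non-ServerDll tokens such as SharedSection=1024,20480,768 do not
    match ENTRY_RE and are ignored."""
    entries = []
    for tok in value.split():
        m = ENTRY_RE.match(tok)
        if m:
            entries.append((m["module"].lower(), m["func"], int(m["index"])))
    return entries


def format_entry(module, func, index):
    return f"{module}:{func},{index}" if func else f"{module},{index}"


def find_rogue_serverdlls(value):
    """Entries whose module or init routine differs from the stock entry for
    the same slot, or that use a slot the stock value does not have."""
    rogue = []
    for module, func, index in parse_serverdlls(value):
        stock = STOCK_WIN7.get(index)
        if stock is None or (module, func) != stock:
            rogue.append(format_entry(module, func, index))
    return rogue


def repaired_value(value):
    """Rebuild the ServerDll list with every known slot reset to its stock
    entry, preserving order. Slots the reference does not know are left as-is
    so they show up in find_rogue_serverdlls() for a human to decide.

    Write this back before deleting the rogue DLL: if the registry still names
    a server DLL that no longer exists, csrss fails to initialize and the
    machine will not boot, which is the failure described in the post above."""
    fixed = []
    for module, func, index in parse_serverdlls(value):
        stock = STOCK_WIN7.get(index)
        if stock is not None and (module, func) != stock:
            module, func = stock
        fixed.append(format_entry(module, func, index))
    return " ".join(fixed)


def triage_dds(log_text):
    """Locate the SubSystems line in DDS output and report what needs fixing.
    Returns None when the log has no such line."""
    m = SUBSYSTEMS_RE.search(log_text)
    if not m:
        return None
    value = m["value"]
    return {
        "value": value,
        "rogue": find_rogue_serverdlls(value),
        "repaired": repaired_value(value),
    }


if __name__ == "__main__":
    for label, text in (("infected", DDS_INFECTED), ("clean", DDS_CLEAN)):
        print(label, triage_dds(text))
```

Run it on a full DDS log (the whole text, not just the one line) and act on the "rogue" list: the module name there is the DLL to quarantine, and "repaired" is the ServerDll list the SubSystems value should carry once the DLL is gone. The slot-by-index comparison is what makes the check hold up if the order of the entries has been shuffled; matching on the module name alone would not.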


#2 gringo_pr ("Bleepin Gringo", Malware Response Team)

Posted 04 February 2012 - 01:39 AM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix, I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Solan

Solan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 05 February 2012 - 03:12 PM

Sorry for the delay in responding, I had to do a lot of stuff yesterday that required my computer.

I've run ComboFix now, and it seems to have been able to remove or at least clean whatever registry mojo the trojan was doing to my system. The consrv.dll file no longer exists on my system, but it still boots normally. However, Avast is still picking up a few threats that I'm nervous about trying to blindly remove (one called consrv.dll.vir in particular). The visible symptoms appear to have vanished completely, but these few lingering files still worry me... any suggestions?

ComboFix log below:


ComboFix 12-02-05.01 - Nick 5/2012 Sun 6:10.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.4044.2170 [GMT -7:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
Error: Cfiles.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\isRS-000.tmp
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2012-01-05 to 2012-02-05 )))))))))))))))))))))))))))))))
.
.
2012-02-05 13:16 . 2012-02-05 13:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-04 19:27 . 2012-02-04 19:27 -------- d-----w- C:\Nexon
2012-02-04 19:13 . 2012-02-04 19:13 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-02-04 19:04 . 2012-02-04 19:04 -------- d-----w- c:\program files\CCleaner
2012-02-04 15:41 . 2012-02-04 15:41 29696 ----a-w- c:\windows\SysWow64\0KhFaTuIB.com
2012-02-03 18:40 . 2012-02-03 18:40 -------- d-----w- c:\program files\HitmanPro
2012-02-03 18:40 . 2012-02-03 19:53 -------- d-----w- c:\programdata\HitmanPro
2012-02-03 17:38 . 2012-02-03 17:38 -------- d-----w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2012-02-03 17:37 . 2012-02-03 19:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-03 17:37 . 2012-02-03 17:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-30 18:02 . 2012-02-01 22:01 -------- d-----w- c:\program files (x86)\WinSCP
2012-01-16 06:44 . 2012-01-16 06:44 -------- d-----w- c:\programdata\AVAST Software
2012-01-16 06:44 . 2012-01-16 06:44 -------- d-----w- c:\program files\AVAST Software
2012-01-16 04:26 . 2012-01-16 04:26 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2012-01-16 04:26 . 2012-01-16 04:26 -------- d-----w- c:\programdata\Malwarebytes
2012-01-16 04:26 . 2012-01-16 04:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-16 04:26 . 2011-12-10 22:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-16 04:22 . 2012-02-04 19:11 -------- d-----w- c:\users\Nick\AppData\Local\CrashDumps
2012-01-15 09:07 . 2011-11-30 09:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4E84B030-AA09-4619-9E92-DA8F1452B1F9}\mpengine.dll
2012-01-11 23:10 . 2010-02-04 17:01 78680 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2012-01-11 22:59 . 2012-01-11 22:59 -------- d-----w- c:\program files (x86)\Bethesda Softworks
2012-01-11 22:58 . 2005-04-04 06:02 753664 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2012-01-11 22:58 . 2005-04-04 06:02 69714 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2012-01-11 22:58 . 2005-04-04 06:01 274432 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2012-01-11 22:58 . 2005-04-04 06:00 184320 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2012-01-11 22:58 . 2005-04-04 06:00 63488 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2012-01-11 22:58 . 2005-04-04 05:59 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2012-01-11 22:58 . 2012-01-11 22:58 200836 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2012-01-11 22:58 . 2012-01-11 22:58 331908 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2012-01-11 22:58 . 2012-01-11 22:58 -------- d-----w- c:\users\Nick\AppData\Local\Oblivion
2012-01-10 22:44 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-10 22:44 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-10 22:44 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-10 22:44 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-10 22:44 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-10 22:44 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-10 22:44 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-10 22:44 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-10 07:43 . 2012-01-10 07:43 -------- d-----w- c:\users\Nick\AppData\Roaming\FlixsterCollections
2012-01-10 07:43 . 2012-01-10 07:43 -------- d-----w- c:\program files (x86)\Flixster Collections
2012-01-08 07:59 . 2012-01-08 08:07 -------- d-----w- c:\program files\Gravity
2012-01-07 06:09 . 2012-01-07 06:53 -------- d-----w- c:\program files (x86)\Cisco Systems
2012-01-07 05:58 . 2012-01-07 05:58 -------- d-----w- c:\programdata\Cisco Systems
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-09 14:35 . 2011-08-08 02:07 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-25 16:29 . 2011-03-29 01:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-24 04:52 . 2011-12-26 18:26 3145216 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-12-25 1242448]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Aim"="c:\program files (x86)\AIM\aim.exe" [2011-05-03 4321112]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2011-06-22 3218864]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-11 136176]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-11 136176]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2011-07-19 123320]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-07-19 126392]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-05 c:\windows\Tasks\At1.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At11.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At13.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At15.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At17.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-04 c:\windows\Tasks\At19.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-04 c:\windows\Tasks\At21.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-04 c:\windows\Tasks\At23.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-04 c:\windows\Tasks\At25.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-04 c:\windows\Tasks\At27.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-04 c:\windows\Tasks\At29.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At3.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-04 c:\windows\Tasks\At31.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-04 c:\windows\Tasks\At33.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At35.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At37.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At39.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At41.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At43.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At45.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At47.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At5.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At7.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At9.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-11 05:34]
.
2012-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-11 05:34]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-08 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-08 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-08 418136]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"combofix"="c:\combofix\CF27293.3XE" [2010-11-21 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.toshiba.com/?cid=C001B2Y
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\evo5924n.default\
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-(Default) - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-02-05 06:23:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-05 13:23
.
Pre-Run: 210,299,904,000 bytes free
Post-Run: 210,022,793,216 bytes free
.
- - End Of File - - 06B5AB38C92820F831A7EC4A287CC1B7
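
The block of At1.job through At47.job entries in the log above, all launching the same oddly named c:\windows\system32\0KhFaTuIB.com, is the pattern a responder reads straight out of ComboFix's "Scheduled Tasks" section. As an added example (not part of this thread and not ComboFix's own code), the Python below parses that section of a ComboFix-style log and flags jobs that fit the pattern. The sample log is a constructed excerpt modelled on the entries above, and the three heuristics (an AtN.job name, a non-.exe file sitting directly in a Windows system directory, many jobs sharing one target program) are my own assumptions about what makes these entries stand out, not a rule ComboFix applies.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt in ComboFix's "Scheduled Tasks" layout,
# modelled on the log in this thread (three At*.job entries plus one benign task).
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
.
2012-02-05 c:\windows\Tasks\At1.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-04 c:\windows\Tasks\At19.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\At3.job
- c:\windows\system32\0KhFaTuIB.com [2012-02-04 15:41]
.
2012-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-11 05:34]
.
.
--------- x86-64 -----------
"""

SECTION_HEADER = "Contents of the 'Scheduled Tasks' folder"
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?) \[([^\]]+)\]$")
# Heuristics (assumptions, see lead-in): at.exe-style job names, and
# non-.exe programs dropped directly into system32 / SysWow64.
AT_JOB_RE = re.compile(r"(?:^|\\)At\d+\.job$", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+$", re.IGNORECASE)
NON_EXE_RE = re.compile(r"\.(com|scr|pif)$", re.IGNORECASE)


@dataclass
class ScheduledTask:
    job: str           # path of the .job file
    target: str        # program the task launches
    target_stamp: str  # timestamp ComboFix prints next to the target


@dataclass
class Finding:
    task: ScheduledTask
    reasons: list = field(default_factory=list)


def parse_scheduled_tasks(log_text):
    """Extract (job, target) pairs from ComboFix's scheduled-task section."""
    tasks = []
    in_section = False
    pending = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == SECTION_HEADER:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("---"):  # the next ComboFix section begins
            break
        m = JOB_RE.match(line)
        if m:
            pending = m.group(2)
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            tasks.append(ScheduledTask(pending, m.group(1), m.group(2)))
            pending = None
    return tasks


def jobs_per_target(tasks):
    """Group job files by the program they launch (case-insensitive paths)."""
    groups = {}
    for t in tasks:
        groups.setdefault(t.target.lower(), []).append(t.job)
    return groups


def assess(tasks, repeat_threshold=3):
    """Flag tasks that match the persistence pattern seen in the log above."""
    groups = jobs_per_target(tasks)
    findings = []
    for t in tasks:
        reasons = []
        if AT_JOB_RE.search(t.job):
            reasons.append("AtN.job name: created with at.exe, unusual on a home PC")
        if SYSTEM_DIR_RE.match(t.target) and NON_EXE_RE.search(t.target):
            reasons.append("non-.exe program placed directly in a Windows system directory")
        count = len(groups[t.target.lower()])
        if count >= repeat_threshold:
            reasons.append("same program launched by %d separate jobs" % count)
        if reasons:
            findings.append(Finding(t, reasons))
    return findings


if __name__ == "__main__":
    for f in assess(parse_scheduled_tasks(SAMPLE_LOG)):
        print(f.task.job, "->", f.task.target)
        for reason in f.reasons:
            print("   ", reason)
```

Run against the full log posted above, the parser would pair all 24 At*.job lines with their target line and every one of them trips all three heuristics, while the two GoogleUpdate tasks pass; the repeat threshold is deliberately a parameter, since a single odd job is worth a look but a couple of dozen pointing at one file is the signature.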

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:09 PM

Posted 05 February 2012 - 03:35 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

AtJob::

File::
c:\windows\SysWow64\0KhFaTuIB.com
c:\windows\system32\0KhFaTuIB.com_

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
(image: dragging CFScript.txt onto ComboFix.exe)
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:09 PM

Posted 09 February 2012 - 12:08 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#6 Solan

Solan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 09 February 2012 - 01:17 PM

Sorry, I didn't get an email notification of your last post. I'll try the suggested fix in a few minutes.

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:09 PM

Posted 09 February 2012 - 11:43 PM

No problem, I will be around.


gringo

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:09 PM

Posted 13 February 2012 - 12:13 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#9 Solan

Solan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 14 February 2012 - 05:11 AM

Sorry about the further delay. I've run the custom script as requested with no apparent errors. The computer seems to be running fine, though I've yet to run a scan for any remaining malware. I'll run MalwareBytes and Avast after this post as a final check; in the meantime, here's the log.


ComboFix log below.


ComboFix 12-02-13.01 - Nick 4/2012 Tue 2:50.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.4044.2588 [GMT -7:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
Command switches used :: c:\users\Nick\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\0KhFaTuIB.com_"
"c:\windows\SysWow64\0KhFaTuIB.com"
.
Error: Cfiles.dat
.
((((((((((((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 )))))))))))))))))))))))))))))))
.
.
2012-02-14 09:58 . 2012-02-14 09:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-07 23:26 . 2012-02-07 23:26 483328 ----a-w- c:\program files\putty.exe
2012-02-05 18:21 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-02-05 18:21 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-05 18:21 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-05 18:21 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-02-05 18:21 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-02-05 18:21 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-05 18:21 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-02-05 18:20 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-02-05 18:20 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-02-04 19:27 . 2012-02-04 19:27 -------- d-----w- C:\Nexon
2012-02-04 19:13 . 2012-02-04 19:13 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-02-04 19:04 . 2012-02-04 19:04 -------- d-----w- c:\program files\CCleaner
2012-02-03 18:40 . 2012-02-03 18:40 -------- d-----w- c:\program files\HitmanPro
2012-02-03 18:40 . 2012-02-03 19:53 -------- d-----w- c:\programdata\HitmanPro
2012-02-03 17:38 . 2012-02-03 17:38 -------- d-----w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2012-02-03 17:37 . 2012-02-03 19:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-03 17:37 . 2012-02-03 17:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-30 18:02 . 2012-02-01 22:01 -------- d-----w- c:\program files (x86)\WinSCP
2012-01-16 06:44 . 2012-01-16 06:44 -------- d-----w- c:\programdata\AVAST Software
2012-01-16 06:44 . 2012-01-16 06:44 -------- d-----w- c:\program files\AVAST Software
2012-01-16 04:26 . 2012-01-16 04:26 -------- d-----w- c:\users\Nick\AppData\Roaming\Malwarebytes
2012-01-16 04:26 . 2012-01-16 04:26 -------- d-----w- c:\programdata\Malwarebytes
2012-01-16 04:26 . 2012-01-16 04:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-16 04:26 . 2011-12-10 22:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-16 04:22 . 2012-02-04 19:11 -------- d-----w- c:\users\Nick\AppData\Local\CrashDumps
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-09 14:35 . 2011-08-08 02:07 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-25 16:29 . 2011-03-29 01:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-30 09:21 . 2012-01-15 09:07 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4E84B030-AA09-4619-9E92-DA8F1452B1F9}\mpengine.dll
2011-11-24 04:52 . 2011-12-26 18:26 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 14:58 . 2012-01-10 22:44 77312 ----a-w- c:\windows\system32\packager.dll
2011-11-19 14:01 . 2012-01-10 22:44 67072 ----a-w- c:\windows\SysWow64\packager.dll
2011-11-17 06:49 . 2012-01-12 16:23 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2011-11-17 06:49 . 2012-01-12 16:23 152432 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2011-11-17 06:44 . 2012-01-12 16:23 459232 ----a-w- c:\windows\system32\drivers\cng.sys
2011-11-17 06:41 . 2012-01-10 22:44 1731920 ----a-w- c:\windows\system32\ntdll.dll
2011-11-17 06:35 . 2012-01-12 16:23 395776 ----a-w- c:\windows\system32\webio.dll
2011-11-17 06:35 . 2012-01-12 16:23 29184 ----a-w- c:\windows\system32\sspisrv.dll
2011-11-17 06:35 . 2012-01-12 16:23 136192 ----a-w- c:\windows\system32\sspicli.dll
2011-11-17 06:35 . 2012-01-12 16:23 340992 ----a-w- c:\windows\system32\schannel.dll
2011-11-17 06:35 . 2012-01-12 16:23 28160 ----a-w- c:\windows\system32\secur32.dll
2011-11-17 06:35 . 2012-01-12 16:23 1447936 ----a-w- c:\windows\system32\lsasrv.dll
2011-11-17 06:33 . 2012-01-12 16:23 31232 ----a-w- c:\windows\system32\lsass.exe
2011-11-17 05:38 . 2012-01-10 22:44 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2011-11-17 05:35 . 2012-01-12 16:23 314880 ----a-w- c:\windows\SysWow64\webio.dll
2011-11-17 05:34 . 2012-01-12 16:23 224768 ----a-w- c:\windows\SysWow64\schannel.dll
2011-11-17 05:34 . 2012-01-12 16:23 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2011-11-17 05:28 . 2012-01-12 16:23 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-05_13.17.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-02-05 18:10 37180 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-07 09:13 36356 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-12-25 15:05 . 2012-02-07 13:07 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-12-25 15:05 . 2012-02-04 21:27 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-12-25 15:05 . 2012-02-07 13:07 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-12-25 15:05 . 2012-02-04 21:27 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-07 13:07 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-04 21:27 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-25 15:05 . 2012-02-07 09:13 7910 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2206718413-4200557095-4090096804-1000_UserData.bin
- 2012-02-05 13:17 . 2012-02-05 13:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-14 10:00 . 2012-02-14 10:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-14 10:00 . 2012-02-14 10:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-05 13:17 . 2012-02-05 13:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-07 14:11 . 2012-02-11 17:42 161560 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2011-12-25 15:25 . 2012-02-13 19:40 212112 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-02-05 07:19 616008 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-14 09:46 616008 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-02-05 07:19 106388 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-02-14 09:46 106388 c:\windows\system32\perfc009.dat
+ 2011-12-27 08:15 . 2012-02-14 09:59 945224 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-12-27 08:15 . 2012-02-05 13:16 945224 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 05:01 . 2012-02-05 13:16 276452 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-02-14 09:59 276452 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-02-14 10:00 1212416 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-02-05 13:16 1212416 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-12-26 07:21 . 2012-02-07 09:09 2107516 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2206718413-4200557095-4090096804-1000-12288.dat
+ 2009-07-14 04:54 . 2012-02-14 10:00 14139392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-05 13:16 14139392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-05 13:16 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-14 10:00 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-02-07 09:08 . 2012-01-05 01:02 54008112 c:\windows\system32\MRT.exe
+ 2011-12-25 15:42 . 2012-02-14 09:59 24655700 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2206718413-4200557095-4090096804-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-12-25 1242448]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Aim"="c:\program files (x86)\AIM\aim.exe" [2011-05-03 4321112]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2011-07-12 1298816]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2011-06-22 3218864]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-11 136176]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-11 136176]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2011-07-12 57216]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-06-10 138152]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2011-07-19 123320]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-07-19 126392]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-11 05:34]
.
2012-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-11 05:34]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-08 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-08 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-08 418136]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2011-06-10 710560]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.toshiba.com/?cid=C001B2Y
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\evo5924n.default\
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.13.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-02-14 03:06:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-14 10:06
ComboFix2.txt 2012-02-05 13:23
.
Pre-Run: 197,036,855,296 bytes free
Post-Run: 197,042,679,808 bytes free
.
- - End Of File - - 9912FDC4581BEE4535FF54C00CBFF5EB

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 February 2012 - 10:44 AM

Hello

I will run MBAM in a few minutes, so wait on that.

I would like to see a report that combofix makes.

Extra ComboFix report

  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button).
  • Please copy and paste the following into the box:
C:\Qoobox\Add-Remove Programs.txt
  • Click OK.

Copy and paste the report into this topic for me to review.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Solan

Solan
  • Topic Starter

  • Members
  • 9 posts

Posted 14 February 2012 - 12:49 PM

Here's the log. I did run Avast before I saw your post, but it only removed the consrv.dll file that ComboFix had previously quarantined (and which MS tech support previously assured me was safe to remove) plus two unrelated temporary IE files.


Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2) MUI
AIM 7
Apple Application Support
Apple Software Update
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
avast! Free Antivirus
Bejeweled 3
Cave Story Deluxe
Chuzzle Deluxe
Cisco Connect
D3DX10
Download Updater (AOL LLC)
FATE - The Traitor Soul
Fishdom ™ 2
Flixster Collections
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Intel® Management Engine Components
Intel® Processor Graphics
Intel® Rapid Storage Technology
Java Auto Updater
Java™ 6 Update 22
Java™ 6 Update 25
Junk Mail filter update
Label@Once 1.0
Left 4 Dead
Left 4 Dead 2
Mabinogi
Malwarebytes Anti-Malware version 1.60.0.1800
Mesh Runtime
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Mozilla Firefox 9.0.1 (x86 en-US)
MSVCRT
MSVCRT_amd64
Nexon Game Manager
NSIS SWR English
Oblivion
OpenOffice.org 3.3
Pando Media Booster
Penguins!
Plants vs. Zombies - Game of the Year
Plants vs. Zombies: Game of the Year
PlayReady PC Runtime x86
Polar Bowler
Portal 2
Realtek USB 2.0 Card Reader
Realtek WLAN Driver
Revo Uninstaller 1.93
RGSS-RTP Standard
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Skype Launcher
Skype™ 5.5
Steam
Tom Clancy's Splinter Cell
Toshiba App Place
TOSHIBA Application Installer
TOSHIBA Assist
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
Toshiba Laptop Checkup
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
Toshiba Online Backup
TOSHIBA Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA Resolution+ Plug-in for Windows Media Player
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TOSHIBA Web Camera Application
TOSHIBA Wireless LAN Indicator
TOSHIBARegistration
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update Installer for WildTangent Games App
Virtual Villagers 5 - New Believers
WildTangent Games
WildTangent Games App (Toshiba Games)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zuma's Revenge
東方緋想天 Ver1.06a

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 February 2012 - 05:57 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

  • Java™ 6 Update 22
  • Java™ 6 Update 25


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run; if prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.



Install Java:

Please go here to install Java.

  • Click on the Free Java Download button.
  • Click on Agree and start Free download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go here to download HijackThis Installer.
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7: right-click and run as admin.)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a log file button. It will scan, and the log should open in Notepad.
  • Click on Edit > Select All, then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


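The HijackThis log requested above is flat text with one finding per line (R3/O2 hooks and BHOs, O4 autoruns, O10 LSP state, O23 services). The Python triage script below is an added example, not code from this thread or from HijackThis: it runs over a constructed sample in that format, and the flags it attaches (orphan, unusual autorun location, broken LSP, WOW64-redirected "file missing") are review hints in the spirit of the "most of what it finds will be harmless" caution, not verdicts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the format of the HijackThis v2.0.4 log posted in this
# thread: a few representative lines, plus one made-up autorun under a user
# profile (example_updater.exe) to exercise the location check.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows 7 SP1 (WinNT 6.00.3505)

R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [example_updater] "C:\Users\Example\AppData\Roaming\example_updater.exe"
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
"""

# Every finding is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 registry autoruns look like: HKLM\..\Run: [value name] "exe" args
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Where startup programs normally live on a stock Windows 7 machine.
EXPECTED_DIRS = ("c:\\program files", "c:\\windows")


@dataclass
class Entry:
    code: str      # HijackThis section code (R3, O2, O4, O10, O23, ...)
    body: str      # text after the "Onn - " prefix
    flags: list[str] = field(default_factory=list)   # review hints, not verdicts


def exe_path(cmd: str) -> str:
    """Return the executable from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(e: Entry) -> None:
    """Attach review flags to one entry. None of them alone proves an infection."""
    if "(no file)" in e.body:
        # Registry still references a component that is gone: an orphan to
        # tidy up (like the R3 URLSearchHook in the thread), not an active threat.
        e.flags.append("orphan")
    if e.code == "O4":
        m = O4_RE.match(e.body)
        if m and not exe_path(m["cmd"]).lower().startswith(EXPECTED_DIRS):
            # Autoruns launched from a user profile or temp directory are the
            # usual persistence spot for droppers; worth a closer look.
            e.flags.append("unusual-autorun-location")
    elif e.code == "O10" and "missing" in e.body:
        # A Winsock LSP chain pointing at a missing DLL breaks networking; it is
        # repaired with a Winsock reset, not by deleting the entry.
        e.flags.append("broken-lsp")
    elif e.code == "O23":
        parts = e.body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) != 3:
            return
        _display, owner, path = parts
        if "(file missing)" in path:
            if "\\system32\\" in path.lower():
                # A 32-bit HijackThis on 64-bit Windows is redirected to SysWOW64
                # when it reads System32, so built-in services hosted in lsass.exe
                # and friends routinely report "(file missing)" there.
                e.flags.append("file-missing-likely-wow64-redirect")
            else:
                e.flags.append("file-missing")
        elif owner == "Unknown owner":
            # No company name in the binary's version info; check the vendor.
            e.flags.append("unknown-vendor")


def parse_log(text: str) -> list[Entry]:
    """Parse HijackThis findings; header lines and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = Entry(m["code"], m["body"])
            triage(e)
            entries.append(e)
    return entries


def report(text: str) -> dict:
    """Counts per section plus the flagged entries, for a quick read."""
    entries = parse_log(text)
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    flagged = [(e.code, e.body[:60], e.flags) for e in entries if e.flags]
    return {"counts": counts, "flagged": flagged}


if __name__ == "__main__":
    for code, snippet, flags in report(SAMPLE_LOG)["flagged"]:
        print(f"{code:4} {', '.join(flags):40} {snippet}")
```
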
#13 Solan

Solan
  • Topic Starter

  • Members
  • 9 posts

Posted 15 February 2012 - 02:02 AM

Okay, I was successfully able to run all of the programs on the list. Revo proceeded without problem, though Update 22 did not have any leftovers that were picked up at the Moderate level. Java installed without problem, and TFC ran fine. I did a Quick Scan with MBAM and detected no objects; the log is below. (Should I try a full scan instead?) Lastly, after running as an administrator I was able to successfully generate a log with HijackThis, also posted below.

MBAM log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.15.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nick :: SATELLITE-NEO [administrator]

2/14/2012 11:50:35 PM
mbam-log-2012-02-14 (23-50-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183044
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:58:01 PM, on 2/14/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Toshiba Laptop Checkup Application Launcher (Norton PC Checkup Application Launcher) - Symantec Corporation - C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9462 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:09 PM

Posted 15 February 2012 - 08:44 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them by clicking their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
      O4 - HKCU\..\Run: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
      O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
      O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 Solan

Solan
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:09 AM

Posted 15 February 2012 - 02:07 PM

I elected to skip step 1, since after review, all the items on there are either programs I want to have active on startup, or auto-updaters for core programs I use frequently. Step 2 ran smoothly, but only created one detection (listed below). I strongly believe this is a false positive result, though; Client.exe is the main program file for Mabinogi, an MMO I frequently play. I especially have a feeling this is a false positive since I uninstalled the Mabinogi client using Revo well after symptoms started appearing, and then reinstalled. Other than Client.exe, ESET didn't find anything.

ESET results:

C:\Nexon\Mabinogi\Client.exe a variant of Win32/Packed.Themida application



