Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Sirefef virus/trojan - Laptop restarting - Vista 32 bit


  • This topic is locked This topic is locked
18 replies to this topic

#1 jtsm

jtsm

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 27 July 2012 - 12:12 PM

This is my first post. Thanks in advance for any help you can provide!

This problem is on a Toshiba Satellite A215 running Windows Vista 32-bit version.

The Microsoft Security Essentials icon in the tray turned red, as if the service was turned off. I was having trouble getting it turned back on, so I went to the control panel and uninstalled the service. I downloaded a new copy from the Microsoft website and reinstalled.

Soon after installing, I got a message saying that threats had been cleaned off the computer and then another saying that 2 threats had been quarantined. The threats quarantined were:

Virus:win32/sirefef.R and Trojan:win32/sirefef.AH

As this threat message pops up, I then get a window open telling me that Windows has encountered a critical error and will shut down in one minute.

It restarts, stays on for about 90 seconds, but then shutdowns again with the same message about detecting sirefef.R and .AH

Again, thanks in advance for your help! I'm not very knowledgeable about computers, but I can follow directions!!

BC AdBot (Login to Remove)

 


#2 jtsm

jtsm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 30 July 2012 - 11:58 PM

Here's the logs:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 31-07-2012 00:17:56
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [411192 2007-03-29] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [55416 2006-12-07] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [448080 2007-06-15] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [538744 2007-05-22] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-15] (Synaptics, Inc.)
HKLM\...\Run: [NDSTray.exe] NDSTray.exe [x]
HKLM\...\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup [1862144 2007-08-22] (Google)
HKLM\...\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [90112 2006-11-10] ()
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-10-14] (Adobe Systems Incorporated)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-10-14] (Hewlett-Packard)
HKLM\...\Run: [hpqSRMon] [x]
HKLM\...\Run: [] [x]
HKLM\...\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe" [395144 2011-05-17] (Ask)
HKLM\...\Run: [zvvvS22ibF3nGaQ] C:\Users\Frank\AppData\Roaming\dwme.exe [x]
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Default\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-05-18] ()
HKU\Default User\...\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-05-18] ()
HKU\Frank\...\Run: [TOSCDSPD] TOSCDSPD.EXE [x]
HKU\Frank\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-02-15] (Google Inc.)
HKU\Frank\...\Run: [I8ggTZqqh] C:\Users\Frank\AppData\Roaming\dwme.exe [x]
HKU\Frank\...\Run: [R77ffEL99TZqjC] C:\Users\Frank\AppData\Roaming\dwme.exe [x]
HKU\Frank\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Frank\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Frank\...\Winlogon: [Shell] explorer.exe [x]
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [25088 2008-01-18] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)

================================ Services (Whitelisted) ==================

2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
3 GoogleDesktopManager; "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [1862144 2007-08-22] (Google)
2 Lavasoft Ad-Aware Service; "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" [2152152 2011-09-02] (Lavasoft Limited)
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
2 pinger; C:\Toshiba\IVP\ISM\pinger.exe [136816 2007-01-25] ()
2 ptumlcmsvc; C:\Windows\system32\ptumlcmsvc.exe [106496 2011-04-29] (DEVGURU Co., LTD)
2 TosCoSrv; "C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe" [427576 2007-03-29] (TOSHIBA Corporation)
2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
2 Swupdtmr; c:\Toshiba\IVP\swupdate\swupdtmr.exe [x]

========================== Drivers (Whitelisted) =============

0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [64512 2011-06-20] (Lavasoft AB)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 PTDMBus; C:\Windows\System32\DRIVERS\PTDMBus.sys [55056 2009-11-02] (DEVGURU Co., LTD.)
3 PTDMMdm; C:\Windows\System32\DRIVERS\PTDMMdm.sys [160912 2009-11-02] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTDMVsp; C:\Windows\System32\DRIVERS\PTDMVsp.sys [160912 2009-11-02] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTDMWFLT; C:\Windows\System32\DRIVERS\PTDMWFLT.sys [13456 2009-11-02] (DEVGURU Co., LTD.)
3 PTDMWWAN; C:\Windows\System32\DRIVERS\PTDMWWAN.sys [118800 2009-11-02] (DEVGURU Co., LTD.)
3 PTUMLBUS; C:\Windows\System32\DRIVERS\PTUMLBUS.sys [59664 2011-04-29] (DEVGURU Co., LTD.)
3 PTUMLCVsp; C:\Windows\System32\DRIVERS\PTUMLCVsp.sys [168208 2011-04-29] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTUMLMdm; C:\Windows\System32\DRIVERS\PTUMLMdm.sys [168208 2011-04-29] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTUMLNET; C:\Windows\System32\DRIVERS\PTUMLNET.sys [80912 2011-04-29] (DEVGURU Co., LTD.)
3 PTUMLNVsp; C:\Windows\System32\DRIVERS\PTUMLNVsp.sys [168848 2011-04-29] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 PTUMLRMNET; C:\Windows\System32\DRIVERS\PTUMLRMNET.sys [59920 2011-04-29] (DEVGURU Co., LTD.)
3 PTUMLVsp; C:\Windows\System32\DRIVERS\PTUMLVsp.sys [168208 2011-04-29] (DEVGURU Co., LTD.(www.devguru.co.kr))
3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [347648 2009-04-23] (Realtek Semiconductor Corporation )
3 winbondcir; C:\Windows\System32\DRIVERS\winbondcir.sys [43008 2007-03-28] (Winbond Electronics Corporation)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 Tosrfcom; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-31 00:17 - 2012-07-31 00:17 - 00000000 ____D C:\FRST
2012-07-25 08:11 - 2012-07-25 08:11 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dzpfoskl.sys
2012-07-25 08:01 - 2012-07-25 08:07 - 00000384 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2012-07-24 19:03 - 2012-07-24 19:03 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-24 18:48 - 2012-07-24 18:48 - 10288512 ____A (Microsoft Corporation) C:\Users\Frank\Downloads\mseinstall(3).exe
2012-07-24 18:41 - 2012-07-24 18:41 - 10288512 ____A (Microsoft Corporation) C:\Users\Frank\Downloads\mseinstall(2).exe
2012-07-24 18:20 - 2012-07-24 18:20 - 10288512 ____A (Microsoft Corporation) C:\Users\Frank\Downloads\mseinstall(1).exe
2012-07-23 19:03 - 2012-07-23 19:03 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-22 23:44 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-22 23:04 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-22 23:04 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-22 23:04 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-22 23:04 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-22 23:04 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-22 23:04 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-22 23:04 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-22 23:04 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-22 23:04 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-22 23:04 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-22 23:04 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-22 23:04 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-22 23:04 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-22 23:04 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-22 08:46 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-22 08:45 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-22 08:45 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-22 08:39 - 2012-07-22 08:40 - 00000000 ____D C:\Download
2012-07-22 08:37 - 2012-07-22 08:40 - 00000000 ____D C:\tmpDownload
2012-07-22 08:35 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-22 08:35 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-22 08:35 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-22 08:33 - 2012-07-22 08:34 - 03716509 ____A (YouTube Music Downloader ) C:\Users\Frank\Downloads\youtube_music_downloader.exe
2012-07-11 19:05 - 2012-07-11 19:05 - 00000000 ____D C:\Users\Frank\AppData\Roaming\Template
2012-07-11 19:05 - 2012-07-11 19:05 - 00000000 ____A C:\Users\Frank\AppData\Roaming\wklnhst.dat

============ 3 Months Modified Files ========================

2012-07-25 08:11 - 2012-07-25 08:11 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dzpfoskl.sys
2012-07-25 08:11 - 2011-05-17 19:18 - 00001356 ____A C:\Users\Frank\AppData\Local\d3d9caps.dat
2012-07-25 08:11 - 2009-07-10 01:54 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-25 08:07 - 2012-07-25 08:01 - 00000384 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2012-07-25 08:06 - 2011-07-03 15:42 - 00022187 ____A C:\aaw7boot.log
2012-07-25 07:56 - 2010-03-02 00:22 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-25 07:56 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-25 07:56 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 07:55 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-24 21:09 - 2006-11-02 02:33 - 00706654 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-24 20:22 - 2006-11-02 04:47 - 00405872 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-24 20:11 - 2007-08-22 12:36 - 00060736 ____A C:\Windows\PFRO.log
2012-07-24 19:07 - 2011-07-03 16:38 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-24 19:07 - 2007-09-18 15:22 - 02081729 ____A C:\Windows\WindowsUpdate.log
2012-07-24 18:56 - 2006-11-02 05:01 - 00032552 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-24 18:48 - 2012-07-24 18:48 - 10288512 ____A (Microsoft Corporation) C:\Users\Frank\Downloads\mseinstall(3).exe
2012-07-24 18:43 - 2010-07-01 15:32 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-24 18:41 - 2012-07-24 18:41 - 10288512 ____A (Microsoft Corporation) C:\Users\Frank\Downloads\mseinstall(2).exe
2012-07-24 18:20 - 2012-07-24 18:20 - 10288512 ____A (Microsoft Corporation) C:\Users\Frank\Downloads\mseinstall(1).exe
2012-07-24 12:16 - 2012-03-04 17:45 - 00000436 ___AH C:\Windows\Tasks\Norton Security Scan for Frank.job
2012-07-23 18:58 - 2012-03-31 10:44 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-07-23 18:58 - 2011-09-04 06:44 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-22 23:05 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-22 10:29 - 2011-07-09 03:18 - 00000064 ____A C:\Windows\System32\rp_stats.dat
2012-07-22 10:29 - 2011-07-09 03:18 - 00000044 ____A C:\Windows\System32\rp_rules.dat
2012-07-22 09:47 - 2011-11-27 18:36 - 00001982 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-07-22 08:34 - 2012-07-22 08:33 - 03716509 ____A (YouTube Music Downloader ) C:\Users\Frank\Downloads\youtube_music_downloader.exe
2012-07-21 14:23 - 2011-08-01 18:25 - 00032375 ____A C:\Users\Frank\Documents\Redskins Schedule.xlsx
2012-07-11 19:05 - 2012-07-11 19:05 - 00000000 ____A C:\Users\Frank\AppData\Roaming\wklnhst.dat
2012-07-11 11:16 - 2011-08-01 17:12 - 00002571 ____A C:\Users\Frank\Desktop\Microsoft Excel 2010.lnk
2012-07-11 07:13 - 2010-12-03 09:01 - 00002613 ____A C:\Users\Frank\Desktop\Microsoft Word 2010.lnk
2012-07-03 18:15 - 2006-11-02 04:52 - 00057992 ____A C:\Windows\setupact.log
2012-06-21 14:23 - 2011-07-13 17:14 - 00030538 ____A C:\Users\Frank\Documents\Bracket group1.xlsx
2012-06-18 13:22 - 2012-06-18 13:22 - 00000000 ____A C:\Windows\setup32.INI
2012-06-13 05:40 - 2012-07-22 23:44 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-10 18:31 - 2012-06-10 17:22 - 00012544 ____A C:\Users\Frank\Documents\football spreadsheet.xlsx
2012-06-08 09:47 - 2012-07-22 08:46 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 08:47 - 2012-07-22 08:45 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 08:47 - 2012-07-22 08:45 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:26 - 2012-07-22 08:35 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-21 13:55 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 13:55 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 13:55 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 13:54 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 13:54 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-21 13:55 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-21 13:54 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-21 13:54 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-21 13:54 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-22 23:04 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-22 23:04 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-22 23:04 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-22 23:04 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-22 23:04 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-22 23:04 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-22 23:04 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-22 23:04 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-22 23:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-22 23:04 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-22 23:04 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-22 23:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-22 23:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-22 23:04 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 16:04 - 2012-07-22 08:35 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:03 - 2012-07-22 08:35 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll


ZeroAccess:
C:\Windows\Installer\{3b803de2-9b3a-e14d-88f0-70942e83e842}
C:\Windows\Installer\{3b803de2-9b3a-e14d-88f0-70942e83e842}\@
C:\Windows\Installer\{3b803de2-9b3a-e14d-88f0-70942e83e842}\L
C:\Windows\Installer\{3b803de2-9b3a-e14d-88f0-70942e83e842}\n
C:\Windows\Installer\{3b803de2-9b3a-e14d-88f0-70942e83e842}\U
C:\Windows\Installer\{3b803de2-9b3a-e14d-88f0-70942e83e842}\L\00000004.@
C:\Windows\Installer\{3b803de2-9b3a-e14d-88f0-70942e83e842}\L\201d3dde

ZeroAccess:
C:\Users\Frank\AppData\Local\{3b803de2-9b3a-e14d-88f0-70942e83e842}
C:\Users\Frank\AppData\Local\{3b803de2-9b3a-e14d-88f0-70942e83e842}\@
C:\Users\Frank\AppData\Local\{3b803de2-9b3a-e14d-88f0-70942e83e842}\L
C:\Users\Frank\AppData\Local\{3b803de2-9b3a-e14d-88f0-70942e83e842}\n
C:\Users\Frank\AppData\Local\{3b803de2-9b3a-e14d-88f0-70942e83e842}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 19%
Total physical RAM: 1917.44 MB
Available physical RAM: 1544.38 MB
Total Pagefile: 1749.83 MB
Available Pagefile: 1610 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (SQ004513V03) (Fixed) (Total:184.84 GB) (Free:119.41 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.33 GB) NTFS
4 Drive f: () (Removable) (Total:7.45 GB) (Free:7.4 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 186 GB 3257 KB
Disk 1 Online 7634 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 185 GB 1501 MB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E TOSHIBA SYS NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C SQ004513V03 NTFS Partition 185 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7633 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 F FAT32 Removable 7633 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-24 19:06

======================= End Of Log ==========================









Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-31 00:20:38
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-07-10 01:54] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-07-05 05:17] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

C:\Windows\System32\services.exe
[2009-07-10 01:54] - [2012-07-25 08:11] - 0279552 ____A (Microsoft Corporation) 8737764F4FD36D6808EE80578409C843

=== End Of Search ===


Thanks for your help!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 AM

Posted 01 August 2012 - 12:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462717 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 jtsm

jtsm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 01 August 2012 - 09:56 PM

Thanks for your reply and thanks in advance for your assistance!


My computer is running Windows Vista ™ Home Premium (X86) OS Language: English(US) and is a 32-bit system.

I do not have the original Windows CD available. It came pre-installed.

My computer won't stay on long enough to generate a DDS or GMER log. Even in safe mode it shut downs within about 2 minutes.

I was able to create the FRST and services.exe logs. They are listed above.

What is the next step?

Edited by jtsm, 01 August 2012 - 09:58 PM.


#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:58 AM

Posted 01 August 2012 - 10:21 PM

sorry for the wait, the forum has been very busy lately,

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [] [x]
HKLM\...\Run: [zvvvS22ibF3nGaQ] C:\Users\Frank\AppData\Roaming\dwme.exe [x]
HKU\Frank\...\Run: [I8ggTZqqh] C:\Users\Frank\AppData\Roaming\dwme.exe [x]
HKU\Frank\...\Run: [R77ffEL99TZqjC] C:\Users\Frank\AppData\Roaming\dwme.exe [x]
C:\Windows\Installer\{3b803de2-9b3a-e14d-88f0-70942e83e842}
C:\Users\Frank\AppData\Local\{3b803de2-9b3a-e14d-88f0-70942e83e842}
C:\Windows\assembly\GAC\Desktop.ini
replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:10:58 AM

Posted 01 August 2012 - 10:27 PM

Please disregard.

Edited by Aaflac, 01 August 2012 - 10:28 PM.

Old duck...


#7 jtsm

jtsm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 02 August 2012 - 04:59 AM

I have a question about how long ComboFix usually runs? I followed the instructions and stopped MSE.

ComboFix seemed to be progressing normally. I think it was preparing the Log Report, then the screen went totally blank (dark). It has been dark for about 95 minutes.

Is this normal? I don't want to interrupt the ComboFix process. I think maybe it went into hibernate mode. The screen is dark, I can hear the fan operating, but I don't see the disk activity light flashing. Can I press a button to see if it is in Hibernate mode?

Please advise. Thanks!

Edited by jtsm, 02 August 2012 - 06:05 AM.


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:58 AM

Posted 02 August 2012 - 08:06 AM

yes, please wake the machine, the log may be open on your desktop

if it is not, restart the machine and try running combofix again in safe mode


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 jtsm

jtsm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 02 August 2012 - 11:06 AM

OK, I restarted the laptop and ComboFix seemed to finish after a few minutes.

Here's the log for ComboFix:

ComboFix 12-07-31.03 - Frank 08/02/2012 5:05.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1128 [GMT -4:00]
Running from: c:\users\Frank\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\LP
c:\program files\LP\B617\1D35.tmp
c:\programdata\34266872
c:\users\Frank\AppData\Local\TempDIR
c:\users\Frank\AppData\Local\TempDIR\BetterInstaller.exe
c:\users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Repair
c:\users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Repair\Uninstall Windows Vista Repair.lnk
c:\users\Frank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Repair\Windows Vista Repair.lnk
c:\users\Frank\Documents\~WRL0015.tmp
c:\users\Frank\Documents\~WRL0103.tmp
c:\users\Frank\Documents\~WRL0502.tmp
c:\users\Frank\Documents\~WRL0888.tmp
c:\users\Frank\Documents\~WRL2927.tmp
c:\users\Frank\Documents\~WRL3105.tmp
c:\users\Frank\Documents\~WRL3635.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-07-02 to 2012-08-02 )))))))))))))))))))))))))))))))
.
.
2012-08-02 15:10 . 2012-08-02 15:10 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4B079B3-C6DC-4480-95D4-F866E1B2C430}\offreg.dll
2012-08-02 09:17 . 2012-08-02 15:13 -------- d-----w- c:\users\Frank\AppData\Local\temp
2012-08-02 08:57 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4B079B3-C6DC-4480-95D4-F866E1B2C430}\mpengine.dll
2012-07-31 08:17 . 2012-07-31 08:17 -------- d-----w- C:\FRST
2012-07-25 16:11 . 2012-07-25 16:11 43480 ----a-w- c:\windows\system32\drivers\dzpfoskl.sys
2012-07-25 03:06 . 2012-02-09 18:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3DCD20F3-F02D-47ED-8E43-60ED9E6C0CC6}\gapaengine.dll
2012-07-25 03:05 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-25 03:03 . 2012-07-25 03:03 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-24 03:03 . 2012-07-24 03:03 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-23 07:44 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-22 16:46 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-22 16:45 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-22 16:45 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-22 16:39 . 2012-07-22 16:40 -------- d-----w- C:\Download
2012-07-22 16:37 . 2012-07-22 16:40 -------- d-----w- C:\tmpDownload
2012-07-22 16:35 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-22 16:35 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-22 16:35 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-12 03:05 . 2012-07-12 03:05 -------- d-----w- c:\users\Frank\AppData\Roaming\Template
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-24 02:58 . 2012-03-31 18:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-24 02:58 . 2011-09-04 14:44 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-21 21:55 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 21:55 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 21:54 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 21:54 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 21:55 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 21:55 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 21:54 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 21:54 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 21:54 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 21:03 . 2011-09-29 02:43 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 17:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-10 4702208]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"NDSTray.exe"="NDSTray.exe" [BU]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-22 1862144]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1057712510-994901703-3176631456-1000]
"EnableNotificationsRef"=dword:00000002
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 08:21]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 08:21]
.
2012-07-24 c:\windows\Tasks\Norton Security Scan for Frank.job
- c:\progra~1\NORTON~2\Engine\371~1.4\Nss.exe [2012-03-05 06:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://washingtondc.craigslist.org/tix/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
FF - ProfilePath - c:\users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\0fcrdnwf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=16
FF - user.js: extentions.y2layers.installId - 8fb930ac-03a2-4292-8bfd-6e4c8de2e2fe
FF - user.js: extentions.y2layers.defaultEnableAppsList - DropDownDeals,BestVideoDownloader,EzLooker,TwitTube,TopRelatedTopics,Buzzdock,
FF - user.js: security.csp.enable - false
FF - user.js: extensions.autoDisableScopes - 14);//iBryteuser_pref(extensions.BabylonToolbar_i.babTrack, affID=110014&tt=290312_29
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 74662df500000000000000164478c39e
FF - user.js: extensions.BabylonToolbar_i.hardId - 74662df500000000000000164478c39e
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15429
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1722:31
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-hpqSRMon - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\system32\ptumlcmsvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2012-08-02 11:23:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-02 15:23
.
Pre-Run: 126,051,749,888 bytes free
Post-Run: 126,892,003,328 bytes free
.
- - End Of File - - 2C77DE197E6377043E0A109194A4D146



Here's my Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-08-02 04:41:51 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\zvvvS22ibF3nGaQ Value deleted successfully.
HKEY_USERS\Frank\Software\Microsoft\Windows\CurrentVersion\Run\\I8ggTZqqh Value deleted successfully.
HKEY_USERS\Frank\Software\Microsoft\Windows\CurrentVersion\Run\\R77ffEL99TZqjC Value deleted successfully.
C:\Windows\Installer\{3b803de2-9b3a-e14d-88f0-70942e83e842} moved successfully.
C:\Users\Frank\AppData\Local\{3b803de2-9b3a-e14d-88f0-70942e83e842} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini not found.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:58 AM

Posted 02 August 2012 - 11:24 AM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FireFox::
FF - ProfilePath - c:\users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\0fcrdnwf.default\
FF - user.js: extensions.autoDisableScopes - 14);//iBryteuser_pref(extensions.BabylonToolbar_i.babTrack, affID=110014&tt=290312_29
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 74662df500000000000000164478c39e
FF - user.js: extensions.BabylonToolbar_i.hardId - 74662df500000000000000164478c39e
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15429
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1722:31
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 jtsm

jtsm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 02 August 2012 - 09:44 PM

My laptop is working much better. Here are the logs you requested:

ComboFix:

ComboFix 12-07-31.03 - Frank 08/02/2012 19:26:38.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1118 [GMT -4:00]
Running from: c:\users\Frank\Desktop\ComboFix.exe
Command switches used :: c:\users\Frank\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-02 to 2012-08-02 )))))))))))))))))))))))))))))))
.
.
2012-08-02 23:34 . 2012-08-02 23:34 -------- d-----w- c:\users\Frank\AppData\Local\temp
2012-08-02 23:34 . 2012-08-02 23:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-02 23:09 . 2012-08-02 23:09 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4B079B3-C6DC-4480-95D4-F866E1B2C430}\offreg.dll
2012-08-02 08:57 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4B079B3-C6DC-4480-95D4-F866E1B2C430}\mpengine.dll
2012-07-31 08:17 . 2012-07-31 08:17 -------- d-----w- C:\FRST
2012-07-25 16:11 . 2012-07-25 16:11 43480 ----a-w- c:\windows\system32\drivers\dzpfoskl.sys
2012-07-25 03:06 . 2012-02-09 18:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3DCD20F3-F02D-47ED-8E43-60ED9E6C0CC6}\gapaengine.dll
2012-07-25 03:05 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-25 03:03 . 2012-07-25 03:03 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-24 03:03 . 2012-07-24 03:03 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-23 07:44 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-22 16:46 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-22 16:45 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-22 16:45 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-22 16:39 . 2012-07-22 16:40 -------- d-----w- C:\Download
2012-07-22 16:37 . 2012-07-22 16:40 -------- d-----w- C:\tmpDownload
2012-07-22 16:35 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-22 16:35 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-22 16:35 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-12 03:05 . 2012-07-12 03:05 -------- d-----w- c:\users\Frank\AppData\Roaming\Template
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-24 02:58 . 2012-03-31 18:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-24 02:58 . 2011-09-04 14:44 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-21 21:55 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 21:55 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 21:54 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 21:54 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 21:55 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 21:55 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 21:54 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 21:54 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 21:54 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 21:03 . 2011-09-29 02:43 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 17:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-10 4702208]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"NDSTray.exe"="NDSTray.exe" [BU]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-22 1862144]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1057712510-994901703-3176631456-1000]
"EnableNotificationsRef"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 08:21]
.
2012-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 08:21]
.
2012-07-24 c:\windows\Tasks\Norton Security Scan for Frank.job
- c:\progra~1\NORTON~2\Engine\371~1.4\Nss.exe [2012-03-05 06:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://washingtondc.craigslist.org/tix/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
FF - ProfilePath - c:\users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\0fcrdnwf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=16
FF - user.js: extentions.y2layers.installId - 8fb930ac-03a2-4292-8bfd-6e4c8de2e2fe
FF - user.js: extentions.y2layers.defaultEnableAppsList - DropDownDeals,BestVideoDownloader,EzLooker,TwitTube,TopRelatedTopics,Buzzdock,
FF - user.js: security.csp.enable - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-02 19:34
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-02 19:38:18
ComboFix-quarantined-files.txt 2012-08-02 23:38
ComboFix2.txt 2012-08-02 15:23
.
Pre-Run: 126,933,610,496 bytes free
Post-Run: 126,900,224,000 bytes free
.
- - End Of File - - 2A00CAB2BB9F4FB83E503B5D8E159A9F


MBAM:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.02.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Frank :: NFL1 [administrator]

Protection: Enabled

8/2/2012 7:48:46 PM
mbam-log-2012-08-02 (19-48-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192776
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Frank\Downloads\DownloadManager_Setup(1).exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
C:\Users\Frank\Downloads\DownloadManager_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

(end)



ESETSCAN:

C:\FRST\Quarantine\services.exe Win32/Sirefef.FB.Gen trojan
C:\FRST\Quarantine\{3b803de2-9b3a-e14d-88f0-70942e83e842}\n a variant of Win32/Kryptik.AIVX trojan
C:\FRST\Quarantine\{3b803de2-9b3a-e14d-88f0-70942e83e842}\{3b803de2-9b3a-e14d-88f0-70942e83e842}\n a variant of Win32/Kryptik.AIVX trojan
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll a variant of Win32/Toolbar.Babylon application
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll Win32/Toolbar.Babylon application
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe probably a variant of Win32/Toolbar.Babylon application
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll Win32/Toolbar.Babylon application
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll Win32/Toolbar.Babylon application
C:\Program Files\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\ProgramData\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Users\Frank\AppData\Local\TempDIR\BetterInstaller.exe.vir a variant of Win32/Somoto.A application
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
Operating memory Win32/Toolbar.Babylon application

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:58 AM

Posted 03 August 2012 - 03:13 AM

go into Programs and Features and see if Babylon toolbar is listed, if it is, remove it.


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll 
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll 
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe 
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll 
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll 
C:\Program Files\Yontoo\YontooIEClient.dll 
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll 
C:\ProgramData\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll 
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll 
C:\Users\All Users\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.
NEXT

Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 jtsm

jtsm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 03 August 2012 - 02:18 PM

Thanks for your help! Babylon toolbar has been removed.

Here's the logs:

ComboFix 12-07-31.06 - Frank 08/03/2012 14:37:29.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.707 [GMT -4:00]
Running from: c:\users\Frank\Desktop\ComboFix.exe
Command switches used :: c:\users\Frank\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll"
"c:\program files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarEng.dll"
"c:\program files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe"
"c:\program files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll"
"c:\program files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll"
"c:\program files\Yontoo\YontooIEClient.dll"
"c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\programdata\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll"
"c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll"
"c:\users\All Users\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Yontoo\YontooIEClient.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll
c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\users\All Users\Tarma Installer\{ED7702F7-093C-4968-8B84-3CF5D1A3F23D}\_Setupx.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-03 to 2012-08-03 )))))))))))))))))))))))))))))))
.
.
2012-08-03 18:45 . 2012-08-03 18:45 -------- d-----w- c:\users\Frank\AppData\Local\temp
2012-08-03 18:45 . 2012-08-03 18:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-03 00:35 . 2012-08-03 00:35 -------- d-----w- c:\program files\ESET
2012-08-03 00:09 . 2012-08-03 00:09 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4B079B3-C6DC-4480-95D4-F866E1B2C430}\offreg.dll
2012-08-02 23:47 . 2012-08-02 23:47 -------- d-----w- c:\users\Frank\AppData\Roaming\Malwarebytes
2012-08-02 23:47 . 2012-08-02 23:47 -------- d-----w- c:\programdata\Malwarebytes
2012-08-02 23:47 . 2012-08-02 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-02 23:47 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-02 08:57 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A4B079B3-C6DC-4480-95D4-F866E1B2C430}\mpengine.dll
2012-07-31 08:17 . 2012-07-31 08:17 -------- d-----w- C:\FRST
2012-07-25 16:11 . 2012-07-25 16:11 43480 ----a-w- c:\windows\system32\drivers\dzpfoskl.sys
2012-07-25 03:06 . 2012-02-09 18:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3DCD20F3-F02D-47ED-8E43-60ED9E6C0CC6}\gapaengine.dll
2012-07-25 03:05 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-25 03:03 . 2012-07-25 03:03 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-24 03:03 . 2012-07-24 03:03 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-23 07:44 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-22 16:46 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-22 16:45 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-22 16:45 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-22 16:39 . 2012-07-22 16:40 -------- d-----w- C:\Download
2012-07-22 16:37 . 2012-07-22 16:40 -------- d-----w- C:\tmpDownload
2012-07-22 16:35 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-22 16:35 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-22 16:35 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-12 03:05 . 2012-07-12 03:05 -------- d-----w- c:\users\Frank\AppData\Roaming\Template
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-24 02:58 . 2012-03-31 18:44 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-24 02:58 . 2011-09-04 14:44 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-21 21:55 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 21:55 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 21:54 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 21:54 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 21:55 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 21:55 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 21:54 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 21:54 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 21:54 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-22 21:03 . 2011-09-29 02:43 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 17:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-10 4702208]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"NDSTray.exe"="NDSTray.exe" [BU]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-22 1862144]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1057712510-994901703-3176631456-1000]
"EnableNotificationsRef"=dword:00000002
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 08:21]
.
2012-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 08:21]
.
2012-07-24 c:\windows\Tasks\Norton Security Scan for Frank.job
- c:\progra~1\NORTON~2\Engine\371~1.4\Nss.exe [2012-03-05 06:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://washingtondc.craigslist.org/tix/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
FF - ProfilePath - c:\users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\0fcrdnwf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=16
FF - user.js: extentions.y2layers.installId - 8fb930ac-03a2-4292-8bfd-6e4c8de2e2fe
FF - user.js: extentions.y2layers.defaultEnableAppsList - DropDownDeals,BestVideoDownloader,EzLooker,TwitTube,TopRelatedTopics,Buzzdock,
FF - user.js: security.csp.enable - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-03 14:45
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-03 14:49:38
ComboFix-quarantined-files.txt 2012-08-03 18:49
ComboFix2.txt 2012-08-02 23:38
ComboFix3.txt 2012-08-02 15:23
.
Pre-Run: 126,664,806,400 bytes free
Post-Run: 126,635,982,848 bytes free
.
- - End Of File - - B21F6C21CD8D051CF0979A72C3B7ADB7









MiniToolBox by Farbar Version: 23-07-2012
Ran by Frank (administrator) on 03-08-2012 at 15:05:24
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 7.1.8)
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
Ad-Aware (Version: 9.0.6)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.265)
Adobe Flash Player 11 Plugin (Version: 11.3.300.265)
Adobe Reader 8.1.3 (Version: 8.1.3)
Adobe Shockwave Player 11.6 (Version: 11.6.5.635)
AIO_Scan (Version: 100.0.206.000)
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
Ask Toolbar (Version: 1.12.2.0)
ATI Catalyst Install Manager (Version: 3.0.641.0)
Bluetooth Stack for Windows by Toshiba (Version: v5.10.14(T))
Bonjour (Version: 3.0.0.10)
BufferChm (Version: 100.0.170.000)
C5200 (Version: 100.0.206.000)
C5200_Help (Version: 100.0.206.000)
Cards_Calendar_OrderGift_DoMorePlugout (Version: 1.00.0000)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Core Implementation (Version: 2007.0727.2307.39475)
Catalyst Control Center Graphics Full Existing (Version: 2007.0727.2307.39475)
Catalyst Control Center Graphics Full New (Version: 2007.0727.2307.39475)
Catalyst Control Center Graphics Light (Version: 2007.0727.2307.39475)
Catalyst Control Center Graphics Previews Vista (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Chinese Standard (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Chinese Traditional (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Czech (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Danish (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Dutch (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Finnish (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization French (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization German (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Greek (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Hungarian (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Italian (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Japanese (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Korean (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Norwegian (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Polish (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Portuguese (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Russian (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Spanish (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Swedish (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Thai (Version: 2007.0727.2307.39475)
Catalyst Control Center Localization Turkish (Version: 2007.0727.2307.39475)
ccc-core-static (Version: 2007.0727.2307.39475)
ccc-utility (Version: 2007.0727.2307.39475)
CCC Help Chinese Standard (Version: 2007.0727.2306.39475)
CCC Help Chinese Traditional (Version: 2007.0727.2306.39475)
CCC Help Czech (Version: 2007.0727.2306.39475)
CCC Help Danish (Version: 2007.0727.2306.39475)
CCC Help Dutch (Version: 2007.0727.2306.39475)
CCC Help English (Version: 2007.0727.2306.39475)
CCC Help Finnish (Version: 2007.0727.2306.39475)
CCC Help French (Version: 2007.0727.2306.39475)
CCC Help German (Version: 2007.0727.2306.39475)
CCC Help Greek (Version: 2007.0727.2306.39475)
CCC Help Hungarian (Version: 2007.0727.2306.39475)
CCC Help Italian (Version: 2007.0727.2306.39475)
CCC Help Japanese (Version: 2007.0727.2306.39475)
CCC Help Korean (Version: 2007.0727.2306.39475)
CCC Help Norwegian (Version: 2007.0727.2306.39475)
CCC Help Polish (Version: 2007.0727.2306.39475)
CCC Help Portuguese (Version: 2007.0727.2306.39475)
CCC Help Russian (Version: 2007.0727.2306.39475)
CCC Help Spanish (Version: 2007.0727.2306.39475)
CCC Help Swedish (Version: 2007.0727.2306.39475)
CCC Help Thai (Version: 2007.0727.2306.39475)
CCC Help Turkish (Version: 2007.0727.2306.39475)
CD/DVD Drive Acoustic Silencer (Version: 2.01.03)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Copy (Version: 100.0.170.000)
CustomerResearchQFolder (Version: 1.00.0000)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Destination Component (Version: 100.0.0.0)
DeviceDiscovery (Version: 100.0.190.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 10.0.0.0)
DocProcQFolder (Version: 1.00.0000)
DVD MovieFactory for TOSHIBA (Version: 5.3)
ESET Online Scanner v3
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 100.0.187.000)
Google Chrome (Version: 21.0.1180.60)
Google Desktop (Version: -)
Google Earth Plug-in (Version: 6.2.2.6613)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.3.2710.138)
Google Update Helper (Version: 1.3.21.115)
GPBaseService (Version: 100.0.187.000)
HP Customer Participation Program 10.0 (Version: 10.0)
HP Imaging Device Functions 10.0 (Version: 10.0)
HP Photosmart All-In-One Driver Software 10.0 Rel .2 (Version: 10.0)
HP Photosmart Essential 2.5 (Version: 1.02.0000)
HP Photosmart Essential 2.5 (Version: 2.5)
HP Smart Web Printing (Version: 3.5)
HP Solution Center 10.0 (Version: 10.0)
HP Update (Version: 5.003.001.001)
HPPhotoSmartDiscLabel_PaperLabel (Version: 2.02.0000)
HPPhotoSmartDiscLabel_PrintOnDisc (Version: 2.02.0000)
HPPhotoSmartDiscLabelContent1 (Version: 2.02.0000)
hpphotosmartdisclabelplugin (Version: 2.02.0000)
HPPhotoSmartPhotobookWebPack1 (Version: 1.00.0000)
HPProductAssistant (Version: 100.0.170.000)
HPSSupply (Version: 100.0.170.000)
iCloud (Version: 1.1.0.40)
iTunes (Version: 10.6.0.40)
Java™ 6 Update 2 (Version: 1.6.0.20)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
MarketResearch (Version: 100.0.170.000)
McAfee Security Scan Plus (Version: 2.0.181.2)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Security Client (Version: 4.0.1526.0)
Microsoft Security Essentials (Version: 4.0.1526.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Works (Version: 9.7.0621)
Microsoft XML Parser (Version: 8.20.8730.4)
Mozilla Firefox 13.0.1 (x86 en-US) (Version: 13.0.1)
Mozilla Maintenance Service (Version: 13.0.1)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
muvee Plugin 1.0 (Version: 1.01.100)
Napster (Version: 3.8.1.4)
Napster Burn Engine (Version: 3.5.0000)
NBA Live 2003
Norton Security Scan (Version: 3.7.1.4)
OCR Software by I.R.I.S. 10.0 (Version: 10.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Oregon Trail® 5
PanoStandAlone (Version: 100.0.170.000)
PANTECH PC USB Modem Software (Version: 3.2.4074.1103)
PANTECH UML290 (Version: 1.5.33.0429)
Picasa 2 (Version: 2.0)
PS_AIO_02_ProductContext (Version: 100.0.206.000)
PS_AIO_02_Software (Version: 100.0.206.000)
PS_AIO_02_Software_Min (Version: 100.0.206.000)
PSSWCORE (Version: 2.02.0000)
QuickBooks Financial Center (Version: 1.00.0000)
QuickTime (Version: 7.71.80.42)
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista (Version: 1.00.0000)
Realtek High Definition Audio Driver (Version: 6.0.1.5464)
REALTEK RTL8187B Wireless LAN Driver (Version: Package:1.00.0008 Driver:6.1089.601.2007)
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 (Version: 3.51.01)
Scan (Version: 10.1.0.0)
Shop for HP Supplies (Version: 10.0)
Skins (Version: 2007.0727.2307.39475)
SmartWebPrintingOC (Version: 100.0.189.000)
SolutionCenter (Version: 100.0.175.000)
Spelling Dictionaries Support For Adobe Reader 8 (Version: 8.0.0)
Status (Version: 100.0.175.000)
swMSM (Version: 12.0.0.1)
Synaptics Pointing Device Driver (Version: 10.0.11.1)
Toolbox (Version: 100.0.170.000)
TOSHIBA Assist (Version: 2.01.05)
TOSHIBA ConfigFree (Version: 7.00.32)
TOSHIBA Disc Creator (Version: 2.0.0.8)
TOSHIBA DVD PLAYER (Version: 1.10.08)
TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)
TOSHIBA Games (Version: TOSH0501)
TOSHIBA Hardware Setup (Version: 2.00.06)
Toshiba Registration (Version: 1.00.0000)
TOSHIBA SD Memory Utilities (Version: 1.8.1.1)
TOSHIBA Software Modem (Version: 2.1.77 (SM2177ALD04))
TOSHIBA Software Upgrades (Version: 4.2)
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password (Version: 2.00.02)
TOSHIBA Value Added Package (Version: 1.0.28)
TrayApp (Version: 100.0.170.000)
UM150 Firmware Updates (Version: 1.0.0)
Unity Web Player (Version: )
UnloadSupport (Version: 10.0.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Verizon Wireless UML290 Firmware Updates (Version: 1.0.4)
VideoToolkit01 (Version: 100.0.128.000)
VZAccess Manager (Version: 7.6.3.5)
WebReg (Version: 100.0.170.000)
Winbond CIR Device Drivers (Version: 7.60.1003)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.3374)
Yontoo 1.10.02 (Version: 1.10.02)
Youtube Music Downloader 3.0 (Version: 3.0)

**** End of log ****







Farbar Service Scanner Version: 26-07-2012
Ran by Frank (administrator) on 03-08-2012 at 15:10:55
Running from "C:\Users\Frank\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:58 AM

Posted 03 August 2012 - 04:40 PM

your BITS reg keys are missing so please download the attached reg fix, unzip it to your desktop and run it, allow it to merge to your registry (then you can delete it as you wont need it any more.

[attachment=127870:vistaBITS.zip]


NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.





NEXT

Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it, now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp



NEXT


Please advise how the computer is running now and if there are any outstanding issue

Edited by CatByte, 03 August 2012 - 04:41 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 jtsm

jtsm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 03 August 2012 - 11:07 PM

The computer seems to be running normally.

MSE is updated and working. MBAM is updated and working.

Is there anything else to do?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users