
Redirection Virus


This topic is locked
23 replies to this topic

#1 Dombro

  • Members
  • 18 posts

Posted 15 February 2013 - 07:49 AM

Hello IT Gods,

 

One of my computers has come down with a Google redirect virus and I would like to request assistance if possible. I have no idea how to get rid of it.

 

Any help would be much appreciated. If you could please advise of the first steps that would be very helpful.

 

Cheers,

Dombro





#2 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 15 February 2013 - 11:58 AM

Hi and welcome!!

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any antivirus programs during the scan (if you have difficulty properly disabling your protective programs, refer to this link here).
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt
----------

Please download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • Click the Scan button to start the scan.
  • If you are asked to update the Avast Virus database, please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
----------

AdwCleaner
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
----------



#3 Dombro
  • Topic Starter

  • Members
  • 18 posts

Posted 15 February 2013 - 04:35 PM

Thank you for your fast reply!

 

dds files:

dds:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by user at 8:11:33 on 2013-02-16
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.61.1033.18.3069.1756 [GMT 11:00]
.
AV: Norton Internet Security *Enabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\TAMSvr.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\UNICORN\Bin\USBp950-Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TRCMan\TRCMan.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\TrueSuite Access Manager\FpNotifier.exe
C:\Program Files\TrueSuite Access Manager\usbnotify.exe
C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\TrueSuite Access Manager\pwdbank.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\TrueSuite Access Manager\CssSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
D:\UNICORN\Bin\clstorage.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://au.yahoo.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\20.1.0.24\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\20.1.0.24\ips\IPSBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.1.0.24\CoIEPlg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.1.0.24\CoIEPlg.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ITSecMng] c:\program files\toshiba\bluetooth toshiba stack\ItSecMng.exe /START
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TRCMan] c:\program files\toshiba\trcman\TRCMan.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [HSON] c:\program files\toshiba\tbs\HSON.exe
mRun: [SmoothView] c:\program files\toshiba\smoothview\SmoothView.exe
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [FingerPrintNotifer] "c:\program files\truesuite access manager\FpNotifier.exe"
mRun: [UsbMonitor] "c:\program files\truesuite access manager\usbnotify.exe"
mRun: [HDMICtrlMan] c:\program files\toshiba\hdmictrlman\HDMICtrlMan.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [PwdBank] "c:\program files\truesuite access manager\PwdBank.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UDS] d:\unicorn\bin\Uds.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableCAD = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{01EBC71F-CB2D-4D63-830A-0A90D88B4962} : DHCPNameServer = 123.200.191.17 123.200.191.18
TCP: Interfaces\{E8E33098-125A-4F0A-B15F-96E09409E1D3} : DHCPNameServer = 123.200.191.17 123.200.191.18
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\drivers\AlfaFF.sys [2008-7-6 43440]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1401000.018\SymDS.sys [2012-11-4 368288]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1401000.018\SymEFA.sys [2012-11-4 926880]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.1.0.24\definitions\bashdefs\20120815.002\BHDrvx86.sys [2012-11-4 995488]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1401000.018\ccSetx86.sys [2012-11-4 134304]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.1.0.24\definitions\ipsdefs\20120811.001\IDSVix86.sys [2012-11-4 386208]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1401000.018\Ironx86.sys [2012-11-4 175264]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1401000.018\symtdiv.sys [2012-11-4 350368]
R2 Authentec memory manager;Authentec memory manager service;c:\windows\system32\TAMSvr.exe [2008-7-6 49152]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-26 40960]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\20.1.0.24\ccSvcHst.exe [2012-11-4 143928]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-4 126976]
R2 USB p950 Service;USB p950 Service;d:\unicorn\bin\USBp950-Service.exe [2011-5-12 19968]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-11-4 106656]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-2-12 7168]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-29 43008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-12-4 1153368]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-16 25832]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2011-2-28 112640]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-4 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-4 367456]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\WordPad.exe="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-02-15 12:02:08    --------    d-----w-    c:\users\user\appdata\local\temp
2013-02-15 12:01:21    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-02-15 11:44:52    98816    ----a-w-    c:\windows\sed.exe
2013-02-15 11:44:52    256000    ----a-w-    c:\windows\PEV.exe
2013-02-15 11:44:52    208896    ----a-w-    c:\windows\MBR.exe
2013-01-19 21:40:35    147456    --sha-r-    c:\windows\system32\XAudio2_03.dll
2013-01-19 21:40:35    147456    --sha-r-    c:\windows\system32\acppagek.dll
.
==================== Find3M  ====================
.
2012-12-14 05:53:24    189248    ----a-w-    c:\windows\system32\PnkBstrB.exe
2012-12-14 05:53:20    75136    ----a-w-    c:\windows\system32\PnkBstrA.exe
.
============= FINISH:  8:11:47.30 ===============
 

Attach:

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium 
Boot Device: \Device\HarddiskVolume2
Install Date: 5/07/2008 8:52:34 AM
System Uptime: 16/02/2013 7:58:09 AM (1 hours ago)
.
Motherboard: Intel Corp. |  | Base Board Product Name
Processor: Intel® Core™2 Duo CPU     T9300  @ 2.50GHz | CPU | 2501/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 290 GiB total, 48.347 GiB free.
D: is FIXED (NTFS) - 298 GiB total, 196.665 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0017
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #4
PNP Device ID: ROOT\*6TO4MP\0017
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0031
Manufacturer: Microsoft
Name: isatap.{5C7C12DC-F0D7-4A92-86D1-906F008370C1}
PNP Device ID: ROOT\*ISATAP\0031
Service: tunnel
.
==== System Restore Points ===================
.
RP639: 19/01/2013 12:14:34 PM - Scheduled Checkpoint
RP640: 15/02/2013 11:41:11 PM - Restore Operation
.
==== Installed Programs ======================
.
Activation Assistant for the 2007 Microsoft Office suites
ActiveState ActiveTcl 8.4.19.5
Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.4)
Age of Mythology
Aperio ImageScope
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Assassin's Creed
Assassin's Creed ® III
Assassin's Creed Brotherhood
Assassin's Creed II
Assassin's Creed Revelations
ATI Catalyst Install Manager
AutoUpdate
Battle.net
Bluetooth Stack for Windows by Toshiba
Bonjour
Business Contact Manager for Outlook 2007 SP1
Call of Duty® 4 - Modern Warfare™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
Camera Assistant Software for Toshiba
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Dutch
CCC Help English
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Swedish
CCleaner
CCP4 6.3.0.1
CD/DVD Drive Acoustic Silencer
CorsixTH Beta 8
Dark Messiah 
DBForms from MS Access to ASP.Net+MS SQL
Definition update for Microsoft Office 2010 (KB982726)
Diablo
Diablo II
DivX Codec
DivX Version Checker
DivX Web Player
Dragon Age: Origins
Dungeon Siege Legends of Aranna
DVD MovieFactory for TOSHIBA
Easy DVD Player 2.0
EndNote X4
F.E.A.R. 3
Far Cry 2
FEAR
FEAR Extraction Point
FEAR Perseus Mandate
File Type Assistant
FLV Player 2.0 (build 25)
FM Tuner Utility
Free File Viewer 2011
Free MP3 WMA Cutter 3.7.0.1
Google Chrome
Google Earth
Google Update Helper
HDMI Control Manager
Heroes of Might and Magic II
Heroes of Might and Magic IV: Winds of War
Heroes of Might and Magic V
Heroes of Might and Magic® III Complete
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
iMosflm
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java™ 6 Update 29
Java™ 6 Update 3
K-Lite Codec Pack 6.5.0 (Basic)
Kingdoms of Amalur: Reckoning
Legendary
LimeWire 4.18.8
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 3
Microsoft ASP.NET Web Pages
Microsoft Choice Guard
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2010
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008 R2 Native Client
Microsoft SQL Server 2008 R2 RsFx Driver
Microsoft SQL Server 2008 R2 Setup (English)
Microsoft SQL Server 2008 Setup Support Files 
Microsoft SQL Server Browser
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual C++ Run Time  Lib Setup
Microsoft Web Platform Installer 3.0
Microsoft XML Parser
Might and Magic® IX
Might and Magic® VI
Might and Magic® VII
Might and Magic® VIII: Day of the Destroyer™
MP4 MP3 Converter v4.1 build 1289
MSVCRT
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
Neverwinter Nights 2
Neverwinter Nights Gold Edition
Norton Internet Security
NVIDIA PhysX
OLYMPUS Master 2
OPC Core Components Redistributable (x86) 105.1
Origin
Pac-Man Adventures in Time
Plants vs. Zombies
PopCap Browser Plugin
Prism Video File Converter
PUGGSY 1.0
PunkBuster Services
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
RealUpgrade 1.1
ResearchSoft Direct Export Helper
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for Windows Media Encoder (KB954156)
Skins
Skype Click to Call
Skype™ 5.5
SpellForce
Spybot - Search & Destroy
SQL Server 2008 R2 Common Files
SQL Server 2008 R2 Database Engine Services
SQL Server 2008 R2 Database Engine Shared
Sql Server Customer Experience Improvement Program
Steam
Sweet Home 3D version 3.7
Switch Sound File Converter
Synaptics Pointing Device Driver
The Elder Scrolls V: Skyrim
Theme Hospital
Theme Park World
Theme Park World Fix
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
TOSHIBA Remote Control Manager
TOSHIBA SD Memory Utilities
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TrueSuite Access Manager
Ubisoft Game Launcher
UNICORN 5.31
Unreal Tournament 3
Uplay
Vampire - The Masquerade Bloodlines
VC80CRTRedist - 8.0.50727.762
Virgin Mobile
Winbond CIR Device Drivers
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Player 5.2
WinRAR archiver
Wireless Broadband
Worms Armageddon
Xfire (remove only)
.
==== Event Viewer Messages From Past Week ========
.
12/02/2013 8:40:35 PM, Error: Service Control Manager [7001]  - The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/02/2013 2:42:22 PM, Error: cdrom [11]  - The driver detected a controller error on \Device\CdRom0.
12/02/2013 10:21:56 PM, Error: Service Control Manager [7043]  - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
.
==== End Of File ===========================
 
aswMBR log:
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-16 08:21:21
-----------------------------
08:21:21.974    OS Version: Windows 6.0.6001 Service Pack 1
08:21:21.974    Number of processors: 2 586 0x1706
08:21:21.975    ComputerName: ARCHANGEL  UserName: user
08:21:34.555    Initialize success
08:21:45.096    AVAST engine download error: 0
08:22:06.311    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
08:22:06.314    Disk 0 Vendor: TOSHIBA_ LV01 Size: 305245MB BusType: 3
08:22:06.316    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
08:22:06.318    Disk 1 Vendor: TOSHIBA_ LV01 Size: 305245MB BusType: 3
08:22:06.360    Disk 0 MBR read successfully
08:22:06.364    Disk 0 MBR scan
08:22:06.366    Disk 0 Windows VISTA default MBR code
08:22:06.395    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
08:22:06.443    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       297450 MB offset 3074048
08:22:06.520    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS         6286 MB offset 612251648
08:22:06.525    Disk 0 scanning sectors +625125376
08:22:06.640    Disk 0 scanning C:\Windows\system32\drivers
08:22:16.937    Service scanning
08:22:56.798    Modules scanning
08:23:16.647    Disk 0 trace - called modules:
08:23:16.669    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
08:23:16.673    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87224ac8]
08:23:16.676    3 CLASSPNP.SYS[8b10b745] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85d43028]
08:23:16.680    Scan finished successfully
08:23:48.123    Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\MBR.dat"
08:23:48.127    The log file has been saved successfully to "C:\Users\user\Desktop\aswMBR.txt"
 
adwcleaner:
 
I had been directed to this program previously. This was my first run:
 
# AdwCleaner v2.112 - Logfile created 02/15/2013 at 22:23:28
# Updated 10/02/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 1 (32 bits)
# User : user - ARCHANGEL
# Boot Mode : Normal
# Running from : C:\Users\user\Desktop\adwcleaner0.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\AutocompleteProBHO
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{30F9B915-B755-4826-820B-08FBA6BD249D}]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [support@predictad.com]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Google Chrome v24.0.1312.57
 
*************************
 
AdwCleaner[S1].txt - [1957 octets] - [15/02/2013 22:23:28]
 
########## EOF - C:\AdwCleaner[S1].txt - [2017 octets] ##########
 
and my second after your programs was this:
 
# AdwCleaner v2.112 - Logfile created 02/16/2013 at 08:24:20
# Updated 10/02/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 1 (32 bits)
# User : user - ARCHANGEL
# Boot Mode : Normal
# Running from : C:\Users\user\Desktop\adwcleaner0.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
 
***** [Registry] *****
 
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] Registry is clean.
 
-\\ Google Chrome v24.0.1312.57
 
*************************
 
AdwCleaner[S1].txt - [2086 octets] - [15/02/2013 22:23:28]
AdwCleaner[S2].txt - [619 octets] - [16/02/2013 08:24:20]
 
########## EOF - C:\AdwCleaner[S2].txt - [678 octets] ##########
 
 

Thank you again for all of your assistance



#4 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:52 PM

Posted 15 February 2013 - 07:22 PM

ComboFix

Download Combofix from the link below, and save it to your desktop.
Link

**Note: It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
  • ----------

WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#5 Dombro

Dombro
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:01:52 PM

Posted 16 February 2013 - 12:51 AM

Hi Jeffce,

 

I have downloaded Combofix and have followed the instructions listed as to how to deactivate my antivirus programs. I am currently getting a warning message saying that they are still active and I would be using combofix at my own risk. I have Norton Internet Security 2012, and the antivirus and antispyware aspects are being flagged.

 

Do you have any additional suggestions?

 

Thanks for your help,

Dombro



#6 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:52 PM

Posted 16 February 2013 - 10:38 AM

Hi,

 

Go ahead and boot to Safe Mode to run ComboFix.  If you get the warning about your A/V, continue past it.  :)




#7 Dombro

Dombro
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:01:52 PM

Posted 16 February 2013 - 05:29 PM

Cheers!

 

Combofix:

 

ComboFix 13-02-13.02 - user 17/02/2013   9:02.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.61.1033.18.3069.2597 [GMT 11:00]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\agent.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-16 to 2013-02-16  )))))))))))))))))))))))))))))))
.
.
2013-02-16 22:10 . 2013-02-16 22:10    --------    d-----w-    c:\users\user\AppData\Local\temp
2013-02-16 22:10 . 2013-02-16 22:10    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-02-16 21:55 . 2013-02-16 21:55    63115    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2013-02-16 21:55 . 2013-02-16 21:55    9310    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2013-02-16 21:55 . 2013-02-16 21:55    8646    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2013-02-16 21:55 . 2013-02-16 21:55    6429    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2013-02-16 21:55 . 2013-02-16 21:55    5927    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2013-02-16 21:55 . 2013-02-16 21:55    4599    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2013-02-16 21:55 . 2013-02-16 21:55    8613    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2013-02-16 21:55 . 2013-02-16 21:55    6910    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2013-02-16 21:55 . 2013-02-16 21:55    1651    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2013-02-16 21:55 . 2013-02-16 21:55    18541    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2013-02-16 21:54 . 2013-02-16 21:54    8288    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2013-02-16 21:54 . 2013-02-16 21:54    6208    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2013-02-16 21:54 . 2013-02-16 21:54    51852    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2013-02-16 21:54 . 2013-02-16 21:54    8782    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2013-02-16 21:54 . 2013-02-16 21:54    7271    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2013-02-16 21:54 . 2013-02-16 21:54    23327    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2013-02-16 21:54 . 2013-02-16 21:54    20719    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2013-01-19 21:40 . 2013-01-19 21:40    147456    --sha-r-    c:\windows\system32\XAudio2_03.dll
2013-01-19 21:40 . 2013-01-19 21:40    147456    --sha-r-    c:\windows\system32\acppagek.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-14 05:53 . 2008-12-12 04:30    189248    ----a-w-    c:\windows\system32\PnkBstrB.exe
2012-12-14 05:53 . 2008-12-12 04:29    75136    ----a-w-    c:\windows\system32\PnkBstrA.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2007-04-20 18:40    118784    ----a-w-    c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"TRCMan"="c:\program files\TOSHIBA\TRCMan\TRCMan.exe" [2008-01-11 692224]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2008-01-24 671744]
"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]
"HDMICtrlMan"="c:\program files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe" [2008-01-25 716800]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-26 413696]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2009-12-20 3150848]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-07 274608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-26 421736]
"UDS"="d:\unicorn\Bin\Uds.exe" [2011-04-14 73783]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-1-26 2938184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-15 13:00    1607120    ----a-w-    c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-16 c:\windows\Tasks\Free File Viewer Update Checker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2011-03-02 05:50]
.
2013-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-15 13:00]
.
2013-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-15 13:00]
.
2013-02-16 c:\windows\Tasks\Havburp.job
- c:\windows\system32\XAudio2_03.dll [2013-01-19 21:40]
.
2013-02-16 c:\windows\Tasks\Hmuqfdzfkv.job
- c:\windows\system32\acppagek.dll [2013-01-19 21:40]
.
2013-02-14 c:\windows\Tasks\ReclaimerUpdateFiles_user.job
- c:\users\user\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-02 10:37]
.
2013-02-13 c:\windows\Tasks\ReclaimerUpdateXML_user.job
- c:\users\user\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-02 10:37]
.
2013-02-16 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_user.job
- c:\users\user\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-02 10:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://au.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-17 09:10
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????????????????????????  ??H  
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.1.0.24\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1370787248-1243960863-1347850101-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:5a,ab,7f,f3,9d,28,96,e6,22,20,72,7f,9e,ca,31,9b,8a,8a,4c,ac,25,69,45,
   d4,88,36,d9,02,5d,95,8e,6a,a9,5c,cb,bc,86,ff,a3,ae,7e,df,8f,90,c5,73,47,6f,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
[HKEY_USERS\S-1-5-21-1370787248-1243960863-1347850101-1003\Software\SecuROM\License information*]
"datasecu"=hex:df,48,90,df,80,4c,04,f8,a0,c3,01,7e,d7,75,4b,1c,d1,24,ca,cc,35,
   98,db,1e,ce,04,54,2d,e0,2d,8a,a0,56,4d,4d,47,0c,78,8d,0b,c9,72,47,7f,38,63,\
"rkeysecu"=hex:fd,b0,94,db,5e,3a,28,c9,d7,47,d8,73,e9,23,52,22
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(844)
c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
Completion time: 2013-02-17  09:11:40
ComboFix-quarantined-files.txt  2013-02-16 22:11
ComboFix2.txt  2013-02-15 12:02
.
Pre-Run: 54,906,253,312 bytes free
Post-Run: 54,775,631,872 bytes free
.
- - End Of File - - 6E51D5FA21C7212EF9B38B7B53985625


#8 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:52 PM

Posted 16 February 2013 - 05:38 PM

Hi,

ComboFix
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:

    ClearJavaCache::

    File::
    c:\windows\Tasks\Havburp.job
    c:\windows\Tasks\Hmuqfdzfkv.job
    c:\windows\system32\XAudio2_03.dll
    c:\windows\system32\acppagek.dll

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 0 (0x0)

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Post the contents of the log in your next reply.
  • CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------

    Post the new ComboFix log and let me know how your system is running now. :)


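As an added example for this thread (it is not ComboFix's own code and does not come from any of the posts above), the Python below shows the defender-side reasoning behind the File:: block in the CFScript. It parses the "Files Created" and "Scheduled Tasks" sections of a ComboFix log, flags .job entries whose target is a DLL or a recently created hidden+system file in system32 (the --sha-r- attribute column), and drafts the File:: lines from the flagged items. The log excerpt is constructed from the log quoted earlier in the thread; the function names and the two heuristics are my own choices, not ComboFix's.

```python
"""Flag suspicious scheduled tasks in a ComboFix log and draft the File:: block of a CFScript.

Added example for this thread; not part of ComboFix, AdwCleaner or the forum posts.
The sample log below is constructed from the log quoted earlier in the thread.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the ComboFix log quoted earlier in this thread
# (only the lines the example needs; real logs contain many more sections).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2013-01-16 to 2013-02-16  )))))))))))))))))))))))))))))))
.
2013-02-16 21:54 . 2013-02-16 21:54    20719    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2013-01-19 21:40 . 2013-01-19 21:40    147456    --sha-r-    c:\windows\system32\XAudio2_03.dll
2013-01-19 21:40 . 2013-01-19 21:40    147456    --sha-r-    c:\windows\system32\acppagek.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-15 13:00]
.
2013-02-16 c:\windows\Tasks\Havburp.job
- c:\windows\system32\XAudio2_03.dll [2013-01-19 21:40]
.
2013-02-16 c:\windows\Tasks\Hmuqfdzfkv.job
- c:\windows\system32\acppagek.dll [2013-01-19 21:40]
.
2013-02-14 c:\windows\Tasks\ReclaimerUpdateFiles_user.job
- c:\users\user\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-02 10:37]
.
------- Supplementary Scan -------
"""

# "date time . date time    size    attrs    path" lines of the Files Created section
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\S+)\s+(\S+)\s+(.+?)\s*$"
)
# "date  c:\windows\Tasks\Name.job" header line of one scheduled task
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\.job)\s*$", re.IGNORECASE)
# "- target [date time]" line that ComboFix prints under each task header
TARGET_RE = re.compile(r"^- (.+?)\s+\[[^\]]*\]\s*$")


def parse_created_files(log: str) -> Dict[str, str]:
    """Map lower-cased path -> attribute string for every Files Created entry."""
    created: Dict[str, str] = {}
    for line in log.splitlines():
        m = CREATED_RE.match(line)
        if m:
            _size, attrs, path = m.groups()
            created[path.lower()] = attrs
    return created


def parse_scheduled_tasks(log: str) -> List[Dict[str, str]]:
    """Pair each .job header with the target path ComboFix lists beneath it."""
    tasks: List[Dict[str, str]] = []
    pending = None
    for line in log.splitlines():
        m = JOB_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            tasks.append({"job": pending, "target": m.group(1)})
            pending = None
    return tasks


def flag_tasks(log: str) -> List[Dict[str, object]]:
    """Return the tasks that trip either heuristic, with the reasons attached."""
    created = parse_created_files(log)
    findings: List[Dict[str, object]] = []
    for task in parse_scheduled_tasks(log):
        target = task["target"]
        reasons = []
        # A .job whose command points at a DLL rather than an .exe is unusual for
        # legitimate software; the updaters in the same log all launch executables.
        if target.lower().endswith(".dll"):
            reasons.append("task target is a DLL")
        # A recently created file carrying both hidden and system attributes
        # (--sha-r- in ComboFix notation) in system32 deserves a closer look.
        attrs = created.get(target.lower(), "")
        if "s" in attrs and "h" in attrs and "system32" in target.lower():
            reasons.append("target is a recently created hidden+system file in system32")
        if reasons:
            findings.append({"job": task["job"], "target": target, "reasons": reasons})
    return findings


def draft_cfscript(log: str) -> str:
    """Draft the File:: block of a CFScript from the flagged tasks (review it before use)."""
    findings = flag_tasks(log)
    paths = [str(f["job"]) for f in findings] + [str(f["target"]) for f in findings]
    lines = ["File::"]
    for p in paths:
        if p not in lines:
            lines.append(p)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in flag_tasks(SAMPLE_LOG):
        print(f"{f['job']} -> {f['target']}: {'; '.join(f['reasons'])}")
    print(draft_cfscript(SAMPLE_LOG))
```

Run against the sample, the two Google and RealPlayer tasks pass untouched and only Havburp.job and Hmuqfdzfkv.job are listed, each with both reasons; the drafted File:: block contains the same four paths that appear in the CFScript above. The Registry:: part (resetting DisableCAD) is deliberately left to a human, since that setting can also be a legitimate policy choice.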

#9 Dombro

Dombro
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:01:52 PM

Posted 16 February 2013 - 07:44 PM

ComboFix 13-02-13.02 - user 17/02/2013   9:59.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.61.1033.18.3069.2601 [GMT 11:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\windows\system32\acppagek.dll"
"c:\windows\system32\XAudio2_03.dll"
"c:\windows\Tasks\Havburp.job"
"c:\windows\Tasks\Hmuqfdzfkv.job"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\acppagek.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\XAudio2_03.dll
c:\windows\Tasks\Havburp.job
c:\windows\Tasks\Hmuqfdzfkv.job
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-16 to 2013-02-16  )))))))))))))))))))))))))))))))
.
.
2013-02-16 23:06 . 2013-02-16 23:06    --------    d-----w-    c:\users\user\AppData\Local\temp
2013-02-16 23:06 . 2013-02-16 23:06    --------    d-----w-    c:\users\Default\AppData\Local\temp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-14 05:53 . 2008-12-12 04:30    189248    ----a-w-    c:\windows\system32\PnkBstrB.exe
2012-12-14 05:53 . 2008-12-12 04:29    75136    ----a-w-    c:\windows\system32\PnkBstrA.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2007-04-20 18:40    118784    ----a-w-    c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"TRCMan"="c:\program files\TOSHIBA\TRCMan\TRCMan.exe" [2008-01-11 692224]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2008-01-24 671744]
"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]
"HDMICtrlMan"="c:\program files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe" [2008-01-25 716800]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-26 413696]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2009-12-20 3150848]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-07 274608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-26 421736]
"UDS"="d:\unicorn\Bin\Uds.exe" [2011-04-14 73783]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-1-26 2938184]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-15 13:00    1607120    ----a-w-    c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-16 c:\windows\Tasks\Free File Viewer Update Checker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2011-03-02 05:50]
.
2013-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-15 13:00]
.
2013-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-15 13:00]
.
2013-02-14 c:\windows\Tasks\ReclaimerUpdateFiles_user.job
- c:\users\user\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-02 10:37]
.
2013-02-13 c:\windows\Tasks\ReclaimerUpdateXML_user.job
- c:\users\user\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-02 10:37]
.
2013-02-16 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_user.job
- c:\users\user\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2013-02-02 10:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://au.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-17 10:06
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????????????????????????  ??H  
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.1.0.24\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.1.0.24\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1370787248-1243960863-1347850101-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:5a,ab,7f,f3,9d,28,96,e6,22,20,72,7f,9e,ca,31,9b,8a,8a,4c,ac,25,69,45,
   d4,88,36,d9,02,5d,95,8e,6a,a9,5c,cb,bc,86,ff,a3,ae,7e,df,8f,90,c5,73,47,6f,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
[HKEY_USERS\S-1-5-21-1370787248-1243960863-1347850101-1003\Software\SecuROM\License information*]
"datasecu"=hex:df,48,90,df,80,4c,04,f8,a0,c3,01,7e,d7,75,4b,1c,d1,24,ca,cc,35,
   98,db,1e,ce,04,54,2d,e0,2d,8a,a0,56,4d,4d,47,0c,78,8d,0b,c9,72,47,7f,38,63,\
"rkeysecu"=hex:fd,b0,94,db,5e,3a,28,c9,d7,47,d8,73,e9,23,52,22
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1556)
c:\program files\TrueSuite Access Manager\IconOvrly.dll
.
Completion time: 2013-02-17  10:08:13
ComboFix-quarantined-files.txt  2013-02-16 23:08
ComboFix2.txt  2013-02-16 22:11
ComboFix3.txt  2013-02-15 12:02
 
.
Pre-Run: 54,981,980,160 bytes free
Post-Run: 54,947,725,312 bytes free
.
- - End Of File - - E98867EB742B5138F2825D945C0569D2
 
------
I can't connect to the internet with my laptop anymore... My wireless capabilities are gone :( help?

Edited by Dombro, 16 February 2013 - 07:45 PM.


#10 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:52 PM

Posted 16 February 2013 - 07:56 PM

If you need to download the tools from another computer and transfer them please do so...
 
 
Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

----------


Edited by jeffce, 16 February 2013 - 07:57 PM.



#11 Dombro

Dombro
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:01:52 PM

Posted 16 February 2013 - 08:03 PM

Thank you for your continued patience with me; I'm clearly not a technological ninja :)

 

 

log:

 

 

Farbar Service Scanner Version: 15-02-2013
Ran by user (administrator) on 17-02-2013 at 11:59:40
Running from "F:\"
Windows Vista ™ Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Destination is offline
There is no connection to network.
Attempt to access Google IP returned error. 
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error. 
Attempt to access Yahoo.com returned error: Other errors
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2008-12-07 05:25] - [2008-04-26 19:26] - 0891448 ____A (Microsoft Corporation) 82E266BEE5F0167E41C6ECFDD2A79C02
 
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll
[2008-01-21 13:24] - [2008-01-21 13:24] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B
 
C:\Windows\system32\bfe.dll
[2008-01-21 13:23] - [2008-01-21 13:23] - 0328704 ____A (Microsoft Corporation) 8582E233C346AEFE759833E8A30DD697
 
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe
[2008-01-21 13:23] - [2008-01-21 13:23] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23
 
C:\Windows\system32\wscsvc.dll
[2008-01-21 13:23] - [2008-01-21 13:23] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C
 
C:\Windows\system32\wbem\WMIsvc.dll
[2008-01-21 13:24] - [2008-01-21 13:24] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5
 
C:\Windows\system32\wuaueng.dll
[2008-12-04 14:18] - [2008-10-17 08:13] - 1809944 ____A (Microsoft Corporation) 84A03BFE004B06E93408618976DC9C14
 
C:\Windows\system32\qmgr.dll
[2008-01-21 13:25] - [2008-01-21 13:25] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D
 
C:\Windows\system32\es.dll
[2008-01-21 13:24] - [2008-01-21 13:24] - 0262144 ____A (Microsoft Corporation) F4BF4FA769DB51B106D2B4B35256988B
 
C:\Windows\system32\cryptsvc.dll
[2008-01-21 13:24] - [2008-01-21 13:24] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678
 
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
 
 
**** End of log ****


#12 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:52 PM

Posted 16 February 2013 - 08:10 PM

That looks fine.

 

Go to Start > Control Panel > System > Device Manager and, once there, check to see if there are any warning triangles or error messages. If there are, let me know what they say.




#13 Dombro

Dombro
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:01:52 PM

Posted 16 February 2013 - 08:23 PM

There are two network adapters with little ! triangles.

 

1)

isatap.{*letters/numbers*}

 

2)

Microsoft 6 to 4 Adapter #4

 

When I go into device settings, they both say that the device is not working because Windows cannot load the drivers for this device (Code 31).

 

 

On a side note, I'm in the process of running a spybot S&D check and the registry change warning has not reappeared. Thank you so much for your help :)



#14 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:52 PM

Posted 16 February 2013 - 08:29 PM

Do you happen to have the disks that came with your system when you got the system?




#15 Dombro

Dombro
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:01:52 PM

Posted 16 February 2013 - 08:31 PM

Sadly, no :( What should I do now?





