also @ TechSpot: Nvidia GeForce GTX 780 Review

[A] Tdx.sys got virus and put into chest. No internet

Discussion in 'Virus and Malware Removal' started by BeezNeezy, Jan 10, 2012.

Page 1 of 3

  1. BeezNeezy Newcomer, in training Posts: 23

    The title pretty much says it all. I have no idea what to do and could use some help.
    BeezNeezy, Jan 10, 2012
    #1

  2. Broni Malware Annihilator Posts: 39,398   +177

    Welcome aboard [IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
    Broni, Jan 10, 2012
    #2

  3. BeezNeezy Newcomer, in training Posts: 23

    Farbar Service Scanner
    Ran by Matt (administrator) on 11-01-2012 at 06:53:03
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    tdx Service is not running. Checking service configuration:
    The start type of tdx service is OK.
    The ImagePath of tdx service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

    bfe Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.
    Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


    Windows Update:
    ===========

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll
    [2010-04-02 18:29] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll
    [2010-04-02 18:30] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

    C:\Windows\system32\es.dll
    [2010-04-02 18:30] - [2009-04-11 01:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

    C:\Windows\system32\cryptsvc.dll
    [2010-04-02 18:30] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
    BeezNeezy, Jan 11, 2012
    #3

  4. Broni Malware Annihilator Posts: 39,398   +177

    Please run Farbar Service Scanner.
    Type the following in the edit box after "Search:".

    tdx.sys

    Click Search Files button and post the log (FSS.txt) it makes to your reply.
    Broni, Jan 11, 2012
    #4

  5. BeezNeezy Newcomer, in training Posts: 23

    Farbar Service Scanner
    Ran by Matt (administrator) on 11-01-2012 at 13:45:50
    Windows Vista (TM) Home Premium Service Pack 2 (X86)

    ************************************************
    ================== Search: "tdx.sys" ===================

    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys
    [2008-01-20 21:24] - [2008-01-20 21:24] - 0071680 ____A (Microsoft Corporation) D09276B1FAB033CE1D40DCBDF303D10F

    ====== End Of Search ======
    BeezNeezy, Jan 11, 2012
    #5

  6. Broni Malware Annihilator Posts: 39,398   +177

    Download following batch file: http://www.filedropper.com/fix_7
    Double click on it to run the fix.
    Command prompt window will open briefly.

    Restart computer, check on internet connection, post new FSS log.
    Broni, Jan 11, 2012
    #6
     

  7. BeezNeezy Newcomer, in training Posts: 23

    Still no internet. It just says identifying local access only.

    Farbar Service Scanner
    Ran by Matt (administrator) on 11-01-2012 at 14:35:01
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    tdx Service is not running. Checking service configuration:
    The start type of tdx service is OK.
    The ImagePath of tdx service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

    bfe Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.
    Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


    Windows Update:
    ===========
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.
    Checking LEGACY_BITS: Attention! Unable to open LEGACY_BITS\0000 registry key. The key does not exist.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    Attention! C:\Windows\system32\Drivers\tdx.sys is missing.
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll
    [2010-04-02 18:29] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll
    [2010-04-02 18:30] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

    C:\Windows\system32\es.dll
    [2010-04-02 18:30] - [2009-04-11 01:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

    C:\Windows\system32\cryptsvc.dll
    [2010-04-02 18:30] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
    BeezNeezy, Jan 11, 2012
    #7

  8. Broni Malware Annihilator Posts: 39,398   +177

    Something keep removing that file.

    Your computer must be still infected.

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.
    Broni, Jan 11, 2012
    #8

  9. BeezNeezy Newcomer, in training Posts: 23

    Here are the logs.

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2011.12.24.05

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19170
    Matt :: MATT-PC [administrator]

    Protection: Enabled

    1/11/2012 3:21:22 PM
    mbam-log-2012-01-11 (15-30-43).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 183027
    Time elapsed: 7 minute(s), 19 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 21
    HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> No action taken.
    HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) -> No action taken.
    HKCR\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> No action taken.
    HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBAF53D4-11FE-482D-B516-B3103BC71F87} (Trojan.BHO) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

    Registry Values Detected: 3
    HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users\Matt\AppData\Local\qrb.exe" -a "%1" %* -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Agent) -> Data: C:\Users\Matt\AppData\Local\Temp\csrss.exe -> No action taken.
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell.Gen) -> Data: explorer.exe,C:\Users\Matt\AppData\Roaming\dwm.exe -> No action taken.

    Registry Data Items Detected: 4
    HKCR\.exe| (PUM.HijackExefiles) -> Bad: (t1) Good: (exefile) -> No action taken.
    HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Matt\AppData\Local\qrb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
    HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Matt\AppData\Local\qrb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
    HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Matt\AppData\Local\qrb.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.

    Folders Detected: 10
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\FunWebProducts\Installr\1.bin (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\FunWebProducts\Installr\setups (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> No action taken.

    Files Detected: 1
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> No action taken.

    (end)
    BeezNeezy, Jan 11, 2012
    #9

  10. BeezNeezy Newcomer, in training Posts: 23

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-11 16:24:19
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-60ZCT1 rev.13.01A13
    Running: pwicbcgb.exe; Driver: C:\Users\Matt\AppData\Local\Temp\kxldypow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x91EDF7A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x91EDF5CC]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19170 BrowserJavaVersion: 1.6.0_22
    Run by Matt at 16:26:16 on 2012-01-11
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1943 [GMT -5:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
    C:\Program Files\SMINST\BLService.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:55293
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.3.6\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.3.6\IPSBHO.DLL
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.3.6\coIEPlg.dll
    TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    uRun: [Google Update] "c:\users\matt\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [conhost] c:\users\matt\appdata\roaming\microsoft\conhost.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [<NO NAME>]
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: real.com\rhap-app-4-0
    Trusted Zone: real.com\rhapreg
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
    TCP: Interfaces\{3040888C-3CDA-4C02-8E8F-B0886B591632} : DhcpNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
    TCP: Interfaces\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : DhcpNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.3.6\CoIEPlg.dll
    Notify: igfxcui - igfxdev.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\1ntqig7q.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 55293
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
    FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
    FF - component: c:\users\matt\appdata\roaming\mozilla\firefox\profiles\1ntqig7q.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\users\matt\appdata\roaming\mozilla\firefox\profiles\1ntqig7q.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\matt\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\users\matt\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\matt\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008030.006\SymEFA.sys [2011-10-10 310320]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-12 314456]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008030.006\BHDrvx86.sys [2011-10-10 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008030.006\cchpx86.sys [2011-10-10 467592]
    R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100520.001\IDSvix86.sys [2009-10-28 343088]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-12 20568]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-1-12 55128]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-12 44768]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-1-25 92216]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-11 652872]
    R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.3.6\ccSvcHst.exe [2011-10-10 117648]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-23 365952]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-11 20464]
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-12 435032]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-23 193840]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-01-11 20:20:08 -------- d-----w- c:\users\matt\appdata\roaming\Malwarebytes
    2012-01-11 20:19:58 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-11 20:19:57 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-11 20:19:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-10 20:18:08 -------- d-----w- c:\program files\DLLSuite
    2012-01-05 18:04:33 -------- d-----w- c:\programdata\AVAST Software
    2012-01-05 15:17:39 -------- d-----w- c:\users\matt\appdata\roaming\Internet Chess Club
    2012-01-05 15:17:35 -------- d-----w- c:\program files\Internet Chess Club
    2012-01-03 06:36:44 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7e7e09b2-5d54-49a5-b8d8-36346553799c}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
    2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-11-28 17:52:07 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-03 06:22:04 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 06:17:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-03 06:17:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 06:17:08 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-11-03 06:17:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-11-03 05:22:43 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 04:45:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-11-03 04:43:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-27 08:01:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-27 08:01:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-14 16:02:19 429056 ----a-w- c:\windows\system32\EncDec.dll
    .
    ============= FINISH: 16:27:02.26 ===============
    BeezNeezy, Jan 11, 2012
    #10

  11. BeezNeezy Newcomer, in training Posts: 23

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/28/2010 9:45:09 PM
    System Uptime: 1/11/2012 3:32:09 PM (1 hours ago)
    .
    Motherboard: Wistron | | 3612
    Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz | CPU | 2000/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 287 GiB total, 5.508 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 1.76 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is FIXED (FAT32) - 466 GiB total, 38.847 GiB free.
    H: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    AC3Filter (remove only)
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    Adobe Shockwave Player
    Amazon MP3 Downloader 1.0.12
    AnyDVD
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft TotalMedia Backup
    Atheros Driver Installation Program
    avast! Free Antivirus
    BlackBerry Desktop Software 5.0.1
    BlackBerry® Media Sync
    Bonjour
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    CloneDVD2
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    CyberLink DVD Suite
    CyberLink YouCam
    DivX Setup
    DLL Suite 1.0
    ESU for Microsoft Vista
    Free Audio Convert Wizard 3.7.2.1
    Google Chrome
    Google Talk Plugin
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP DVD Play 3.7
    HP Quick Launch Buttons 6.40 H2
    HP Support Assistant
    HP Total Care Advisor
    HP Update
    HP User Guides 0118
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPTCSSetup
    Intel(R) Graphics Media Accelerator Driver
    Intertops Poker
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 7
    JEOPARDY! (remove only)
    Juno Preloader
    K-Lite Codec Pack 6.5.0 (Basic)
    LabelPrint
    LightScribe System Software 1.14.17.1
    Malwarebytes Anti-Malware version 1.60.0.1800
    Media Player Codec Pack 3.9.6
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Live Search Toolbar
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Mozilla Firefox 8.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee Reveal
    My HP Games
    NetWaiting
    NetZero Preloader
    Norton Internet Security
    Out of the Park 8
    PokerStars
    Power2Go
    PowerDirector
    QuickTime
    Realtek Ethernet Controller Driver For Windows 7
    Realtek USB 2.0 Card Reader
    Rhapsody
    Roxio Media Manager
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Skype Toolbars
    Spelling Dictionaries Support For Adobe Reader 9
    SPORE Creature Creator Trial Edition
    Sportsbook.com
    Synaptics Pointing Device Driver
    System Requirements Lab for Intel
    Trader's Little Helper 2.6.0
    Tweak UI
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Office 2007 (KB934528)
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 1.1.7
    Windows Media Player Firefox Plugin
    WinRAR archiver
    Xvid 1.2.1 final uninstall
    .
    ==== End Of File ===========================
    BeezNeezy, Jan 11, 2012
    #11

  12. Broni Malware Annihilator Posts: 39,398   +177

    Broni, Jan 11, 2012
    #12

  13. BeezNeezy Newcomer, in training Posts: 23

    I must have saved the log before taking action on the problems. Hereis the new scan. I will be removing Norton while i wait for the next instruction.

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2011.12.24.05

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19170
    Matt :: MATT-PC [administrator]

    Protection: Enabled

    1/11/2012 6:32:28 PM
    mbam-log-2012-01-11 (18-32-28).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 183153
    Time elapsed: 9 minute(s), 35 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    BeezNeezy, Jan 12, 2012
    #13

  14. Broni Malware Annihilator Posts: 39,398   +177

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
    Broni, Jan 12, 2012
    #14

  15. BeezNeezy Newcomer, in training Posts: 23

    Tried to run 2 times. I get messages about rootkit.allaccess or something and the combofix needs to reboot machine.
    BeezNeezy, Jan 12, 2012
    #15

  16. Broni Malware Annihilator Posts: 39,398   +177

    Did you let it?
    Broni, Jan 12, 2012
    #16

  17. BeezNeezy Newcomer, in training Posts: 23

    Yeah. 2 times now. It is asking me to verify date and is telling me combofix has expired. PED is not recognized as a internal or external command,operable program or batch file
    BeezNeezy, Jan 12, 2012
    #17

  18. Broni Malware Annihilator Posts: 39,398   +177

    You need to delete your Combofix file and download fresh one.
    Broni, Jan 12, 2012
    #18

  19. BeezNeezy Newcomer, in training Posts: 23

    It is repeatedly happening. I get new Combofix file. It detects rootkit and reboots
    BeezNeezy, Jan 12, 2012
    #19

  20. Broni Malware Annihilator Posts: 39,398   +177

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.


    ===========================================================

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
    Broni, Jan 12, 2012
    #20
Page 1 of 3
Topic Status:
Not open for further replies.

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.